scansion/serve.lua

Fri, 28 Dec 2018 04:35:51 -0500

author
Waqas Hussain <waqas20@gmail.com>
date
Fri, 28 Dec 2018 04:35:51 -0500
changeset 157
b35dc87ebff0
parent 156
807dc9c0f140
child 158
f09fe6c16e10
permissions
-rw-r--r--

Make --serve and --serve-port take an origin argument, in order to disallow random websites from accessing the local port

-- Module dependencies (verse/Prosody-style net and util libraries).
local verse = require("verse");

local server = require("net.server");
local http_server = require("net.http.server");
local http = require("net.http");
local json = require("util.json");
local time = require("socket").gettime;
-- Catch-all handler registered for "GET localhost/*": always answers with a
-- fixed greeting body. Defined as a global (no `local`), as in the original.
function handle_request()
	local greeting = "Hello world";
	return greeting;
end
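-- Start the HTTP "serve" mode: registers a catch-all GET handler and the
-- `POST /run` endpoint on host "localhost", then blocks in the verse event
-- loop until it ends.
--
-- config:     table. Reads `config.origin` -- the single Origin header value
--             accepted by `/run`, or "*" to accept any origin -- and
--             `config.port` (defaults to 8007).
-- run_script: function(mode, script, log). Called as
--             run_script("web", <POST body>, log) under pcall; an error it
--             raises is reported to the client through `log` instead of
--             propagating.
-- Returns nothing; does not return until verse.loop() reports it is done.
local function run(config, run_script)
	-- Handler for "POST localhost/run". NOTE: intentionally a global (no
	-- `local`), matching the original definition; anything referencing the
	-- global name keeps working.
	function handle_run_request(event)
		local request, response = event.request, event.response;

		-- Stream one JSON log record to the client as a single HTTP chunk
		-- ("<hex length>\r\n<payload>\r\n"). Only valid after the chunked
		-- response headers below have been sent.
		-- (`kind` rather than `type` so the builtin `type` is not shadowed.)
		local function log(kind, data)
			local entry = { type = kind, data = data, time = time() };
			local chunk = json.encode(entry) .. "\r\n";
			response.conn:write(("%x\r\n%s\r\n"):format(#chunk, chunk));
		end

		-- SECURITY NOTE: We MUST validate Origin before running the Scansion script,
		-- since we don't want arbitrary websites to have local RCEs (CORS does not
		-- protect us here, it at best keeps the script from seeing the response)
		--
		-- This is an exact string comparison. An absent Origin header (nil) is
		-- rejected unless config.origin is "*" -- or unless config.origin is
		-- itself nil, in which case `nil ~= nil` is false and Origin-less
		-- requests pass while any request carrying an Origin is still rejected.
		-- Origin is a browser-enforced header, not authentication: it guards
		-- against web pages reaching this port, not against other local clients.
		local origin = request.headers.origin;
		if origin ~= config.origin and config.origin ~= "*" then
			-- tostring() so a missing header is logged as "nil" rather than
			-- handing a nil %s argument to verse.log's formatter (whose
			-- behaviour on nil is not visible from this file).
			verse.log("warn", "Rejecting origin: %s", tostring(origin));
			response.status_code = 403; -- spec suggested response when we don't like the origin
			response.headers.connection = "close";
			return "";
		end

		-- Headers are written by hand, before the script runs, so that log()
		-- can stream chunks while the script is still executing.
		response.status_code = 201;
		response.headers.connection = "close";
		response.headers.transfer_encoding = "chunked";
		response.conn:send(table.concat(http_server.prepare_header(response)));

		-- The request body *is* the script. pcall keeps a script error from
		-- aborting the handler before the terminating chunk is written.
		local ok, err = pcall(run_script, "web", request.body, log);
		if not ok then
			log("error", err);
		end

		-- Zero-length chunk terminates the chunked body.
		response.conn:write("0\r\n\r\n");
		response:done();

		return true;
	end

	http_server.add_host("localhost");
	-- Presumably routes requests with any Host header to "localhost" -- confirm
	-- against net.http.server.
	http_server.set_default_host("localhost");
	http_server.add_handler("GET localhost/*", handle_request);
	http_server.add_handler("POST localhost/run", handle_run_request);
	http_server.add_handler("http-error", function (e)
		verse.log("error", "HTTP error: %s", e.code);
	end);
	--http_server.add_handler("GET localhost/stream/*", handle_stream_request);
	-- No bind address is given here; whether this listens on loopback only
	-- depends on net.http.server's default -- NOTE(review): confirm, since the
	-- Origin check above is the only gate in front of script execution.
	http_server.listen_on(config.port or 8007);
	verse.log("debug", "Ready")
	repeat until not verse.loop();
end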
-- Module table: the only export is the serve-mode entry point.
local exports = {};
exports.run = run;
return exports;
