chore(transport-bridge): rework origins check

Author: mroz22

packages/node-utils/src/http.ts

@@ -342,7 +342,7 @@ export class HttpServer<T extends EventMap> extends TypedEmitter<T & BaseEvents>
     };
 }
 
-const checkOrigin = ({
+export const checkOrigin = ({
     request,
     allowedOrigin,
     pathname,
@@ -362,16 +362,18 @@ const checkOrigin = ({
     }
 
     if (origin) {
-        isOriginAllowed = origins.some(o => {
-            try {
+        try {
+            const checkedHostname = `.${new URL(origin).hostname}`;
+            isOriginAllowed = origins.some(o =>
                 // match from the end to allow subdomains
-                return new URL(origin).hostname.endsWith(new URL(o).hostname);
-            } catch (error) {
-                // If parsing URL fails we don't want it to crash but silently logs error.
-                logger.error(`Failed parsing URL: ${error}`);
-            }
-        });
+                checkedHostname.endsWith('.' + o),
+            );
+        } catch (error) {
+            // If parsing URL fails we don't want it to crash but silently logs error.
+            logger.error(`Failed parsing URL: ${error}`);
+        }
     }
+
     if (!isOriginAllowed) {
         logger.warn(`Origin rejected for ${pathname}`);
         logger.warn(`- Received: origin: '${origin}'`);
@@ -439,24 +441,6 @@ const checkReferer = ({
     return true;
 };
 
-/**
- * Built-middleware "allow origin"
- */
-export const allowOrigins =
-    (allowedOrigin: string[]): AnyRequestHandler =>
-    (request, _response, next, { logger }) => {
-        if (
-            checkOrigin({
-                request,
-                allowedOrigin,
-                pathname: request.url,
-                logger,
-            })
-        ) {
-            next(request, _response);
-        }
-    };
-
 /**
  * Built-middleware "allow referers"
  */

packages/node-utils/src/index.ts

@@ -2,7 +2,6 @@ export { ensureDirectoryExists } from './ensureDirectoryExists';
 export { getFreePort } from './getFreePort';
 export {
     HttpServer,
-    allowOrigins,
     allowReferers,
     parseBodyJSON,
     parseBodyText,

packages/transport-bridge/src/http.ts

@@ -8,10 +8,10 @@ import {
     RequestHandler,
     RequestWithParams,
     Response,
-    allowOrigins,
     parseBodyJSON,
     parseBodyText,
 } from '@trezor/node-utils';
+import { checkOrigin } from '@trezor/node-utils/src/http';
 import { AbstractApi } from '@trezor/transport/src/api/abstract';
 import { UNEXPECTED_ERROR } from '@trezor/transport/src/errors';
 import { Descriptor, PathPublic, Session } from '@trezor/transport/src/types';
@@ -221,16 +221,36 @@ export class TrezordNode {
                     ) {
                         next(req, res);
                     } else {
-                        allowOrigins([
-                            'https://sldev.cz',
-                            'https://trezor.io',
-                            'http://localhost',
-                            // When using Tor it will send string "null" as default, and it will not allow calling to localhost.
-                            // To allow it to be sent, you can go to about:config and set the attributes below:
-                            // "network.http.referer.hideOnionSource - false"
-                            // "network.proxy.allow_hijacking_localhost - false"
-                            'http://suite.trezoriovpjcahpzkrewelclulmszwbqpzmzgub37gbcjlvluxtruqad.onion',
-                        ])(req, res, next, context);
+                        const isOriginAllowed = checkOrigin({
+                            request: req,
+                            allowedOrigin: [
+                                'sldev.cz',
+                                'trezor.io',
+                                'localhost',
+                                // When using Tor it will send string "null" as default, and it will not allow calling to localhost.
+                                // To allow it to be sent, you can go to about:config and set the attributes below:
+                                // "network.http.referer.hideOnionSource - false"
+                                // "network.proxy.allow_hijacking_localhost - false"
+                                'trezoriovpjcahpzkrewelclulmszwbqpzmzgub37gbcjlvluxtruqad.onion',
+                            ],
+                            pathname: req.url,
+                            logger: context.logger,
+                        });
+
+                        if (isOriginAllowed) {
+                            next(req, res);
+                        } else {
+                            // error handling identic to legacy trezord-go
+                            switch (req.url) {
+                                case '/enumerate':
+                                case '/listen':
+                                    res.statusCode = 403;
+                                    break;
+                                default:
+                                    res.statusCode = 404;
+                            }
+                            res.end();
+                        }
                     }
                 },
             ]);

packages/transport-test/e2e/bridge/headers.test.ts

@@ -0,0 +1,93 @@
+import { controller as TrezorUserEnvLink } from './controller';
+
+describe('headers test', () => {
+    beforeAll(async () => {
+        await TrezorUserEnvLink.connect();
+        await TrezorUserEnvLink.startBridge();
+    });
+
+    afterAll(async () => {
+        await TrezorUserEnvLink.stopBridge();
+        TrezorUserEnvLink.disconnect();
+    });
+
+    const fixturesForbidden = [
+        {
+            endpoint: 'call',
+            statusCode: 404,
+        },
+        {
+            endpoint: 'send',
+            statusCode: 404,
+        },
+        {
+            endpoint: 'receive',
+            statusCode: 404,
+        },
+        {
+            endpoint: 'enumerate',
+            statusCode: 403,
+        },
+        {
+            endpoint: 'acquire',
+            statusCode: 404,
+        },
+        {
+            endpoint: 'release',
+            statusCode: 404,
+        },
+        {
+            endpoint: 'listen',
+            statusCode: 403,
+        },
+    ];
+
+    fixturesForbidden.forEach(f => {
+        test(`origin: https://spoofedtrezor.io and endpoint ${f.endpoint} is forbidden`, async () => {
+            // invalid
+            const response = await fetch(`http://localhost:21325/${f.endpoint}`, {
+                method: 'POST',
+                headers: {
+                    Origin: 'https://spoofedtrezor.io',
+                },
+            });
+
+            expect(response.ok).toEqual(false);
+            expect(response.status).toEqual(f.statusCode);
+        });
+
+        test(`origin: https://zor.io and endpoint ${f.endpoint} is forbidden`, async () => {
+            // invalid
+            const response = await fetch(`http://localhost:21325/${f.endpoint}`, {
+                method: 'POST',
+                headers: {
+                    Origin: 'https://zor.io',
+                },
+            });
+
+            expect(response.ok).toEqual(false);
+            expect(response.status).toEqual(f.statusCode);
+        });
+    });
+
+    const fixturesAllowed = [
+        // todo: other endpoint need more unification steps between old and new
+        {
+            endpoint: 'enumerate',
+            statusCode: 200,
+        },
+    ];
+
+    fixturesAllowed.forEach(f => {
+        test(`endpoint ${f.endpoint} with allowed origin`, async () => {
+            const response = await fetch(`http://localhost:21325/${f.endpoint}`, {
+                method: 'POST',
+                headers: {
+                    Origin: 'https://trezor.io',
+                },
+            });
+
+            expect(response.status).toEqual(f.statusCode);
+        });
+    });
+});