Merge pull request #184 from Shopify/temp-address-security-issue

Address an issue where a toxiproxy can be used to bypass the Same-Origin Policy in web browsers

Author: JackMc

api.go

@@ -7,10 +7,11 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"strings"
 
 	"github.com/Shopify/toxiproxy/toxics"
-	"github.com/sirupsen/logrus"
 	"github.com/gorilla/mux"
+	"github.com/sirupsen/logrus"
 )
 
 type ApiServer struct {
@@ -46,6 +47,16 @@ func (server *ApiServer) PopulateConfig(filename string) {
 	}
 }
 
+func StopBrowsersMiddleware(h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if strings.HasPrefix(r.UserAgent(), "Mozilla/") {
+			http.Error(w, "User agent not allowed", 403)
+		} else {
+			h.ServeHTTP(w, r)
+		}
+	})
+}
+
 func (server *ApiServer) Listen(host string, port string) {
 	r := mux.NewRouter()
 	r.HandleFunc("/reset", server.ResetState).Methods("POST")
@@ -62,7 +73,8 @@ func (server *ApiServer) Listen(host string, port string) {
 	r.HandleFunc("/proxies/{proxy}/toxics/{toxic}", server.ToxicDelete).Methods("DELETE")
 
 	r.HandleFunc("/version", server.Version).Methods("GET")
-	http.Handle("/", r)
+
+	http.Handle("/", StopBrowsersMiddleware(r))
 
 	logrus.WithFields(logrus.Fields{
 		"host":    host,

api_test.go

@@ -36,6 +36,36 @@ func WithServer(t *testing.T, f func(string)) {
 	f("http://localhost:8475")
 }
 
+func TestBrowserGets403(t *testing.T) {
+	WithServer(t, func(addr string) {
+		client := http.Client{}
+
+		req, _ := http.NewRequest("GET", "http://localhost:8475/proxies", nil)
+		req.Header.Add("User-Agent", "Mozilla/5.0 (Linux; Android 4.4.2); Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Mobile Safari/537.36 OPR/20.0.1396.72047")
+
+		resp, _ := client.Do(req)
+
+		if resp.StatusCode != 403 {
+			t.Fatal("Browser-like UserAgent was not denied access to Toxiproxy")
+		}
+	})
+}
+
+func TestNonBrowserGets200(t *testing.T) {
+	WithServer(t, func(addr string) {
+		client := http.Client{}
+
+		req, _ := http.NewRequest("GET", "http://localhost:8475/proxies", nil)
+		req.Header.Add("User-Agent", "Wget/2.1")
+
+		resp, _ := client.Do(req)
+
+		if resp.StatusCode == 403 {
+			t.Fatal("Non-Browser-like UserAgent was denied access to Toxiproxy")
+		}
+	})
+}
+
 func TestIndexWithNoProxies(t *testing.T) {
 	WithServer(t, func(addr string) {
 		client := tclient.NewClient(addr)