Unverified Commit 33934af4 authored by Amaury Martiny's avatar Amaury Martiny Committed by GitHub

fix: Whitelist cli args (#553)

* fix: Whitelist cli args

* Remove cli.wsPort

* Fix psn flag

* Fix mistaken merge
parent c8138b26
......@@ -44,7 +44,6 @@
"@parity/electron": "^5.1.0",
"ansi-styles": "^3.2.1",
"commander": "^2.15.1",
"commander-remaining-args": "^1.2.0",
"electron-positioner": "^4.1.0",
"electron-settings": "^3.2.0",
"fether-react": "^0.4.0",
......
......@@ -5,7 +5,7 @@
import cli from 'commander';
import { DEFAULT_CHAIN, DEFAULT_WS_PORT } from '../constants';
import { DEFAULT_CHAIN } from '../constants';
const { productName } = require('../../../../electron-builder.json');
const { version } = require('../../../../package.json');
......@@ -23,7 +23,6 @@ if (process.defaultApp !== true) {
cli
.version(version)
.allowUnknownOption()
.option(
'--chain <chain>',
`The network to connect to, can be one of "foundation", "kovan" or "ropsten". (default: "${DEFAULT_CHAIN}")`,
......@@ -33,24 +32,9 @@ cli
'--no-run-parity',
`${productName} will not attempt to run the locally installed parity.`
)
.option(
'--ws-port <port>',
`Specify the port portion of the WebSockets server ${productName} will connect to. (default: ${DEFAULT_WS_PORT})`,
DEFAULT_WS_PORT
)
.parse(
process.argv
// We want to ignore some flags and not pass them down to Parity:
// --inspect: `electron-webpack dev` runs Electron with the `--inspect` flag for HMR
// -psn_*: https://github.com/paritytech/fether/issues/188
// --ws-interface: we don't pass down this flag, because fether only allows 127.0.0.1 as WS interface
.filter(
arg =>
!arg.startsWith('--inspect') &&
!arg.startsWith('-psn_') &&
!arg.startsWith('--ws-interface')
)
);
// We want to ignore some flags that are sometimes passed to Fether, but not
// officially recognized by Fether:
// - -psn_*: https://github.com/paritytech/fether/issues/188
.parse(process.argv.filter(arg => !arg.startsWith('-psn_')));
export default cli;
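Review bot: The `--inspect` exclusion that the old parse call carried (L50, L55) is gone from the new filter at L63, and with `.allowUnknownOption()` also removed (L34) commander now rejects undeclared options instead of leaving them for `getRemainingArgs`; so if `electron-webpack dev` still launches Electron with `--inspect`, as the removed comment stated, the development build will now exit with an unknown-option error. If that flag still reaches `process.argv`, keep it in the filter: `.parse(process.argv.filter(arg => !arg.startsWith('-psn_') && !arg.startsWith('--inspect')))`. Dropping `allowUnknownOption` is the part that actually closes the pass-through, and the `--ws-interface` special case is no longer needed only because of it, so the comment at L60-L62 should say so to stop anyone re-adding it later, e.g. `// Any option not declared above is rejected by commander; nothing from argv is forwarded to Parity.` The `--chain` option's definition begins in this section but its default/closing lines fall outside the visible hunk.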
......@@ -7,10 +7,9 @@ import { checkClockSync, signerNewToken } from '@parity/electron';
import settings from 'electron-settings';
import { bundledParityPath } from '../utils/paths';
import cli from '../cli';
import Pino from '../utils/pino';
import setupParityEthereum from '../methods/setupParityEthereum';
import { TRUSTED_LOOPBACK } from '../constants';
import { DEFAULT_WS_PORT, TRUSTED_LOOPBACK } from '../constants';
const pino = Pino();
......@@ -82,7 +81,7 @@ export default async (fetherApp, event, data) => {
event.sender.send('send-to-renderer', {
action: 'WS_PORT_RESPONSE',
from: 'fether:electron',
payload: cli.wsPort
payload: DEFAULT_WS_PORT
});
break;
......
......@@ -8,7 +8,6 @@ import url from 'url';
import Pino from '../../utils/pino';
import { staticPath } from '../../utils/paths';
import cli from '../../cli';
import {
DEFAULT_CHAIN,
DEFAULT_WS_PORT,
......@@ -23,27 +22,20 @@ pino.info(
);
/**
* Note: If the user provides a custom CLI port to `cli.wsPort` then
* we 'dynamically' trust it in addition to the `DEFAULT_WS_PORT` in
* fether-electron/src/main/index.js, which is where we only
* permit requests from trusted paths.
*
* Note: We also disallows users from using Fether
* Note: We disallow users from using Fether
* with a remote node.
* WARNING: SSH tunnels from an attacker are still possible.
*/
const DEFAULT_HTTP_PORT = '3000';
const CUSTOM_WS_PORT = cli.wsPort;
const TRUSTED_HOSTS = {
github: ['api.github.com', 'github.com', 'raw.githubusercontent.com'],
blockscout: ['blockscout.com']
};
const TRUSTED_WS_PORTS = [DEFAULT_WS_PORT, CUSTOM_WS_PORT];
const TRUSTED_WS_PORTS = [DEFAULT_WS_PORT];
const DEFAULT_HTTP_TRUSTED_LOOPBACK = `http://${TRUSTED_LOOPBACK}:${DEFAULT_HTTP_PORT}`;
const TRUSTED_URLS = [
DEFAULT_HTTP_TRUSTED_LOOPBACK,
`ws://${TRUSTED_LOOPBACK}:${DEFAULT_WS_PORT}`,
`ws://${TRUSTED_LOOPBACK}:${CUSTOM_WS_PORT}`,
'https://parity.io',
'https://wiki.parity.io/Fether-FAQ',
'https://github.com/paritytech/fether/issues/new',
......
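Review bot: The allow-list at L110 and L114 now trusts a single fixed loopback port, but trust is still by address and port alone: any local process that binds DEFAULT_WS_PORT (or port 3000, L111) before Parity does is accepted exactly as Parity would be, which the WARNING at L101 about SSH tunnels alludes to without naming the local-listener case. With the custom-port paragraph removed (L93-L96) the remaining comment should state the model explicitly, e.g. `* Trust here is by loopback address and port only; any local listener on these ports is treated as Parity (or the dev server), so keep this list minimal.` Whether the `http://127.0.0.1:3000` entry is needed outside development cannot be told from this hunk; if it is dev-only, gating it on the environment would shrink the loopback surface in release builds. The TRUSTED_URLS array continues past the end of the visible hunk.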
......@@ -4,7 +4,6 @@
// SPDX-License-Identifier: BSD-3-Clause
import { isParityRunning, runParity } from '@parity/electron';
import getRemainingArgs from 'commander-remaining-args';
import { bundledParityPath } from '../utils/paths';
import handleError from '../utils/handleError';
......@@ -48,23 +47,14 @@ class ParityEthereum {
}
isRunning = async () => {
return isParityRunning({
wsPort: cli.wsPort
});
return isParityRunning();
};
// Run the bundled Parity Ethereum binary
run = async () => {
return runParity({
parityPath: bundledParityPath,
flags: [
...getRemainingArgs(cli),
'--light',
'--chain',
cli.chain,
'--ws-port',
cli.wsPort
],
flags: ['--light', '--chain', cli.chain],
onParityError: err =>
handleError(err, 'An error occured with Parity Ethereum.')
});
......
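Review bot: `cli.chain` at L146 is still handed to Parity unvalidated; the option's help text (L37) lists foundation, kovan and ropsten, but nothing enforces that set, and to my knowledge Parity's `--chain` also accepts a path to a chain-spec file, so a crafted launch argument can still steer the bundled node to an arbitrary spec even though the rest of argv is now whitelisted. Check the value before `runParity`, e.g. `if (!['foundation', 'kovan', 'ropsten'].includes(cli.chain)) { throw new Error('Unsupported --chain value: ' + cli.chain); }` (or route it through `handleError`, which is already imported at L125). Separately, `--ws-port` is no longer passed, so Parity listens on its own default WS port; this only stays consistent with `DEFAULT_WS_PORT` in the trusted-URL list if the two defaults agree, which I cannot confirm from this hunk. The `run` arrow function's `runParity` call continues past the end of the visible hunk.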
......@@ -4093,11 +4093,6 @@ command-exists@^1.2.8:
resolved "https://registry.yarnpkg.com/command-exists/-/command-exists-1.2.8.tgz#715acefdd1223b9c9b37110a149c6392c2852291"
integrity sha512-PM54PkseWbiiD/mMsbvW351/u+dafwTJ0ye2qB60G1aGQP9j3xK2gmMDc+R34L3nDtx4qMCitXT75mkbkGJDLw==
 
commander-remaining-args@^1.2.0:
version "1.2.0"
resolved "https://registry.yarnpkg.com/commander-remaining-args/-/commander-remaining-args-1.2.0.tgz#6fab4cce4a59db1698121f59105364adcb0b4c68"
integrity sha512-yH0yRUtHhJ/389HWgQlEMAwqKXMZr/JJH4xqDIzXCisNy2mS6YSAe3WncgjxZvhLJqZPxJn8MivRK+B0lSNXPw==
commander@2.17.x:
version "2.17.1"
resolved "https://registry.yarnpkg.com/commander/-/commander-2.17.1.tgz#bd77ab7de6de94205ceacc72f1716d29f20a77bf"
......