Add basic CSRF protection to built-in HTTP server

openscopeproject · Feb 11, 2024 · ea69a07 · ea69a07
1 parent 0fe9b79
commit ea69a07
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 4 deletions.
diff --git a/src-tauri/src/ipc.rs b/src-tauri/src/ipc.rs
@@ -87,6 +87,11 @@ async fn http_response(
     args_lock: Arc<Semaphore>,
     req: Request<Body>,
 ) -> hyper::Result<Response<Body>> {
+    let content_type = req.headers().get("Content-Type").and_then(|ct| ct.to_str().ok()).unwrap_or("");
+    if content_type != "application/json" && req.method() != Method::OPTIONS {
+        return Ok(invalid_request(req.headers(), "unexpected content-type"));
+    }
+
     let toast = req.headers().get("X-TrguiNG-Toast").is_some();
     let sound = req.headers().get("X-TrguiNG-Sound").is_some();
 
@@ -99,7 +104,7 @@ async fn http_response(
             }
 
             let lock = args_lock.acquire().await.unwrap();
-            send_payoad(&app, payload).await;
+            send_payload(&app, payload).await;
             drop(lock);
 
             Ok(Response::builder().body(Body::from("TrguiNG OK")).unwrap())
@@ -224,7 +229,7 @@ async fn proxy_fetch(req: Request<Body>) -> Result<Response<Body>, hyper::Error>
     }
 }
 
-async fn send_payoad(app: &AppHandle, payload: Bytes) {
+async fn send_payload(app: &AppHandle, payload: Bytes) {
     app.get_window("main")
         .unwrap()
         .emit(

diff --git a/src/rpc/client.ts b/src/rpc/client.ts
@@ -83,7 +83,9 @@ export class TransmissionClient {
 
     constructor(connection: ServerConnection, toastNotifications: boolean, toastNotificationSound: boolean, timeout = 15) {
         this.url = encodeURIComponent(connection.url);
-        this.headers = {};
+        this.headers = {
+            "Content-Type": "application/json",
+        };
         if (toastNotifications) {
             this.headers["X-TrguiNG-toast"] = "true";
         }
@@ -384,7 +386,7 @@ export class TransmissionClient {
         const url = `${RUST_BACKEND}/iplookup`;
         const body = JSON.stringify(ips);
 
-        const response = await fetch(url, { method: "POST", body });
+        const response = await fetch(url, { method: "POST", body, headers: { "Content-Type": "application/json" } });
 
         if (response.ok) {
             return await response.json();