misc: add referer checker and csp header (#72)

ringcentral · Jul 8, 2024 · 6e31207 · 6e31207
1 parent 80bad06
commit 6e31207
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 5 deletions.
diff --git a/src/server/index.js b/src/server/index.js
@@ -9,6 +9,7 @@ const subscriptionRoute = require('./routes/subscription');
 const { botHandler } = require('./bot/handler');
 const { botConfig } = require('./bot/config');
 const { errorLogger } = require('./utils/logger');
+const { refererChecker } = require('./utils/refererChecker');
 
 const app = express()
 app.use(morgan(function (tokens, req, res) {
@@ -36,7 +37,7 @@ app.post('/notify/:id', notificationRoute.notification);
 app.post('/notify_v2/:id', notificationRoute.notification);
 
 app.get('/webhook/new', subscriptionRoute.setup);
-app.post('/webhooks', subscriptionRoute.createWebhook);
+app.post('/webhooks', refererChecker, subscriptionRoute.createWebhook);
 
 app.post('/interactive-messages', notificationRoute.interactiveMessages);
 

diff --git a/src/server/routes/subscription.js b/src/server/routes/subscription.js
@@ -16,6 +16,8 @@ async function setup(req, res) {
     res.send('Webhook uri is required.');
     return;
   }
+  const IFRAME_HOST_DOMAINS = "https://*.ringcentral.com https://*.ringcentral.biz https://*.glip.com https://*.glip.net https://glip.com https://*.labs.ringcentral.com http://*.integration.ringcentral.com http://*.devtest.ringcentral.com https://*.unifyoffice.com https://*.officeathand.att.com https://*.cloudoffice.avaya.com https://*.cloudwork.bt.com https://*.rainbowoffice.com https://*.businessconnect.telus.com https://*.vodafonebusiness.ringcentral.com";
+  res.set('Content-Security-Policy', `frame-ancestors 'self' ${IFRAME_HOST_DOMAINS};`);
   res.render('new', {
     glipWebhookUri,
     analyticsKey: process.env.MIXPANEL_KEY,

diff --git a/src/server/utils/refererChecker.js b/src/server/utils/refererChecker.js
@@ -0,0 +1,35 @@
+function getOrigin(uri) {
+  if (!uri) {
+    return null;
+  }
+  const url = new URL(uri);
+  return url.origin;
+}
+
+const KNOWN_REFERER_HOSTS = [
+  getOrigin(process.env.APP_SERVER),
+  getOrigin(process.env.RINGCENTRAL_CHATBOT_SERVER),
+];
+
+function refererChecker(req, res, next) {
+  const referrer = req.get('Referer');
+  if (!referrer) {
+    res.status(403).send('No Referer');
+    return;
+  }
+  const referrerOrigin = getOrigin(referrer);
+  if (
+    KNOWN_REFERER_HOSTS.find(host => {
+      if (!host) {
+        return false;
+      }
+      return host === referrerOrigin;
+    })
+  ) {
+    next();
+    return;
+  }
+  res.status(403).send('Invalid Referer');
+};
+
+exports.refererChecker = refererChecker;
diff --git a/tests/notify.test.js b/tests/notify.test.js
@@ -30,7 +30,7 @@ describe('Notify', () => {
   let bugsnagWebhookRecord;
 
   beforeAll(async () => {
-    await request(server).post('/webhooks').send({ webhook });
+    await request(server).post('/webhooks').send({ webhook }).set('Referer', process.env.APP_SERVER);
     const rcWebhookRecord = await RCWebhook.findByPk(webhookId);
     bugsnagWebhookRecord = await Webhook.findByPk(rcWebhookRecord.bugsnag_webhook_id);
   });

diff --git a/tests/webhook.test.js b/tests/webhook.test.js
@@ -12,19 +12,34 @@ describe('Webhook new', () => {
   it('should get new webhook page successfully', async () => {
     const res = await request(server).get('/webhook/new?webhook=http://test.com/webhook_id');
     expect(res.status).toEqual(200);
+    expect(res.header['content-security-policy']).toContain("frame-ancestors 'self'");
   });
 });
 
 describe('Webhook generate', () => {
-  it('should get 400 without webhook uri', async () => {
+  it('should get 403 without referer', async () => {
     const res = await request(server).post('/webhooks');
+    expect(res.status).toEqual(403);
+    expect(res.text).toEqual('No Referer');
+  });
+
+  it('should get 403 with wrong referer', async () => {
+    const res = await request(server)
+      .post('/webhooks')
+      .set('Referer', 'http://test.com');
+    expect(res.status).toEqual(403);
+    expect(res.text).toEqual('Invalid Referer');
+  });
+
+  it('should get 400 without webhook uri', async () => {
+    const res = await request(server).post('/webhooks').set('Referer', process.env.APP_SERVER);
     expect(res.status).toEqual(400);
   });
 
   it('should generate webhook successfully', async () => {
     const webhookId = 'webhook_id';
     const webhook = `http://test.com/${webhookId}`;
-    const res = await request(server).post('/webhooks').send({ webhook });
+    const res = await request(server).post('/webhooks').send({ webhook }).set('Referer', process.env.APP_SERVER);
     expect(res.status).toEqual(200);
     const webhookUri = res.body.webhookUri;
     const rcWebhookRecord = await RCWebhook.findByPk(webhookId);
@@ -37,7 +52,7 @@ describe('Webhook generate', () => {
     const webhookId = 'webhook_id';
     const webhook = `http://test.com/${webhookId}`;
     const existedRCWebhookRecord = await RCWebhook.findByPk(webhookId);
-    const res = await request(server).post('/webhooks').send({ webhook });
+    const res = await request(server).post('/webhooks').send({ webhook }).set('Referer', process.env.APP_SERVER);
     expect(res.status).toEqual(200);
     const webhookUri = res.body.webhookUri;
     expect(`${process.env.APP_SERVER}/notify/${existedRCWebhookRecord.bugsnag_webhook_id}`).toEqual(webhookUri);