new: new api.rest.alloworigin parameter to customize the Access-Control-Allow-Origin header of the server.
This commit is contained in:
parent
2b117e14d6
commit
8f7f6545b1
2 changed files with 18 additions and 10 deletions
|
@ -22,6 +22,7 @@ type RestAPI struct {
|
||||||
password string
|
password string
|
||||||
certFile string
|
certFile string
|
||||||
keyFile string
|
keyFile string
|
||||||
|
allowOrigin string
|
||||||
useWebsocket bool
|
useWebsocket bool
|
||||||
upgrader websocket.Upgrader
|
upgrader websocket.Upgrader
|
||||||
quit chan bool
|
quit chan bool
|
||||||
|
@ -33,6 +34,7 @@ func NewRestAPI(s *session.Session) *RestAPI {
|
||||||
server: &http.Server{},
|
server: &http.Server{},
|
||||||
quit: make(chan bool),
|
quit: make(chan bool),
|
||||||
useWebsocket: false,
|
useWebsocket: false,
|
||||||
|
allowOrigin: "*",
|
||||||
upgrader: websocket.Upgrader{
|
upgrader: websocket.Upgrader{
|
||||||
ReadBufferSize: 1024,
|
ReadBufferSize: 1024,
|
||||||
WriteBufferSize: 1024,
|
WriteBufferSize: 1024,
|
||||||
|
@ -48,6 +50,10 @@ func NewRestAPI(s *session.Session) *RestAPI {
|
||||||
"8081",
|
"8081",
|
||||||
"Port to bind the API REST server to."))
|
"Port to bind the API REST server to."))
|
||||||
|
|
||||||
|
api.AddParam(session.NewIntParameter("api.rest.alloworigin",
|
||||||
|
api.allowOrigin,
|
||||||
|
"Value of the Access-Control-Allow-Origin header of the API server."))
|
||||||
|
|
||||||
api.AddParam(session.NewStringParameter("api.rest.username",
|
api.AddParam(session.NewStringParameter("api.rest.username",
|
||||||
"",
|
"",
|
||||||
"",
|
"",
|
||||||
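Review bot: The new parameter registered on the line `api.AddParam(session.NewIntParameter("api.rest.alloworigin",` is declared as an integer parameter although its default `api.allowOrigin` is the string `"*"` and Configure reads it back with `api.StringParam("api.rest.alloworigin")`; the neighbouring `api.rest.username` entry uses `session.NewStringParameter`, which is what this one should use as well: `api.AddParam(session.NewStringParameter("api.rest.alloworigin",`. If the int parameter type attaches a numeric validator, as its name suggests, the `"*"` default would be rejected the first time the module is configured, so this is probably a functional break rather than a cosmetic mismatch. NewRestAPI's body continues outside the hunk.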
|
@ -124,6 +130,8 @@ func (api *RestAPI) Configure() error {
|
||||||
return err
|
return err
|
||||||
} else if err, port = api.IntParam("api.rest.port"); err != nil {
|
} else if err, port = api.IntParam("api.rest.port"); err != nil {
|
||||||
return err
|
return err
|
||||||
|
} else if err, api.allowOrigin = api.StringParam("api.rest.alloworigin"); err != nil {
|
||||||
|
return err
|
||||||
} else if err, api.certFile = api.StringParam("api.rest.certificate"); err != nil {
|
} else if err, api.certFile = api.StringParam("api.rest.certificate"); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if api.certFile, err = core.ExpandPath(api.certFile); err != nil {
|
} else if api.certFile, err = core.ExpandPath(api.certFile); err != nil {
|
||||||
|
|
|
@ -30,14 +30,6 @@ func setAuthFailed(w http.ResponseWriter, r *http.Request) {
|
||||||
w.Write([]byte("Unauthorized"))
|
w.Write([]byte("Unauthorized"))
|
||||||
}
|
}
|
||||||
|
|
||||||
func setSecurityHeaders(w http.ResponseWriter) {
|
|
||||||
w.Header().Add("X-Frame-Options", "DENY")
|
|
||||||
w.Header().Add("X-Content-Type-Options", "nosniff")
|
|
||||||
w.Header().Add("X-XSS-Protection", "1; mode=block")
|
|
||||||
w.Header().Add("Referrer-Policy", "same-origin")
|
|
||||||
w.Header().Set("Access-Control-Allow-Origin", "*")
|
|
||||||
}
|
|
||||||
|
|
||||||
func toJSON(w http.ResponseWriter, o interface{}) {
|
func toJSON(w http.ResponseWriter, o interface{}) {
|
||||||
w.Header().Set("Content-Type", "application/json")
|
w.Header().Set("Content-Type", "application/json")
|
||||||
if err := json.NewEncoder(w).Encode(o); err != nil {
|
if err := json.NewEncoder(w).Encode(o); err != nil {
|
||||||
|
@ -45,6 +37,14 @@ func toJSON(w http.ResponseWriter, o interface{}) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (api *RestAPI) setSecurityHeaders(w http.ResponseWriter) {
|
||||||
|
w.Header().Add("X-Frame-Options", "DENY")
|
||||||
|
w.Header().Add("X-Content-Type-Options", "nosniff")
|
||||||
|
w.Header().Add("X-XSS-Protection", "1; mode=block")
|
||||||
|
w.Header().Add("Referrer-Policy", "same-origin")
|
||||||
|
w.Header().Set("Access-Control-Allow-Origin", api.allowOrigin)
|
||||||
|
}
|
||||||
|
|
||||||
func (api *RestAPI) checkAuth(r *http.Request) bool {
|
func (api *RestAPI) checkAuth(r *http.Request) bool {
|
||||||
if api.username != "" && api.password != "" {
|
if api.username != "" && api.password != "" {
|
||||||
user, pass, _ := r.BasicAuth()
|
user, pass, _ := r.BasicAuth()
|
||||||
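Review bot: `w.Header().Set("Access-Control-Allow-Origin", api.allowOrigin)` now writes whatever the operator configured, including an empty string, which yields an empty header rather than no header; guard the call with `if api.allowOrigin != ""`. When the configured value is a specific origin instead of `*`, the response should also carry `w.Header().Add("Vary", "Origin")` so shared caches do not serve one origin's response to a page from another. The new method has no doc comment; `// setSecurityHeaders adds the hardening headers and the configured CORS origin to an API response.` would state its contract. This method replaces the package-level function deleted in the previous hunk of this file.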
|
@ -175,7 +175,7 @@ func (api *RestAPI) clearEvents(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (api *RestAPI) sessionRoute(w http.ResponseWriter, r *http.Request) {
|
func (api *RestAPI) sessionRoute(w http.ResponseWriter, r *http.Request) {
|
||||||
setSecurityHeaders(w)
|
api.setSecurityHeaders(w)
|
||||||
|
|
||||||
if !api.checkAuth(r) {
|
if !api.checkAuth(r) {
|
||||||
setAuthFailed(w, r)
|
setAuthFailed(w, r)
|
||||||
|
@ -229,7 +229,7 @@ func (api *RestAPI) sessionRoute(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (api *RestAPI) eventsRoute(w http.ResponseWriter, r *http.Request) {
|
func (api *RestAPI) eventsRoute(w http.ResponseWriter, r *http.Request) {
|
||||||
setSecurityHeaders(w)
|
api.setSecurityHeaders(w)
|
||||||
|
|
||||||
if !api.checkAuth(r) {
|
if !api.checkAuth(r) {
|
||||||
setAuthFailed(w, r)
|
setAuthFailed(w, r)
|
||||||
|
|