Disable HTTP access to APIs that may be used to pass sensitive data
BUG:24789091
Change-Id: I364126d7ae80f606ca834b9daf05db783382842d
Reviewed-on: https://weave-review.googlesource.com/1411
Reviewed-by: Alex Vakulenko <avakulenko@google.com>
diff --git a/libweave/src/privet/privet_handler.cc b/libweave/src/privet/privet_handler.cc
index 2180cad..fc344ab 100644
--- a/libweave/src/privet/privet_handler.cc
+++ b/libweave/src/privet/privet_handler.cc
@@ -341,8 +341,10 @@
} // namespace
std::vector<std::string> PrivetHandler::GetHttpPaths() const {
- // TODO(vitalybuka): Should be subset only.
- return GetHttpsPaths();
+ return {
+ "/privet/info", "/privet/v3/pairing/start", "/privet/v3/pairing/confirm",
+ "/privet/v3/pairing/cancel",
+ };
}
std::vector<std::string> PrivetHandler::GetHttpsPaths() const {
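Review bot: The new allow-list in `GetHttpPaths()` has no comment stating the rule that decides membership, and the TODO that hinted at it is removed. I would add above the `return`: `// Plain-HTTP allow-list: only endpoints needed before a secure channel exists and that pass no sensitive data. Everything else is HTTPS-only.` Without that, a later handler can be appended here without anyone asking whether it is safe in cleartext. The four literals presumably also appear in `GetHttpsPaths()`, whose body is outside this hunk; if so, shared named constants would keep the two lists from drifting apart.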
diff --git a/libweave/src/weave_unittest.cc b/libweave/src/weave_unittest.cc
index 0bfbe0b..eb41294 100644
--- a/libweave/src/weave_unittest.cc
+++ b/libweave/src/weave_unittest.cc
@@ -36,6 +36,8 @@
namespace weave {
+namespace {
+
using provider::HttpClient;
using provider::Network;
using provider::test::MockHttpClientResponse;
@@ -133,6 +135,16 @@
return (arg_copy == txt_copy);
}
+template <class Map>
+std::set<typename Map::key_type> GetKeys(const Map& map) {
+ std::set<typename Map::key_type> result;
+ for (const auto& pair : map)
+ result.insert(pair.first);
+ return result;
+}
+
+} // namespace
+
class WeaveTest : public ::testing::Test {
protected:
void SetUp() override {}
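Review bot: `GetKeys` brings `std::set` into this file, and the last hunk adds `std::map` members, but no hunk adds `#include <set>` or `#include <map>`. The include block is outside the visible hunks, so this may already be covered; if it is not, the file compiles only through transitive includes and both headers should be added. A short comment on the helper would also help, for example `// Returns the keys of |map| as an ordered set, for comparing registered path prefixes.`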
@@ -208,13 +220,13 @@
.WillRepeatedly(Invoke(
[this](const std::string& path_prefix,
const provider::HttpServer::RequestHandlerCallback& cb) {
- http_server_request_cb_.push_back(cb);
+ http_handlers_[path_prefix] = cb;
}));
EXPECT_CALL(http_server_, AddHttpsRequestHandler(_, _))
.WillRepeatedly(Invoke(
[this](const std::string& path_prefix,
const provider::HttpServer::RequestHandlerCallback& cb) {
- http_server_request_cb_.push_back(cb);
+ https_handlers_[path_prefix] = cb;
}));
}
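Review bot: `http_handlers_[path_prefix] = cb;` and `https_handlers_[path_prefix] = cb;` silently replace an earlier callback when the same prefix is registered twice, so a duplicate registration would be invisible to the `GetKeys` comparisons added in the next hunk. Since this test is what pins which endpoints are reachable over plain HTTP, the mock should be strict about it: `EXPECT_TRUE(http_handlers_.emplace(path_prefix, cb).second);` and the same for `https_handlers_`. The enclosing function starts and ends outside the hunk.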
@@ -232,6 +244,19 @@
&http_client_, &network_, &dns_sd_,
&http_server_, &wifi_, &bluetooth_);
+ EXPECT_EQ((std::set<std::string>{
+ "/privet/info", "/privet/v3/pairing/cancel",
+ "/privet/v3/pairing/confirm", "/privet/v3/pairing/start"}),
+ GetKeys(http_handlers_));
+ EXPECT_EQ((std::set<std::string>{
+ "/privet/info", "/privet/v3/auth", "/privet/v3/commandDefs",
+ "/privet/v3/commands/cancel", "/privet/v3/commands/execute",
+ "/privet/v3/commands/list", "/privet/v3/commands/status",
+ "/privet/v3/pairing/cancel", "/privet/v3/pairing/confirm",
+ "/privet/v3/pairing/start", "/privet/v3/setup/start",
+ "/privet/v3/setup/status", "/privet/v3/state"}),
+ GetKeys(https_handlers_));
+
device_->AddCommandDefinitionsFromJson(kCommandDefs);
device_->AddStateDefinitionsFromJson(kStateDefs);
device_->SetStatePropertiesFromJson(kStateDefaults, nullptr);
@@ -247,8 +272,10 @@
}
}
- std::vector<provider::HttpServer::RequestHandlerCallback>
- http_server_request_cb_;
+ std::map<std::string, provider::HttpServer::RequestHandlerCallback>
+ http_handlers_;
+ std::map<std::string, provider::HttpServer::RequestHandlerCallback>
+ https_handlers_;
StrictMock<provider::test::MockConfigStore> config_store_;
StrictMock<provider::test::FakeTaskRunner> task_runner_;