disable signed JS and socket hijack protection
This commit is contained in:
Thibault Duplessis
parent
4fb5b74645
commit
c6ed3b43db
|
|
@ -30,15 +30,11 @@ object Round extends LilaController with TheftPrevention {
|
|||
}
|
||||
|
||||
def websocketPlayer(fullId: String) = Socket[JsValue] { implicit ctx ⇒
|
||||
(get("sri") |@| getInt("version") |@| get("tk2")).tupled ?? {
|
||||
case (uid, version, token) ⇒ env.socketHandler.player(fullId, version, uid, token, ctx)
|
||||
(get("sri") |@| getInt("version")).tupled ?? {
|
||||
case (uid, version) ⇒ env.socketHandler.player(fullId, version, uid, ctx)
|
||||
}
|
||||
}
|
||||
|
||||
def signedJs(gameId: String) = OpenNoCtx { req ⇒
|
||||
JsOk(GameRepo token gameId map Env.game.gameJs.sign, CACHE_CONTROL -> "max-age=3600")
|
||||
}
|
||||
|
||||
def player(fullId: String) = Open { implicit ctx ⇒
|
||||
OptionFuResult(GameRepo pov fullId) { pov ⇒
|
||||
if (pov.game.playableByAi) env.roundMap ! Tell(pov.game.id, AiPlay(_ ⇒ ()))
|
||||
|
|
|
|||
|
|
@ -8,8 +8,7 @@ chat: Option[Html] = None,
|
|||
underchat: Option[Html] = None,
|
||||
robots: Boolean = true,
|
||||
moreCss: Html = Html(""),
|
||||
moreJs: Html = Html(""),
|
||||
signedJs: Option[String] = None)(body: Html)(implicit ctx: Context)
|
||||
moreJs: Html = Html(""))(body: Html)(implicit ctx: Context)
|
||||
<!doctype html>
|
||||
<html lang="@lang.language">
|
||||
<head>
|
||||
|
|
@ -129,7 +128,7 @@ signedJs: Option[String] = None)(body: Html)(implicit ctx: Context)
|
|||
</div>
|
||||
</div>
|
||||
@jsTag("deps.min.js")
|
||||
@signedJs.fold(isProd.fold(jsTagC("big.js"), jsTag("big.js")))(jsAt)
|
||||
@isProd.fold(jsTagC("big.js"), jsTag("big.js"))
|
||||
@moreJs
|
||||
@if(lang.language != "en") {
|
||||
<script src="@routes.Assets.at("trans/" + lang.language + ".js")?v=@assetVersion"></script>
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
@(title: String, goodies: Html, chat: Option[Html] = None, underchat: Option[Html] = None, robots: Boolean = true, signedJs: Option[String] = None)(body: Html)(implicit ctx: Context)
|
||||
@(title: String, goodies: Html, chat: Option[Html] = None, underchat: Option[Html] = None, robots: Boolean = true)(body: Html)(implicit ctx: Context)
|
||||
|
||||
@base.layout(
|
||||
title = title,
|
||||
|
|
@ -6,5 +6,4 @@ goodies = goodies.some,
|
|||
active = siteMenu.play.some,
|
||||
chat = chat,
|
||||
underchat = underchat,
|
||||
robots = robots,
|
||||
signedJs = signedJs)(body)
|
||||
robots = robots)(body)
|
||||
|
|
|
|||
|
|
@ -14,8 +14,7 @@
|
|||
title = title,
|
||||
goodies = views.html.game.infoBox(pov, tour),
|
||||
chat = roomHtml.map(round.room(_, false)),
|
||||
underchat = underchat.some,
|
||||
signedJs = routes.Round.signedJs(pov.gameId).toString.some) {
|
||||
underchat = underchat.some) {
|
||||
<div class="lichess_game clearfix lichess_player_@color not_spectator"
|
||||
data-socket-url="@routes.Round.websocketPlayer(fullId)"
|
||||
data-table-url="@routes.Round.tablePlayer(fullId)"
|
||||
|
|
|
|||
|
|
@ -4,8 +4,7 @@
|
|||
|
||||
@round.layout(
|
||||
title = trans.playWithAFriend.str(),
|
||||
goodies = Html(""),
|
||||
signedJs = routes.Round.signedJs(pov.gameId).toString.some) {
|
||||
goodies = Html("")) {
|
||||
<div class="lichess_game lichess_game_not_started waiting_opponent clearfix lichess_player_@color"
|
||||
data-socket-url="@routes.Round.websocketPlayer(fullId)" >
|
||||
<div class="lichess_board_wrap">
|
||||
|
|
|
|||
|
|
@ -4,8 +4,7 @@
|
|||
|
||||
@round.layout(
|
||||
title = trans.playWithAFriend.str(),
|
||||
goodies = Html(""),
|
||||
signedJs = routes.Round.signedJs(pov.gameId).toString.some) {
|
||||
goodies = Html("")) {
|
||||
<div class="lichess_game lichess_game_not_started clearfix lichess_player_@color"
|
||||
data-socket-url="@routes.Round.websocketPlayer(fullId)" >
|
||||
<div class="lichess_board_wrap">
|
||||
|
|
|
|||
|
|
@ -38,7 +38,6 @@ GET /$gameId<[\w\-]{8}> controllers.Round.watcher(g
|
|||
GET /$gameId<[\w\-]{8}>/$color<white|black> controllers.Round.watcher(gameId: String, color: String)
|
||||
GET /$fullId<[\w\-]{12}> controllers.Round.player(fullId: String)
|
||||
GET /$gameId<[\w\-]{8}>/$color<white|black>/socket controllers.Round.websocketWatcher(gameId: String, color: String)
|
||||
GET /$gameId<[\w\-]{8}>/s.js controllers.Round.signedJs(gameId: String)
|
||||
GET /$fullId<[\w\-]{12}>/socket controllers.Round.websocketPlayer(fullId: String)
|
||||
GET /$gameId<[\w\-]{8}>/$color<white|black>/table controllers.Round.tableWatcher(gameId: String, color: String)
|
||||
GET /$fullId<[\w\-]{12}>/table controllers.Round.tablePlayer(fullId: String)
|
||||
|
|
|
|||
|
|
@ -10,8 +10,6 @@ final class Env(
|
|||
db: lila.db.Env,
|
||||
system: ActorSystem,
|
||||
hub: lila.hub.Env,
|
||||
appPath: String,
|
||||
isProd: Boolean,
|
||||
scheduler: lila.common.Scheduler) {
|
||||
|
||||
private val settings = new {
|
||||
|
|
@ -47,8 +45,6 @@ final class Env(
|
|||
|
||||
lazy val rewind = Rewind
|
||||
|
||||
lazy val gameJs = new GameJs(path = jsPath, useCache = isProd)
|
||||
|
||||
// load captcher actor
|
||||
private val captcher = system.actorOf(Props(new Captcher), name = CaptcherName)
|
||||
|
||||
|
|
@ -77,9 +73,6 @@ final class Env(
|
|||
|
||||
private lazy val titivate = new Titivate(
|
||||
bookmark = hub.actor.bookmark)
|
||||
|
||||
private def jsPath =
|
||||
"%s/%s".format(appPath, isProd.fold(JsPathCompiled, JsPathRaw))
|
||||
}
|
||||
|
||||
object Env {
|
||||
|
|
@ -91,8 +84,6 @@ object Env {
|
|||
db = lila.db.Env.current,
|
||||
system = lila.common.PlayApp.system,
|
||||
hub = lila.hub.Env.current,
|
||||
appPath = app.path.getCanonicalPath,
|
||||
isProd = lila.common.PlayApp.isProd,
|
||||
scheduler = lila.common.PlayApp.scheduler
|
||||
)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,17 +0,0 @@
|
|||
package lila.game
|
||||
|
||||
private[game] final class GameJs(path: String, useCache: Boolean) {
|
||||
|
||||
def unsigned: String = useCache.fold(cached, readFromSource)
|
||||
|
||||
val placeholder = "--tkph--"
|
||||
|
||||
def sign(token: String) = unsigned.replace(placeholder, token)
|
||||
|
||||
private lazy val cached: String = readFromSource
|
||||
|
||||
private def readFromSource = {
|
||||
val source = scala.io.Source fromFile path
|
||||
source.mkString ~ { _ ⇒ source.close }
|
||||
}
|
||||
}
|
||||
|
|
@ -31,7 +31,6 @@ final class Env(
|
|||
val SocketName = config getString "socket.name"
|
||||
val SocketTimeout = config duration "socket.timeout"
|
||||
val FinisherLockTimeout = config duration "finisher.lock.timeout"
|
||||
val HijackTimeout = config duration "hijack.timeout"
|
||||
val NetDomain = config getString "net.domain"
|
||||
val ActorMapName = config getString "actor.map.name"
|
||||
}
|
||||
|
|
@ -64,8 +63,7 @@ final class Env(
|
|||
roundMap = roundMap,
|
||||
socketHub = socketHub,
|
||||
messenger = messenger,
|
||||
flood = flood,
|
||||
hijack = hijack)
|
||||
flood = flood)
|
||||
|
||||
private lazy val finisher = new Finisher(
|
||||
messenger = messenger,
|
||||
|
|
@ -117,8 +115,6 @@ final class Env(
|
|||
|
||||
private lazy val titivate = new Titivate(roundMap, meddler)
|
||||
|
||||
private lazy val hijack = new Hijack(HijackTimeout)
|
||||
|
||||
private lazy val takebacker = new Takebacker(
|
||||
messenger = messenger)
|
||||
|
||||
|
|
|
|||
|
|
@ -1,21 +0,0 @@
|
|||
package lila.round
|
||||
|
||||
import lila.game.Pov
|
||||
import lila.user.Context
|
||||
import lila.memo.ExpireSetMemo
|
||||
|
||||
import scala.concurrent.duration.Duration
|
||||
|
||||
private[round] final class Hijack(timeout: Duration) {
|
||||
|
||||
// full game ids that have been hijacked
|
||||
private val hijacks = new ExpireSetMemo(timeout)
|
||||
|
||||
def apply(pov: Pov, token: String, ctx: Context) =
|
||||
if (hijacks get pov.fullId) true
|
||||
else if (token != pov.game.token) true ~ { _ ⇒
|
||||
loginfo("[websocket] hijacking detected %s %s".format(pov.fullId, ctx.toString))
|
||||
hijacks put pov.fullId
|
||||
}
|
||||
else false
|
||||
}
|
||||
|
|
@ -19,8 +19,7 @@ private[round] final class SocketHandler(
|
|||
roundMap: ActorRef,
|
||||
socketHub: ActorRef,
|
||||
messenger: Messenger,
|
||||
flood: Flood,
|
||||
hijack: Hijack) {
|
||||
flood: Flood) {
|
||||
|
||||
private def controller(
|
||||
gameId: String,
|
||||
|
|
@ -77,17 +76,16 @@ private[round] final class SocketHandler(
|
|||
uid: String,
|
||||
ctx: Context): Fu[JsSocketHandler] =
|
||||
GameRepo.pov(gameId, colorName) flatMap {
|
||||
_ ?? { join(_, none, version, uid, "", ctx) }
|
||||
_ ?? { join(_, none, version, uid, ctx) }
|
||||
}
|
||||
|
||||
def player(
|
||||
fullId: String,
|
||||
version: Int,
|
||||
uid: String,
|
||||
token: String,
|
||||
ctx: Context): Fu[JsSocketHandler] =
|
||||
GameRepo.pov(fullId) flatMap {
|
||||
_ ?? { join(_, Some(Game takePlayerId fullId), version, uid, token, ctx) }
|
||||
_ ?? { join(_, Some(Game takePlayerId fullId), version, uid, ctx) }
|
||||
}
|
||||
|
||||
private def join(
|
||||
|
|
@ -95,7 +93,6 @@ private[round] final class SocketHandler(
|
|||
playerId: Option[String],
|
||||
version: Int,
|
||||
uid: String,
|
||||
token: String,
|
||||
ctx: Context): Fu[JsSocketHandler] = for {
|
||||
socket ← socketHub ? GetSocket(pov.gameId) mapTo manifest[ActorRef]
|
||||
join = Join(
|
||||
|
|
@ -103,7 +100,7 @@ private[round] final class SocketHandler(
|
|||
user = ctx.me,
|
||||
version = version,
|
||||
color = pov.color,
|
||||
playerId = playerId filterNot (_ ⇒ hijack(pov, token, ctx)))
|
||||
playerId = playerId)
|
||||
handler ← Handler(socket, uid, join) {
|
||||
case Connected(enum, member) ⇒
|
||||
controller(pov.gameId, socket, uid, pov.ref, member) -> enum
|
||||
|
|
|
|||
|
|
@ -647,9 +647,6 @@ var lichess_sri = Math.random().toString(36).substring(5); // 8 chars
|
|||
options: {
|
||||
name: "game"
|
||||
},
|
||||
params: {
|
||||
tk2: "--tkph--"
|
||||
},
|
||||
events: {
|
||||
ack: function() {
|
||||
clearTimeout(self.socketAckTimeout);
|
||||
|
|
|
|||
Loading…
Reference in a new issue