[DAEMON-272] appcd-subprocess: Remove HTTP source check
GitHub Issue | n/a |
---|---|
Type | Improvement |
Priority | Medium |
Status | Resolved |
Resolution | Fixed |
Resolution Date | 2019-02-15T03:31:19.000+0000 |
Affected Version/s | n/a |
Fix Version/s | Appc Daemon 2.0.0 |
Components | appcd-subprocess |
Labels | n/a |
Reporter | Chris Barber |
Assignee | Chris Barber |
Created | 2019-02-14T23:28:36.000+0000 |
Updated | 2019-02-15T03:31:19.000+0000 |
Description
The `SubprocessManager` has a false security measure where only requests from internal routes and plugins and requests from WebSockets can spawn commands. Requests from HTTP are forbidden.
Since WebSockets requests are essentially HTTP requests, there's no point blocking HTTP requests. The daemon's web server listens on localhost only, so there's no way for an outside actor to spawn a command.
To make things worse, the check to see if the source is indeed "http" is broken. It checks if `ctx.request.source` is "http" when it should be checking `ctx.source`.
This restriction is pointless and does not work. It should just be removed.
https://github.com/appcelerator/appc-daemon/pull/353
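
The failure mode the ticket describes, a deny check that reads the wrong property and therefore never fires, shown as an added example that is not code from appc-daemon. The context shape, the handler, the request path and the `internal`/`websocket` source strings are constructed assumptions; only `ctx.source`, `ctx.request.source` and `"http"` come from the ticket.

```javascript
// Constructed stand-in for a dispatcher context. The shape (a top-level
// `source`, and a `request` object that carries no `source`) is an assumption
// based on the ticket's wording, not copied from appcd-subprocess.
function makeCtx(source) {
  return { source, request: { path: '/spawn/node', data: { args: ['-v'] } } };
}

// The guard as the ticket describes it: ctx.request.source is never set, so
// this is always `undefined === 'http'` and the guard never fires.
function brokenIsHttp(ctx) {
  return ctx.request.source === 'http';
}

// The guard as the ticket says it should have been written.
function intendedIsHttp(ctx) {
  return ctx.source === 'http';
}

// Hypothetical handler: 403 when the guard fires, 200 otherwise.
function handleSpawn(ctx, isHttp) {
  return isHttp(ctx) ? 403 : 200;
}

// Run each request source through a guard and collect the status codes.
function statusBySource(isHttp) {
  const out = {};
  for (const source of ['internal', 'websocket', 'http']) {
    out[source] = handleSpawn(makeCtx(source), isHttp);
  }
  return out;
}

// Negative test: a deny rule must be shown to deny the case it exists for.
// Tests that only exercise allowed sources pass with either guard.
function guardDeniesHttp(isHttp) {
  return statusBySource(isHttp).http === 403;
}

console.log('broken  :', statusBySource(brokenIsHttp));
console.log('intended:', statusBySource(intendedIsHttp));
console.log('broken guard denies http?  ', guardDeniesHttp(brokenIsHttp));
console.log('intended guard denies http?', guardDeniesHttp(intendedIsHttp));
```

A comparison against a missing property fails open without raising an error, which is why a check like this can ship unnoticed unless a test asserts the rejection path.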