Block POST requests for websocket connections (#934)
parent
1686878035
commit
65cd41dbf5
|
|
@ -388,6 +388,15 @@ namespace Microsoft.AspNetCore.Sockets
|
|||
return;
|
||||
}
|
||||
|
||||
var transport = (TransportType?)connection.Metadata[ConnectionMetadataNames.Transport];
|
||||
if (transport == TransportType.WebSockets)
|
||||
{
|
||||
_logger.PostNotAllowedForWebSockets(connection.ConnectionId);
|
||||
context.Response.StatusCode = StatusCodes.Status405MethodNotAllowed;
|
||||
await context.Response.WriteAsync("POST requests are not allowed for WebSocket connections.");
|
||||
return;
|
||||
}
|
||||
|
||||
// TODO: Use a pool here
|
||||
|
||||
byte[] buffer;
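Review bot: The 405 written in the new `if (transport == TransportType.WebSockets)` branch carries no `Allow` header, which RFC 7231 section 6.5.5 requires on a Method Not Allowed response. Assuming GET is the only method this path accepts for a WebSocket connection, add `context.Response.Headers["Allow"] = "GET";` before the `WriteAsync` call. Also set `context.Response.ContentType = "text/plain";` so the body is not left for the client to sniff. The cast `(TransportType?)connection.Metadata[ConnectionMetadataNames.Transport]` relies on the indexer returning null when no transport has been recorded yet. The hunk does not show that, so it is worth confirming or commenting. The enclosing method starts and ends outside the hunk.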
|
||||
|
|
|
|||
|
|
@ -50,6 +50,9 @@ namespace Microsoft.AspNetCore.Sockets.Internal
|
|||
private static readonly Action<ILogger, DateTime, string, TransportType, TransportType, Exception> _cannotChangeTransport =
|
||||
LoggerMessage.Define<DateTime, string, TransportType, TransportType>(LogLevel.Debug, new EventId(7, nameof(CannotChangeTransport)), "{time}: Connection Id {connectionId}: Cannot change transports mid-connection; currently using {transportType}, requesting {requestedTransport}.");
|
||||
|
||||
private static readonly Action<ILogger, DateTime, string, Exception> _postNotallowedForWebsockets =
|
||||
LoggerMessage.Define<DateTime, string>(LogLevel.Debug, new EventId(8, nameof(PostNotAllowedForWebSockets)), "{time}: Connection Id {connectionId}: POST requests are not allowed for websocket connections.");
|
||||
|
||||
private static readonly Action<ILogger, DateTime, string, Exception> _negotiationRequest =
|
||||
LoggerMessage.Define<DateTime, string>(LogLevel.Debug, new EventId(8, nameof(NegotiationRequest)), "{time}: Connection Id {connectionId}: Sending negotiation response.");
|
||||
|
||||
|
|
@ -201,6 +204,14 @@ namespace Microsoft.AspNetCore.Sockets.Internal
|
|||
}
|
||||
}
|
||||
|
||||
public static void PostNotAllowedForWebSockets(this ILogger logger, string connectionId)
|
||||
{
|
||||
if (logger.IsEnabled(LogLevel.Debug))
|
||||
{
|
||||
_postNotallowedForWebsockets(logger, DateTime.Now, connectionId, null);
|
||||
}
|
||||
}
|
||||
|
||||
public static void NegotiationRequest(this ILogger logger, string connectionId)
|
||||
{
|
||||
if (logger.IsEnabled(LogLevel.Debug))
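Review bot: The new `_postNotallowedForWebsockets` definition in the first hunk uses `new EventId(8, nameof(PostNotAllowedForWebSockets))`, while the `_negotiationRequest` definition directly below it also uses event id 8. Anyone filtering or alerting on rejected POSTs by numeric event id will also match every negotiation response. One of the two needs a distinct number, for example `new EventId(9, nameof(NegotiationRequest))` if 9 is unused; the later ids are not visible in this hunk, so check the rest of the file. The field name is also cased differently from the method it backs. `_postNotAllowedForWebSockets` would match `PostNotAllowedForWebSockets` and the neighbouring fields.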
|
||||
|
|
|
|||
|
|
@ -150,6 +150,40 @@ namespace Microsoft.AspNetCore.Sockets.Tests
|
|||
}
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task PostNotAllowedForWebSocketConnections()
|
||||
{
|
||||
var manager = CreateConnectionManager();
|
||||
var dispatcher = new HttpConnectionDispatcher(manager, new LoggerFactory());
|
||||
var connection = manager.CreateConnection();
|
||||
connection.Metadata[ConnectionMetadataNames.Transport] = TransportType.WebSockets;
|
||||
|
||||
using (var strm = new MemoryStream())
|
||||
{
|
||||
var context = new DefaultHttpContext();
|
||||
context.Response.Body = strm;
|
||||
|
||||
var services = new ServiceCollection();
|
||||
services.AddEndPoint<TestEndPoint>();
|
||||
services.AddOptions();
|
||||
context.Request.Path = "/foo";
|
||||
context.Request.Method = "POST";
|
||||
var values = new Dictionary<string, StringValues>();
|
||||
values["id"] = connection.ConnectionId;
|
||||
var qs = new QueryCollection(values);
|
||||
context.Request.Query = qs;
|
||||
|
||||
var builder = new SocketBuilder(services.BuildServiceProvider());
|
||||
builder.UseEndPoint<TestEndPoint>();
|
||||
var app = builder.Build();
|
||||
await dispatcher.ExecuteAsync(context, new HttpSocketOptions(), app);
|
||||
|
||||
Assert.Equal(StatusCodes.Status405MethodNotAllowed, context.Response.StatusCode);
|
||||
await strm.FlushAsync();
|
||||
Assert.Equal("POST requests are not allowed for WebSocket connections.", Encoding.UTF8.GetString(strm.ToArray()));
|
||||
}
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[InlineData(TransportType.ServerSentEvents)]
|
||||
[InlineData(TransportType.LongPolling)]
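Review bot: `PostNotAllowedForWebSocketConnections` sends a POST with no request body, so it proves the status code and message but not that a payload is discarded rather than forwarded to the connection. Consider giving `context.Request.Body` a small payload and asserting afterwards that nothing reached the connection's inbound side, using whatever accessor the existing tests already rely on. A short comment such as `// WebSocket connections must only receive data over the socket itself` above the `[Fact]` would record why the 405 is expected. The `[Theory]` that follows the new test continues outside the hunk.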
|
||||
|
|
|
|||