Block POST requests for websocket connections (#934)
parent
1686878035
commit
65cd41dbf5
|
|
@ -388,6 +388,15 @@ namespace Microsoft.AspNetCore.Sockets
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var transport = (TransportType?)connection.Metadata[ConnectionMetadataNames.Transport];
|
||||||
|
if (transport == TransportType.WebSockets)
|
||||||
|
{
|
||||||
|
_logger.PostNotAllowedForWebSockets(connection.ConnectionId);
|
||||||
|
context.Response.StatusCode = StatusCodes.Status405MethodNotAllowed;
|
||||||
|
await context.Response.WriteAsync("POST requests are not allowed for WebSocket connections.");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
// TODO: Use a pool here
|
// TODO: Use a pool here
|
||||||
|
|
||||||
byte[] buffer;
|
byte[] buffer;
|
||||||
|
|
|
||||||
|
|
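Review bot: The new guard rejects a POST only when `connection.Metadata[ConnectionMetadataNames.Transport]` already holds `TransportType.WebSockets`. If no transport has been recorded yet for that connection id, the cast yields null (or the indexer throws, depending on the Metadata type, which is not visible here), and the request carries on to the buffer-reading code below. It is worth confirming where the transport is written relative to this read and recording it above the check, for example `// Transport is recorded when the connection's first request selects it; POST is only valid for non-WebSocket transports.` if that is the contract. A 405 response is also expected to carry an `Allow` header listing the supported methods, which this branch does not set. The enclosing method starts and ends outside the hunk.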
@ -50,6 +50,9 @@ namespace Microsoft.AspNetCore.Sockets.Internal
|
||||||
private static readonly Action<ILogger, DateTime, string, TransportType, TransportType, Exception> _cannotChangeTransport =
|
private static readonly Action<ILogger, DateTime, string, TransportType, TransportType, Exception> _cannotChangeTransport =
|
||||||
LoggerMessage.Define<DateTime, string, TransportType, TransportType>(LogLevel.Debug, new EventId(7, nameof(CannotChangeTransport)), "{time}: Connection Id {connectionId}: Cannot change transports mid-connection; currently using {transportType}, requesting {requestedTransport}.");
|
LoggerMessage.Define<DateTime, string, TransportType, TransportType>(LogLevel.Debug, new EventId(7, nameof(CannotChangeTransport)), "{time}: Connection Id {connectionId}: Cannot change transports mid-connection; currently using {transportType}, requesting {requestedTransport}.");
|
||||||
|
|
||||||
|
private static readonly Action<ILogger, DateTime, string, Exception> _postNotallowedForWebsockets =
|
||||||
|
LoggerMessage.Define<DateTime, string>(LogLevel.Debug, new EventId(8, nameof(PostNotAllowedForWebSockets)), "{time}: Connection Id {connectionId}: POST requests are not allowed for websocket connections.");
|
||||||
|
|
||||||
private static readonly Action<ILogger, DateTime, string, Exception> _negotiationRequest =
|
private static readonly Action<ILogger, DateTime, string, Exception> _negotiationRequest =
|
||||||
LoggerMessage.Define<DateTime, string>(LogLevel.Debug, new EventId(8, nameof(NegotiationRequest)), "{time}: Connection Id {connectionId}: Sending negotiation response.");
|
LoggerMessage.Define<DateTime, string>(LogLevel.Debug, new EventId(8, nameof(NegotiationRequest)), "{time}: Connection Id {connectionId}: Sending negotiation response.");
|
||||||
|
|
||||||
|
|
@ -201,6 +204,14 @@ namespace Microsoft.AspNetCore.Sockets.Internal
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static void PostNotAllowedForWebSockets(this ILogger logger, string connectionId)
|
||||||
|
{
|
||||||
|
if (logger.IsEnabled(LogLevel.Debug))
|
||||||
|
{
|
||||||
|
_postNotallowedForWebsockets(logger, DateTime.Now, connectionId, null);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
public static void NegotiationRequest(this ILogger logger, string connectionId)
|
public static void NegotiationRequest(this ILogger logger, string connectionId)
|
||||||
{
|
{
|
||||||
if (logger.IsEnabled(LogLevel.Debug))
|
if (logger.IsEnabled(LogLevel.Debug))
|
||||||
|
|
|
||||||
|
|
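Review bot: The new `_postNotallowedForWebsockets` message in the first hunk of this file is defined with `new EventId(8, ...)`, the same id that `_negotiationRequest` uses two lines below it, so the two events cannot be told apart by id in log filters or alerting rules. It should take an id no other message uses; the remaining ids in the file are outside the hunk, so something like `new EventId(<next unused id>, nameof(PostNotAllowedForWebSockets))` once the free value is confirmed. The field name also mixes casing against the method it backs; `_postNotAllowedForWebSockets` would match `PostNotAllowedForWebSockets`. Because a rejected POST is logged only at `LogLevel.Debug`, consider whether operators need it at a level that is collected in production.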
@ -150,6 +150,40 @@ namespace Microsoft.AspNetCore.Sockets.Tests
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
[Fact]
|
||||||
|
public async Task PostNotAllowedForWebSocketConnections()
|
||||||
|
{
|
||||||
|
var manager = CreateConnectionManager();
|
||||||
|
var dispatcher = new HttpConnectionDispatcher(manager, new LoggerFactory());
|
||||||
|
var connection = manager.CreateConnection();
|
||||||
|
connection.Metadata[ConnectionMetadataNames.Transport] = TransportType.WebSockets;
|
||||||
|
|
||||||
|
using (var strm = new MemoryStream())
|
||||||
|
{
|
||||||
|
var context = new DefaultHttpContext();
|
||||||
|
context.Response.Body = strm;
|
||||||
|
|
||||||
|
var services = new ServiceCollection();
|
||||||
|
services.AddEndPoint<TestEndPoint>();
|
||||||
|
services.AddOptions();
|
||||||
|
context.Request.Path = "/foo";
|
||||||
|
context.Request.Method = "POST";
|
||||||
|
var values = new Dictionary<string, StringValues>();
|
||||||
|
values["id"] = connection.ConnectionId;
|
||||||
|
var qs = new QueryCollection(values);
|
||||||
|
context.Request.Query = qs;
|
||||||
|
|
||||||
|
var builder = new SocketBuilder(services.BuildServiceProvider());
|
||||||
|
builder.UseEndPoint<TestEndPoint>();
|
||||||
|
var app = builder.Build();
|
||||||
|
await dispatcher.ExecuteAsync(context, new HttpSocketOptions(), app);
|
||||||
|
|
||||||
|
Assert.Equal(StatusCodes.Status405MethodNotAllowed, context.Response.StatusCode);
|
||||||
|
await strm.FlushAsync();
|
||||||
|
Assert.Equal("POST requests are not allowed for WebSocket connections.", Encoding.UTF8.GetString(strm.ToArray()));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
[Theory]
|
[Theory]
|
||||||
[InlineData(TransportType.ServerSentEvents)]
|
[InlineData(TransportType.ServerSentEvents)]
|
||||||
[InlineData(TransportType.LongPolling)]
|
[InlineData(TransportType.LongPolling)]
|
||||||
|
|
|
||||||
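Review bot: `PostNotAllowedForWebSocketConnections` sends a POST with no request body, so it checks the status code and message but not that a payload is kept away from the WebSocket connection, which is the property the change is meant to guarantee. Assigning a non-empty `MemoryStream` to `context.Request.Body` and asserting it was left unread, e.g. `Assert.Equal(0, context.Request.Body.Position);`, would pin that down. The `await strm.FlushAsync();` before reading `strm.ToArray()` has no effect on a `MemoryStream` and can be dropped. A second case where the connection has no transport recorded yet would document what the dispatcher does for a POST in that state.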