(req: IncomingMessage, res: ServerResponse)
| 36 | const DEFAULT_UPSTREAM_TIMEOUT_MS = 10_000; |
| 37 | |
| 38 | export function rejectIfNotLoopbackApi(req: IncomingMessage, res: ServerResponse): boolean { |
| 39 | const peerAddress = req.socket?.remoteAddress; |
| 40 | if (peerAddress !== undefined && !isLoopbackAddress(peerAddress)) { |
| 41 | emitProblem( |
| 42 | res, |
| 43 | 403, |
| 44 | 'urn:ok:error:loopback-required', |
| 45 | 'Request must originate from a loopback address.', |
| 46 | ); |
| 47 | return true; |
| 48 | } |
| 49 | if (!isAllowedWorkspaceHostHeader(req.headers.host)) { |
| 50 | emitProblem( |
| 51 | res, |
| 52 | 403, |
| 53 | 'urn:ok:error:host-not-allowed', |
| 54 | 'Host header is not in the loopback allowlist.', |
| 55 | ); |
| 56 | return true; |
| 57 | } |
| 58 | const origin = req.headers.origin; |
| 59 | if (origin !== undefined && !isAllowedApiOrigin(origin)) { |
| 60 | emitProblem( |
| 61 | res, |
| 62 | 403, |
| 63 | 'urn:ok:error:invalid-origin', |
| 64 | 'Origin header is not in the loopback allowlist.', |
| 65 | ); |
| 66 | return true; |
| 67 | } |
| 68 | return false; |
| 69 | } |
| 70 | |
| 71 | /** Per-request client-side deadline — prevents a malicious/local slow-loris peer |
| 72 | * from pinning the proxy socket indefinitely. 30s leaves ample margin over the |
no test coverage detected