|
| 1 | +/** |
| 2 | + * HTTP transport CSRF / DNS-rebinding guard test (finding 019eff5a). |
| 3 | + * |
| 4 | + * The documented no-auth loopback mode (`s1-secops-mcp --transport http`, no |
| 5 | + * bearer tokens) used to dispatch any POST /mcp regardless of Origin or Host, |
| 6 | + * so a browser page — or a DNS-rebinding attack — on the operator's workstation |
| 7 | + * could invoke every state-changing tool. After the fix, in no-auth mode: |
| 8 | + * - a request carrying any Origin header is rejected 403 |
| 9 | + * - a request whose Host header is not the loopback bind is rejected 403 |
| 10 | + * - a normal non-browser request (no Origin, loopback Host) still works |
| 11 | + * |
| 12 | + * fetch() forbids setting Origin/Host, so we use the raw node:http client. |
| 13 | + */ |
| 14 | + |
| 15 | +import { test } from 'node:test'; |
| 16 | +import assert from 'node:assert/strict'; |
| 17 | +import { spawn } from 'node:child_process'; |
| 18 | +import http from 'node:http'; |
| 19 | +import { mkdtempSync, writeFileSync, rmSync } from 'node:fs'; |
| 20 | +import { tmpdir } from 'node:os'; |
| 21 | +import { join, dirname, resolve } from 'node:path'; |
| 22 | +import { fileURLToPath } from 'node:url'; |
| 23 | + |
| 24 | +const __dir = dirname(fileURLToPath(import.meta.url)); |
| 25 | +const SERVER = resolve(__dir, '..', 'index.js'); |
| 26 | + |
| 27 | +async function waitForHealth(port, attempts = 50) { |
| 28 | + for (let i = 0; i < attempts; i++) { |
| 29 | + try { |
| 30 | + const r = await fetch(`http://127.0.0.1:${port}/healthz`); |
| 31 | + if (r.ok) return; |
| 32 | + } catch { /* retry */ } |
| 33 | + await new Promise(r => setTimeout(r, 100)); |
| 34 | + } |
| 35 | + throw new Error(`Server did not become healthy on port ${port}`); |
| 36 | +} |
| 37 | + |
| 38 | +function spawnServer(env = {}) { |
| 39 | + const port = 9000 + Math.floor(Math.random() * 1000); |
| 40 | + const child = spawn(process.execPath, [SERVER, '--transport', 'http', '--port', String(port), '--host', '127.0.0.1'], { |
| 41 | + stdio: ['ignore', 'ignore', 'pipe'], |
| 42 | + env: { ...process.env, ...env }, |
| 43 | + }); |
| 44 | + let stderrBuf = ''; |
| 45 | + child.stderr.on('data', c => { stderrBuf += c.toString('utf-8'); }); |
| 46 | + return { child, port, getStderr: () => stderrBuf }; |
| 47 | +} |
| 48 | + |
| 49 | +/** Raw HTTP POST so we can set the forbidden-in-fetch Origin / Host headers. */ |
| 50 | +function rawPost(port, body, headers = {}) { |
| 51 | + return new Promise((resolve, reject) => { |
| 52 | + const data = Buffer.from(body, 'utf-8'); |
| 53 | + const req = http.request({ |
| 54 | + hostname: '127.0.0.1', |
| 55 | + port, |
| 56 | + path: '/mcp', |
| 57 | + method: 'POST', |
| 58 | + headers: { 'Content-Type': 'application/json', 'Content-Length': data.length, ...headers }, |
| 59 | + }, (res) => { |
| 60 | + let buf = ''; |
| 61 | + res.on('data', c => { buf += c; }); |
| 62 | + res.on('end', () => resolve({ status: res.statusCode, body: buf })); |
| 63 | + }); |
| 64 | + req.on('error', reject); |
| 65 | + req.write(data); |
| 66 | + req.end(); |
| 67 | + }); |
| 68 | +} |
| 69 | + |
| 70 | +function rpc(id, method, params = {}) { |
| 71 | + return JSON.stringify({ jsonrpc: '2.0', id, method, params }); |
| 72 | +} |
| 73 | + |
| 74 | +async function withServer(env, fn) { |
| 75 | + const { child, port, getStderr } = spawnServer(env); |
| 76 | + try { |
| 77 | + await waitForHealth(port); |
| 78 | + await fn(port); |
| 79 | + } finally { |
| 80 | + child.kill('SIGTERM'); |
| 81 | + await new Promise(r => setTimeout(r, 100)); |
| 82 | + if (!child.killed) child.kill('SIGKILL'); |
| 83 | + } |
| 84 | +} |
| 85 | + |
| 86 | +test('guard(no-auth): request with an Origin header is rejected 403', async () => { |
| 87 | + await withServer({}, async (port) => { |
| 88 | + const r = await rawPost(port, rpc(1, 'tools/list'), { Origin: 'https://evil.example' }); |
| 89 | + assert.equal(r.status, 403); |
| 90 | + const body = JSON.parse(r.body); |
| 91 | + assert.equal(body.error.code, -32001); |
| 92 | + }); |
| 93 | +}); |
| 94 | + |
| 95 | +test('guard(no-auth): DNS-rebind Host header is rejected 403', async () => { |
| 96 | + await withServer({}, async (port) => { |
| 97 | + const r = await rawPost(port, rpc(1, 'tools/list'), { Host: `rebind.attacker.example:${port}` }); |
| 98 | + assert.equal(r.status, 403); |
| 99 | + const body = JSON.parse(r.body); |
| 100 | + assert.equal(body.error.code, -32001); |
| 101 | + }); |
| 102 | +}); |
| 103 | + |
| 104 | +test('guard(no-auth): simple text/plain cross-origin POST is rejected 403', async () => { |
| 105 | + // The pre-fix bypass: a "simple" cross-origin fetch with text/plain sends an |
| 106 | + // Origin header but no preflight. The Origin check must still catch it. |
| 107 | + await withServer({}, async (port) => { |
| 108 | + const r = await rawPost(port, rpc(1, 'tools/list'), { |
| 109 | + Origin: 'https://example.com', |
| 110 | + 'Content-Type': 'text/plain', |
| 111 | + }); |
| 112 | + assert.equal(r.status, 403); |
| 113 | + }); |
| 114 | +}); |
| 115 | + |
| 116 | +test('guard(no-auth): normal non-browser request (no Origin, loopback Host) still works', async () => { |
| 117 | + await withServer({}, async (port) => { |
| 118 | + const r = await rawPost(port, rpc(1, 'tools/list')); |
| 119 | + assert.equal(r.status, 200); |
| 120 | + const body = JSON.parse(r.body); |
| 121 | + assert.equal(body.result.tools.length, 26); |
| 122 | + }); |
| 123 | +}); |
| 124 | + |
| 125 | +test('guard(no-auth): localhost Host with matching port is allowed', async () => { |
| 126 | + await withServer({}, async (port) => { |
| 127 | + const r = await rawPost(port, rpc(1, 'tools/list'), { Host: `localhost:${port}` }); |
| 128 | + assert.equal(r.status, 200); |
| 129 | + }); |
| 130 | +}); |
| 131 | + |
| 132 | +test('guard(auth): authenticated path is unaffected by Origin (proxy compatibility)', async () => { |
| 133 | + // When bearer auth is configured (systemd / Caddy team path), the token |
| 134 | + // already blocks browsers, and a reverse proxy may legitimately forward a |
| 135 | + // public Host/Origin. The guard is scoped to no-auth mode, so a valid token |
| 136 | + // with an Origin header must still succeed. |
| 137 | + const goodToken = 'alice-token-' + 'x'.repeat(20); |
| 138 | + const dir = mkdtempSync(join(tmpdir(), 'mcp-auth-')); |
| 139 | + const file = join(dir, 'tokens.json'); |
| 140 | + writeFileSync(file, JSON.stringify({ alice: goodToken }), { mode: 0o600 }); |
| 141 | + try { |
| 142 | + await withServer({ MCP_BEARER_TOKENS_FILE: file }, async (port) => { |
| 143 | + const r = await rawPost(port, rpc(1, 'tools/list'), { |
| 144 | + Origin: 'https://proxy.s1.internal', |
| 145 | + Authorization: `Bearer ${goodToken}`, |
| 146 | + }); |
| 147 | + assert.equal(r.status, 200); |
| 148 | + }); |
| 149 | + } finally { |
| 150 | + rmSync(dir, { recursive: true, force: true }); |
| 151 | + } |
| 152 | +}); |
0 commit comments