Merge pull request rancher-sandbox#8286 from mook-as/rdx/disable-cors

RDX: Bypass CORS

Author: Nino-K

.eslintrc.js

@@ -238,6 +238,9 @@ Object.assign(module.exports.rules, {
 
   // destructuring: don't error if `a` is reassigned, but `b` is never reassigned
   'prefer-const': ['error', { destructuring: 'all' }],
+
+  // This one assumes all callbacks have errors in the first argument, which isn't likely.
+  'n/no-callback-literal': 'off',
 });
 module.exports.rules['key-spacing'][1].align.mode = 'strict';
 

.github/actions/spelling/expect.txt

@@ -658,6 +658,7 @@ poweroff
 PQgrl
 prakhar
 prebuilds
+preflights
 Privs
 PROCARGS
 procnet

background.ts

@@ -183,8 +183,12 @@ mainEvents.handle('settings-fetch', () => {
 Electron.protocol.registerSchemesAsPrivileged([{ scheme: 'app' }, {
   scheme:     'x-rd-extension',
   privileges: {
-    standard:        true,
-    supportFetchAPI: true,
+    standard:            true,
+    secure:              true,
+    bypassCSP:           true,
+    allowServiceWorkers: true,
+    supportFetchAPI:     true,
+    corsEnabled:         true,
   },
 }]);
 

pkg/rancher-desktop/main/extensions/extensions.ts

@@ -287,6 +287,11 @@ export class ExtensionImpl implements Extension {
       console.error(`Ignoring error running ${ this.id } post-install script: ${ ex }`);
     }
 
+    // Since we now run extensions in a separate session, register the protocol handler there.
+    const encodedId = Buffer.from(this.id).toString('hex');
+
+    await mainEvents.invoke('extensions/register-protocol', `persist:rdx-${ encodedId }`);
+
     console.debug(`Install ${ this.id }: install complete.`);
 
     return true;

pkg/rancher-desktop/main/mainEvents.ts

@@ -130,6 +130,12 @@ interface MainEventNames {
    */
   'extensions/shutdown'(): Promise<void>;
 
+  /**
+   * Register the extension protocol handler in the given webContents partition.
+   * @param partition The partition name; likely "persist:rdx-..."
+   */
+  'extensions/register-protocol'(partition: string): Promise<void>;
+
   /**
    * Emitted on application quit, used to shut down any integrations.  This
    * requires feedback from the handler to know when all tasks are complete.

pkg/rancher-desktop/main/networking/index.ts

@@ -62,15 +62,15 @@ export default async function setupNetworking() {
       pluginDevUrls.some(x => url.startsWith(x))
     ) {
       event.preventDefault();
-      // eslint-disable-next-line n/no-callback-literal
+
       callback(true);
 
       return;
     }
 
     if (dashboardUrls.some(x => url.startsWith(x)) && 'dashboard' in windowMapping) {
       event.preventDefault();
-      // eslint-disable-next-line n/no-callback-literal
+
       callback(true);
 
       return;
@@ -87,7 +87,7 @@ export default async function setupNetworking() {
           // an attacker generating a cert with the same serial.
           if (cert === certificate.data.replace(/\r/g, '')) {
             console.log(`Accepting system certificate for ${ certificate.subjectName } (${ certificate.fingerprint })`);
-            // eslint-disable-next-line n/no-callback-literal
+
             callback(true);
 
             return;
@@ -100,7 +100,6 @@ export default async function setupNetworking() {
 
     console.log(`Not handling certificate error ${ error } for ${ url }`);
 
-    // eslint-disable-next-line n/no-callback-literal
     callback(false);
   });
 

pkg/rancher-desktop/utils/protocols.ts

@@ -1,8 +1,9 @@
 import path from 'path';
 import { URL, pathToFileURL } from 'url';
 
-import { app, protocol, net } from 'electron';
+import Electron from 'electron';
 
+import mainEvents from '@pkg/main/mainEvents';
 import { isDevBuild } from '@pkg/utils/environment';
 import Latch from '@pkg/utils/latch';
 import Logging from '@pkg/utils/logging';
@@ -20,8 +21,8 @@ function redirectedUrl(relPath: string) {
   if (isDevBuild) {
     return `http://localhost:8888${ relPath }`;
   }
-  if (app.isPackaged) {
-    return path.join(app.getAppPath(), 'dist', 'app', relPath);
+  if (Electron.app.isPackaged) {
+    return path.join(Electron.app.getAppPath(), 'dist', 'app', relPath);
   }
 
   // Unpackaged non-dev build; this normally means E2E tests, where
@@ -41,17 +42,17 @@ export const protocolsRegistered = Latch();
  * production environments.
  */
 function setupAppProtocolHandler() {
-  protocol.handle(
+  Electron.protocol.handle(
     'app',
     (request) => {
       const relPath = new URL(request.url).pathname;
       const redirectUrl = redirectedUrl(relPath);
 
       if (isDevBuild) {
-        return net.fetch(redirectUrl);
+        return Electron.net.fetch(redirectUrl);
       }
 
-      return net.fetch(pathToFileURL(redirectUrl).toString());
+      return Electron.net.fetch(pathToFileURL(redirectUrl).toString());
     });
 }
 
@@ -62,26 +63,36 @@ function setupAppProtocolHandler() {
  * x-rd-extension://<extension id>/...
  * Where the extension id is the extension image id, hex encoded (to avoid
  * issues with slashes).  Base64 was not available in Vue.
+ * @param partition The Electron session partition name; if unset, set it up for
+ *                  the default session.
  */
-function setupExtensionProtocolHandler() {
-  protocol.handle(
-    'x-rd-extension',
-    (request) => {
-      const url = new URL(request.url);
-      // Re-encoding the extension ID here also ensures it doesn't contain any
-      // directory traversal etc. issues.
-      const extensionID = Buffer.from(url.hostname, 'hex').toString('base64url');
-      const resourcePath = path.normalize(url.pathname);
-      const filepath = path.join(paths.extensionRoot, extensionID, resourcePath);
+function setupExtensionProtocolHandler(partition?: string): Promise<void> {
+  const scheme = 'x-rd-extension';
+  const session = partition ? Electron.session.fromPartition(partition) : Electron.session.defaultSession;
 
-      return net.fetch(pathToFileURL(filepath).toString());
-    });
+  if (!session.protocol.isProtocolHandled(scheme)) {
+    session.protocol.handle(
+      scheme,
+      (request) => {
+        const url = new URL(request.url);
+        // Re-encoding the extension ID here also ensures it doesn't contain any
+        // directory traversal etc. issues.
+        const extensionID = Buffer.from(url.hostname, 'hex').toString('base64url');
+        const resourcePath = path.normalize(url.pathname);
+        const filepath = path.join(paths.extensionRoot, extensionID, resourcePath);
+
+        return Electron.net.fetch(pathToFileURL(filepath).toString());
+      });
+  }
+
+  return Promise.resolve();
 }
 
 export function setupProtocolHandlers() {
   try {
     setupAppProtocolHandler();
     setupExtensionProtocolHandler();
+    mainEvents.handle('extensions/register-protocol', setupExtensionProtocolHandler);
 
     protocolsRegistered.resolve();
   } catch (ex) {

pkg/rancher-desktop/window/index.ts

@@ -52,6 +52,10 @@ export function getWindow(name: string): Electron.BrowserWindow | null {
   return (name in windowMapping) ? BrowserWindow.fromId(windowMapping[name]) : null;
 }
 
+function isInternalURL(url: string) {
+  return url.startsWith(`${ webRoot }/`) || url.startsWith('x-rd-extension://');
+}
+
 /**
  * Open a given window; if it is already open, focus it.
  * @param name The window identifier; this controls window re-use.
@@ -65,10 +69,6 @@ export function createWindow(name: string, url: string, options: Electron.Browse
     return window;
   }
 
-  const isInternalURL = (url: string) => {
-    return url.startsWith(`${ webRoot }/`) || url.startsWith('x-rd-extension://');
-  };
-
   window = new BrowserWindow(options);
   window.webContents.on('console-message', (event, level, message, line, sourceId) => {
     const levelNum = level === 0 ? 0 : level === 1 ? 1 : level === 2 ? 2 : level === 3 ? 3 : 0;
@@ -197,7 +197,7 @@ let lastOpenExtension: { id: string, relPath: string } | undefined;
 /**
  * Attaches a browser view to the main window
  */
-const createView = () => {
+function createView() {
   const mainWindow = getWindow('main');
   const hostInfo = {
     arch:     process.arch,
@@ -208,15 +208,71 @@ const createView = () => {
     throw new Error('Failed to get main window, cannot create view');
   }
 
-  view = new WebContentsView({
-    webPreferences: {
-      nodeIntegration:     false,
-      contextIsolation:    true,
-      preload:             path.join(paths.resources, 'preload.js'),
-      sandbox:             true,
-      additionalArguments: [JSON.stringify(hostInfo)],
-    },
-  });
+  const webPreferences: Electron.WebPreferences = {
+    nodeIntegration:     false,
+    contextIsolation:    true,
+    preload:             path.join(paths.resources, 'preload.js'),
+    sandbox:             true,
+    additionalArguments: [JSON.stringify(hostInfo)],
+  };
+
+  if (currentExtension?.id) {
+    webPreferences.partition = `persist:rdx-${ currentExtension.id }`;
+    const webRequest = Electron.session.fromPartition(webPreferences.partition).webRequest;
+
+    webRequest.onBeforeSendHeaders((details, callback) => {
+      const source = details.webContents?.getURL() ?? '';
+      const requestHeaders = { ...details.requestHeaders };
+
+      if (isInternalURL(source)) {
+        // If the request is coming from the extension, remove the Origin: header
+        // because it has x-rd-extension:// nonsense (relative to the server).
+        delete requestHeaders.Origin;
+      }
+      callback({ requestHeaders });
+    });
+
+    webRequest.onHeadersReceived((details, callback) => {
+      const sourceURL = details.webContents?.getURL() ?? '';
+
+      if (!isInternalURL(sourceURL)) {
+        // Do not rewrite requests from outside the extension (e.g. iframe).
+        callback({});
+
+        return;
+      }
+
+      // Insert (or overwrite) CORS headers to pretend this was allowed.  While
+      // ideally we can just disable `webSecurity` instead, that seems to break
+      // the preload script (which breaks the extension APIs).
+      const responseHeaders: Record<string, string|string[]> = { ...details.responseHeaders };
+      // HTTP headers use case-insensitive comparison; but accents should count
+      // as different characters (even though it should be ASCII only).
+      const { compare } = new Intl.Collator('en', { sensitivity: 'accent' });
+      const overwriteHeaders = [
+        'Access-Control-Allow-Headers',
+        'Access-Control-Allow-Methods',
+        'Access-Control-Allow-Origin',
+      ];
+
+      for (const header of overwriteHeaders) {
+        const match = Object.keys(responseHeaders).find(k => compare(header, k) === 0);
+
+        responseHeaders[match ?? header] = '*';
+      }
+
+      if (details.method !== 'OPTIONS') {
+        // For any request that's not a CORS preflight, just overwrite the headers.
+        callback({ responseHeaders });
+      } else {
+        // For CORS preflights, also change the status code.
+        const prefix = /\s+/.exec(details.statusLine)?.shift() ?? 'HTTP/1.1';
+
+        callback({ responseHeaders, statusLine: `${ prefix } 204 No Content` });
+      }
+    });
+  }
+  view = new WebContentsView({ webPreferences });
   mainWindow.contentView.addChildView(view);
   mainWindow.contentView.addListener('bounds-changed', () => {
     setImmediate(() => mainWindow.webContents.send('extensions/getContentArea'));
@@ -225,7 +281,7 @@ const createView = () => {
   const backgroundColor = nativeTheme.shouldUseDarkColors ? '#202c33' : '#f4f4f6';
 
   view.setBackgroundColor(backgroundColor);
-};
+}
 
 /**
  * Updates the browser view size and position