Commits · 1b490476e5517931b8d31a6636e7008771db201d · dms3 / go-dms3

05 Apr, 2020 1 commit

HTTP API: Disallow GET requests on API · 1b490476

Hector Sanjuan authored Apr 04, 2020

This commit upgrades go-ipfs-cmds and configures the commands HTTP API Handler
to only allow POST/OPTIONS, disallowing GET and others in the handling of
command requests in the IPFS HTTP API (where before every type of request
method was handled, with GET/POST/PUT/PATCH being equivalent).

The Read-Only commands that the HTTP API attaches to the gateway endpoint will
additional handled GET as they did before (but stop handling PUT,DELETEs).

By limiting the request types we address the possibility that a website
accessed by a browser abuses the IPFS API by issuing GET requests to it which
have no Origin or Referrer set, and are thus bypass CORS and CSRF protections.

This is a breaking change for clients that relay on GET requests against the
HTTP endpoint (usually :5001). Applications integrating on top of the
gateway-read-only API should still work (including cross-domain access).
Co-Authored-By: Steven Allen <steven@stebalien.com>
Co-Authored-By: Marcin Rataj <lidel@lidel.org>

1b490476

09 Mar, 2020 1 commit
- ci: update to go 1.14 · a68c1af9
  Steven Allen authored Mar 06, 2020
  
  a68c1af9
26 Feb, 2020 1 commit
- test(graphsync): test server-side graphsync · 58573107
  Steven Allen authored Feb 17, 2020
  
  58573107
12 Sep, 2019 1 commit

build: fix golangci again · 315a3c9e

Steven Allen authored Sep 12, 2019

The patches that required the replace directives have been merged upstream.
Unfortunately, those branches have now been deleted, breaking the build.

GAH!

315a3c9e

11 Sep, 2019 1 commit

make: move all test deps to a separate module · a8fbd066

Steven Allen authored Sep 11, 2019

1. This means those deps don't get pulled in unless we actually need to test.
2. It means we can cordon all the golangci-lint module replace hacks off into a
   separate package.

a8fbd066