fix(play): add security flag (#126)

* fix(play): add security flag

* fix(play): linting error

Author: adrienaury

cmd/pimo/main.go

@@ -116,10 +116,11 @@ There is NO WARRANTY, to the extent permitted by law.`, version, commit, buildDa
 	})
 
 	playPort := 3010
+	playSecure := false
 	playCmd := &cobra.Command{
 		Use: "play",
 		Run: func(cmd *cobra.Command, args []string) {
-			router := pimo.Play()
+			router := pimo.Play(playSecure)
 			port := fmt.Sprintf("0.0.0.0:%d", playPort)
 
 			if err := router.Start(port); err != nil {
@@ -128,6 +129,7 @@ There is NO WARRANTY, to the extent permitted by law.`, version, commit, buildDa
 		},
 	}
 	playCmd.PersistentFlags().IntVarP(&playPort, "port", "p", 3010, "port number")
+	playCmd.PersistentFlags().BoolVarP(&playSecure, "secure", "s", false, "enable security features (use this flag if PIMO Play is publicly exposed)")
 	rootCmd.AddCommand(playCmd)
 
 	if err := rootCmd.Execute(); err != nil {

internal/app/pimo/play.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io/fs"
 	"net/http"
+	"net/url"
 	"strings"
 
 	"github.com/cgi-fr/pimo/pkg/jsonline"
@@ -17,7 +18,7 @@ import (
 //go:embed client
 var content embed.FS
 
-func Play() *echo.Echo {
+func Play(enableSecurity bool) *echo.Echo {
 	router := echo.New()
 
 	router.Use(middleware.CORS())
@@ -26,6 +27,15 @@ func Play() *echo.Echo {
 			" err=${error}\n",
 	}))
 
+	if enableSecurity {
+		router.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
+			return func(c echo.Context) error {
+				c.Set("enableSecurity", true)
+				return next(c)
+			}
+		})
+	}
+
 	router.GET("/*", echo.WrapHandler(handleClient()))
 	router.POST("/play", play)
 
@@ -70,6 +80,13 @@ func play(ctx echo.Context) error {
 		return ctx.String(http.StatusInternalServerError, err.Error())
 	}
 
+	if ctx.Get("enableSecurity") == true {
+		if err := checkSecurityRequirements(pdef); err != nil {
+			log.Err(err).Msg("Forbidden request")
+			return ctx.String(http.StatusInternalServerError, err.Error())
+		}
+	}
+
 	config.SingleInput = &input
 	context := NewContext(pdef)
 
@@ -90,6 +107,47 @@ func play(ctx echo.Context) error {
 	return ctx.JSONBlob(http.StatusOK, []byte(result.String()))
 }
 
+func checkSecurityRequirements(pdef model.Definition) error {
+	for _, mask := range pdef.Masking {
+		// usage of command is not allowed with pimo play
+		if len(mask.Mask.Command) > 0 {
+			return fmt.Errorf("Usage of `command` mask is forbidden")
+		}
+
+		// usage of file scheme is not allowed
+		if err := checkUriScheme(mask.Mask.FluxURI); err != nil {
+			return err
+		}
+
+		if err := checkUriScheme(mask.Mask.HashInURI); err != nil {
+			return err
+		}
+
+		if err := checkUriScheme(mask.Mask.Markov.Sample); err != nil {
+			return err
+		}
+
+		if err := checkUriScheme(mask.Mask.RandomChoiceInURI); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func checkUriScheme(uri string) error {
+	u, err := url.Parse(uri)
+	if err != nil {
+		return nil
+	}
+
+	if u.Scheme == "file" {
+		return fmt.Errorf("Usage of `file` scheme is forbidden")
+	}
+
+	return nil
+}
+
 func handleClient() http.Handler {
 	fSys, err := fs.Sub(content, "client")
 	if err != nil {