HTTPS API endpoint is downgraded to HTTP #652

Closed
yvt opened this issue Jan 7, 2019 · 2 comments · Fixed by #654
Labels
kind/bug A bug in existing code (including security flaws)


@yvt
Contributor

yvt commented Jan 7, 2019

The protocol part of the endpoint URL is always ignored and assumed to be http.

For example, if you specify https://www.example.com, all requests are actually sent to http://www.example.com. Although this usage scenario is very uncommon, this can unintentionally open possibilities for information leakage and MITM attacks.

@yvt
Contributor Author

yvt commented Jan 7, 2019

I think, perhaps, this is the cause...? (Look closely at the spelling of protocol)

https://github.com/ipfs-shipyard/ipfs-companion/blob/17fa4e56f33e815469829193d910a00da66d34e1/add-on/src/lib/ipfs-client/external.js#L10

Here's the dump of the config object I managed to retrieve from the parameter of requestAPI:

{
  "api-path":"/api/v0/",
  "user-agent":"/node-ipfs-api/26.1.2/",
  "host":"[redacted]",
  "port":"",
  "protocol":"http",
  "procotol":"https:"
}
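The failure mode in the dump above, reproduced as an added example that is not part of the original issue or the project's code: a misspelled option key is carried along silently while the default `protocol` stays in effect, and two small checks catch it before any request is sent. All function names here are hypothetical, and `effectiveConfig` is only a stand-in for a client that merges caller options over defaults.

```javascript
// Added illustration; every name below is hypothetical, not ipfs-companion or ipfs-http-client code.
const KNOWN_KEYS = new Set(['api-path', 'user-agent', 'host', 'port', 'protocol']);
const DEFAULTS = { 'api-path': '/api/v0/', protocol: 'http' };

// Stand-in for a client that fills in defaults and keeps unknown keys untouched.
function effectiveConfig(options) {
  return { ...DEFAULTS, ...options };
}

// Build options from the user-supplied endpoint URL; keyName lets us replay the typo.
function optionsFromUrl(apiUrl, keyName = 'protocol') {
  const url = new URL(apiUrl);
  return { host: url.hostname, port: url.port, [keyName]: url.protocol };
}

// Keys the client does not recognise: a misspelled option shows up here.
function unknownKeys(config) {
  return Object.keys(config).filter((key) => !KNOWN_KEYS.has(key));
}

// Refuse to proceed when the URL asked for https but the effective config is not https.
// Scheme names are compared with any trailing colon removed.
function assertNoDowngrade(apiUrl, config) {
  const wanted = new URL(apiUrl).protocol.replace(/:$/, '');
  const actual = String(config.protocol).replace(/:$/, '');
  if (wanted === 'https' && actual !== 'https') {
    throw new Error(`endpoint ${apiUrl} would be contacted over ${actual}`);
  }
  return actual;
}

// Constructed sample input, using the example host from the issue text.
const ENDPOINT = 'https://www.example.com';
const typoConfig = effectiveConfig(optionsFromUrl(ENDPOINT, 'procotol'));
const goodConfig = effectiveConfig(optionsFromUrl(ENDPOINT));

console.log('unknown keys with typo:', unknownKeys(typoConfig));
try {
  assertNoDowngrade(ENDPOINT, typoConfig);
} catch (err) {
  console.log('blocked:', err.message);
}
console.log('correct key, effective scheme:', assertNoDowngrade(ENDPOINT, goodConfig));
```

Running a check like `assertNoDowngrade` in a unit test over the options object, rather than over the input URL, is what would have flagged this bug, since the URL itself was parsed correctly.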

@yvt yvt changed the title from "Can't use a HTTPS API endpoint" to "HTTPS API endpoint is downgraded to HTTP" Jan 7, 2019
@lidel lidel added the kind/bug A bug in existing code (including security flaws) label Jan 7, 2019
@lidel
Member

lidel commented Jan 7, 2019

@yvt wow that is a sneaky typo, great catch!
Mind creating a pull request with a fix? :)

@lidel lidel added the status/ready Ready to be worked label Jan 7, 2019
yvt added a commit to yvt/ipfs-companion that referenced this issue Jan 8, 2019
This commit fixes the issue that a protocol name (http or https) is not passed
to `ipfs-http-client` as intended.

Closes ipfs#652
@lidel lidel closed this as completed in #654 Jan 8, 2019
lidel pushed a commit that referenced this issue Jan 8, 2019
This commit fixes the issue that a protocol name (http or https) is not passed to `ipfs-http-client` as intended.

Closes #652
@ghost ghost removed the status/ready Ready to be worked label Jan 8, 2019