Snider/Mining
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Mining/miner/proxy/src/base/net/http/HttpApiResponse.cpp
snider 8fb240967a fix: Address 9 security findings from code review (batch 6) 
Security fixes:
- CRIT-012: Add compile-time bounds checking in Job::setBlob()
- CRIT-017: Add header count limit (64 max) to prevent DoS
- HIGH-005: Disable TLSv1.0 and TLSv1.1 (BEAST/POODLE vulnerable)
- HIGH-008: Document signal handler safety (libuv defers to event loop)
- HIGH-011: Fix memory leak in BindHost using String copy constructor
- HIGH-023: Document JSON type safety check in Client::parse()

Quality improvements:
- MED-002: Add security headers (X-Content-Type-Options, X-Frame-Options, CSP)
- MED-007: Add URL length validation (8KB limit)
- MED-009: Reduce self-signed cert validity from 10 years to 1 year

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-31 19:14:24 +00:00

88 lines
2.8 KiB
C++
Raw Blame History

/* XMRig
* Copyright (c) 2014-2019 heapwolf <https://github.com/heapwolf>
* Copyright (c) 2018-2024 SChernykh <https://github.com/SChernykh>
* Copyright (c) 2016-2024 XMRig <https://github.com/xmrig>, <support@xmrig.com>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "base/net/http/HttpApiResponse.h"
#include "3rdparty/rapidjson/prettywriter.h"
#include "3rdparty/rapidjson/stringbuffer.h"
#include "base/net/http/HttpData.h"
namespace xmrig {
static const char *kError = "error";
static const char *kStatus = "status";
} // namespace xmrig
xmrig::HttpApiResponse::HttpApiResponse(uint64_t id) :
HttpResponse(id),
m_doc(rapidjson::kObjectType)
{
}
xmrig::HttpApiResponse::HttpApiResponse(uint64_t id, int status) :
HttpResponse(id),
m_doc(rapidjson::kObjectType)
{
setStatus(status);
}
void xmrig::HttpApiResponse::end()
{
using namespace rapidjson;
// SECURITY: Restrict CORS to localhost only (not wildcard "*")
// This prevents malicious websites from accessing the API
setHeader("Access-Control-Allow-Origin", "http://localhost");
setHeader("Access-Control-Allow-Methods", "GET, PUT, POST, DELETE");
setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type");
// SECURITY FIX (MED-002): Add standard security headers
setHeader("X-Content-Type-Options", "nosniff");
setHeader("X-Frame-Options", "DENY");
setHeader("Content-Security-Policy", "default-src 'none'");
if (statusCode() >= 400) {
if (!m_doc.HasMember(kStatus)) {
m_doc.AddMember(StringRef(kStatus), statusCode(), m_doc.GetAllocator());
}
if (!m_doc.HasMember(kError)) {
m_doc.AddMember(StringRef(kError), StringRef(HttpData::statusName(statusCode())), m_doc.GetAllocator());
}
}
if (m_doc.IsObject() && m_doc.ObjectEmpty()) {
return HttpResponse::end();
}
setHeader(HttpData::kContentType, HttpData::kApplicationJson);
StringBuffer buffer(nullptr, 4096);
PrettyWriter<StringBuffer> writer(buffer);
writer.SetMaxDecimalPlaces(10);
writer.SetFormatOptions(kFormatSingleLineArray);
m_doc.Accept(writer);
HttpResponse::end(buffer.GetString(), buffer.GetSize());
}
Reference in a new issue View git blame Copy permalink