[tor-commits] [pluggable-transports/snowflake] 13/31: Add Relay URL Check in Snowflake Proxy
This is an automated email from the git hooks/post-receive script.
shelikhoo pushed a commit to branch main
in repository pluggable-transports/snowflake.
commit b09a2e09b3e8abadac5f5b96662864eec4ebd597
Author: Shelikhoo <xiaokangwang@xxxxxxxxxxx>
AuthorDate: Wed Apr 13 16:20:52 2022 +0100
Add Relay URL Check in Snowflake Proxy
---
proxy/lib/snowflake.go | 9 ++++++++-
proxy/main.go | 5 +++++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/proxy/lib/snowflake.go b/proxy/lib/snowflake.go
index 7e06c0f..7dbc976 100644
--- a/proxy/lib/snowflake.go
+++ b/proxy/lib/snowflake.go
@@ -119,6 +119,7 @@ type SnowflakeProxy struct {
// There is no look ahead assertion when matching domain name suffix,
// thus the string prepend the suffix does not need to be empty or ends with a dot.
RelayDomainNamePattern string
+ AllowNonTLSRelay bool
// NATProbeURL is the URL of the probe service we use for NAT checks
NATProbeURL string
// NATTypeMeasurementInterval is time before NAT type is retested
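Review bot: The new `AllowNonTLSRelay` field has no doc comment, and it sits directly under the comment block written for `RelayDomainNamePattern`, so a reader can take the suffix-matching text as describing it. Add a comment above it such as `// AllowNonTLSRelay, when false, makes runSession reject broker-supplied relay URLs whose scheme is not "wss".` The struct definition begins and ends outside this hunk.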
@@ -496,7 +497,13 @@ func (sf *SnowflakeProxy) runSession(sid string) {
return
}
matcher := namematcher.NewNameMatcher(sf.RelayDomainNamePattern)
- if relayURL != "" && !matcher.IsMember(relayURL) {
+ parsedRelayURL, err := url.Parse(relayURL)
+ if err != nil {
+ log.Printf("bad offer from broker: bad Relay URL %v", err.Error())
+ tokens.ret()
+ return
+ }
+ if relayURL != "" && (!matcher.IsMember(parsedRelayURL.Hostname()) || (!sf.AllowNonTLSRelay && parsedRelayURL.Scheme != "wss")) {
log.Printf("bad offer from broker: rejected Relay URL")
tokens.ret()
return
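Review bot: When `sf.AllowNonTLSRelay` is true the condition accepts any scheme at all, because the scheme is compared only when the flag is false; the option name suggests widening the allowlist from `wss` to `ws`, not switching scheme validation off. Consider `schemeOK := parsedRelayURL.Scheme == "wss" || (sf.AllowNonTLSRelay && parsedRelayURL.Scheme == "ws")` followed by `if relayURL != "" && (!matcher.IsMember(parsedRelayURL.Hostname()) || !schemeOK) {`. `Hostname()` also drops the port, so the pattern does not constrain which port on an allowed host the proxy will dial; if that is intended it deserves a comment. runSession begins and ends outside the hunk, so what happens to an empty relayURL after this check is not visible here.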
diff --git a/proxy/main.go b/proxy/main.go
index 7d025ea..305d0b0 100644
--- a/proxy/main.go
+++ b/proxy/main.go
@@ -21,6 +21,8 @@ func main() {
unsafeLogging := flag.Bool("unsafe-logging", false, "prevent logs from being scrubbed")
keepLocalAddresses := flag.Bool("keep-local-addresses", false, "keep local LAN address ICE candidates")
relayURL := flag.String("relay", sf.DefaultRelayURL, "websocket relay URL")
+ allowedRelayHostNamePattern := flag.String("allowed-relay-hostname-pattern", "", "a pattern to specify allowed hostname pattern for relay URL.")
+ allowNonTLSRelay := flag.Bool("allow-non-tls-relay", false, "allow relay without tls encryption")
NATTypeMeasurementInterval := flag.Duration("nat-retest-interval", time.Hour*24,
"the time interval in second before NAT type is retested, 0s disables retest. Valid time units are \"s\", \"m\", \"h\". ")
SummaryInterval := flag.Duration("summary-interval", time.Hour,
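Review bot: `allowed-relay-hostname-pattern` defaults to the empty string, and nothing on this page shows what `namematcher.NewNameMatcher("")` matches. If an empty pattern matches every hostname (plausible given the suffix-matching comment in proxy/lib/snowflake.go, but to be confirmed), the new hostname check does nothing unless the operator sets the flag. Either default the flag to a pattern covering the host of `sf.DefaultRelayURL` or state the empty-pattern behaviour in the help string. The help text also gives no hint of the pattern syntax; wording like `"hostname pattern that a broker-supplied relay URL must match (see RelayDomainNamePattern)"` would be clearer. The value is wired into the struct literal in the next hunk, and main's body continues outside both hunks.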
@@ -40,6 +42,9 @@ func main() {
NATTypeMeasurementInterval: *NATTypeMeasurementInterval,
EventDispatcher: eventLogger,
+
+ RelayDomainNamePattern: *allowedRelayHostNamePattern,
+ AllowNonTLSRelay: *allowNonTLSRelay,
}
var logOutput io.Writer = os.Stderr
--