eric/duckdb-ui
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #16 from duckdb/jray/block-cross-site-requests

Browse Source 
block cross-site requests
This commit is contained in:
Jeff Raymakers
2025-03-08 14:30:27 -08:00
committed by GitHub
parent 23ca391ef2 bc60637266
commit 62f9a73a57
1 changed files with 24 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
src/http_server.cpp
View File

@@ -195,6 +195,12 @@ void HttpServer::HandleGetLocalEvents(const httplib::Request &req,
void HttpServer::HandleGetLocalToken(const httplib::Request &req, void HttpServer::HandleGetLocalToken(const httplib::Request &req,
httplib::Response &res) { httplib::Response &res) {
auto sec_fetch_site = req.get_header_value("Sec-Fetch-Site");
if (sec_fetch_site == "cross-site") {
res.status = 401;
return;
}
auto db = ddb_instance.lock(); auto db = ddb_instance.lock();
if (!db) { if (!db) {
res.status = 500; res.status = 500;
@@ -254,6 +260,12 @@ void HttpServer::HandleGet(const httplib::Request &req,
void HttpServer::HandleInterrupt(const httplib::Request &req, void HttpServer::HandleInterrupt(const httplib::Request &req,
httplib::Response &res) { httplib::Response &res) {
auto sec_fetch_site = req.get_header_value("Sec-Fetch-Site");
if (sec_fetch_site == "cross-site") {
res.status = 401;
return;
}
auto description = req.get_header_value("X-DuckDB-UI-Request-Description"); auto description = req.get_header_value("X-DuckDB-UI-Request-Description");
auto connection_name = req.get_header_value("X-DuckDB-UI-Connection-Name"); auto connection_name = req.get_header_value("X-DuckDB-UI-Connection-Name");
@@ -288,6 +300,12 @@ void HttpServer::HandleRun(const httplib::Request &req, httplib::Response &res,
void HttpServer::DoHandleRun(const httplib::Request &req, void HttpServer::DoHandleRun(const httplib::Request &req,
httplib::Response &res, httplib::Response &res,
const httplib::ContentReader &content_reader) { const httplib::ContentReader &content_reader) {
auto sec_fetch_site = req.get_header_value("Sec-Fetch-Site");
if (sec_fetch_site == "cross-site") {
res.status = 401;
return;
}
auto description = req.get_header_value("X-DuckDB-UI-Request-Description"); auto description = req.get_header_value("X-DuckDB-UI-Request-Description");
auto connection_name = req.get_header_value("X-DuckDB-UI-Connection-Name"); auto connection_name = req.get_header_value("X-DuckDB-UI-Connection-Name");
@@ -404,6 +422,12 @@ void HttpServer::DoHandleRun(const httplib::Request &req,
void HttpServer::HandleTokenize(const httplib::Request &req, void HttpServer::HandleTokenize(const httplib::Request &req,
httplib::Response &res, httplib::Response &res,
const httplib::ContentReader &content_reader) { const httplib::ContentReader &content_reader) {
auto sec_fetch_site = req.get_header_value("Sec-Fetch-Site");
if (sec_fetch_site == "cross-site") {
res.status = 401;
return;
}
auto description = req.get_header_value("X-DuckDB-UI-Request-Description"); auto description = req.get_header_value("X-DuckDB-UI-Request-Description");
std::string content = ReadContent(content_reader); std::string content = ReadContent(content_reader);