block cross-site requests

Jeff Raymakers
2025-03-08 13:37:04 -08:00
parent 23ca391ef2
commit bc60637266


@@ -195,6 +195,12 @@ void HttpServer::HandleGetLocalEvents(const httplib::Request &req,
void HttpServer::HandleGetLocalToken(const httplib::Request &req,
httplib::Response &res) {
auto sec_fetch_site = req.get_header_value("Sec-Fetch-Site");
if (sec_fetch_site == "cross-site") {
res.status = 401;
return;
}
auto db = ddb_instance.lock();
if (!db) {
res.status = 500;
@@ -254,6 +260,12 @@ void HttpServer::HandleGet(const httplib::Request &req,
void HttpServer::HandleInterrupt(const httplib::Request &req,
httplib::Response &res) {
auto sec_fetch_site = req.get_header_value("Sec-Fetch-Site");
if (sec_fetch_site == "cross-site") {
res.status = 401;
return;
}
auto description = req.get_header_value("X-DuckDB-UI-Request-Description");
auto connection_name = req.get_header_value("X-DuckDB-UI-Connection-Name");
@@ -288,6 +300,12 @@ void HttpServer::HandleRun(const httplib::Request &req, httplib::Response &res,
void HttpServer::DoHandleRun(const httplib::Request &req,
httplib::Response &res,
const httplib::ContentReader &content_reader) {
auto sec_fetch_site = req.get_header_value("Sec-Fetch-Site");
if (sec_fetch_site == "cross-site") {
res.status = 401;
return;
}
auto description = req.get_header_value("X-DuckDB-UI-Request-Description");
auto connection_name = req.get_header_value("X-DuckDB-UI-Connection-Name");
@@ -404,6 +422,12 @@ void HttpServer::DoHandleRun(const httplib::Request &req,
void HttpServer::HandleTokenize(const httplib::Request &req,
httplib::Response &res,
const httplib::ContentReader &content_reader) {
auto sec_fetch_site = req.get_header_value("Sec-Fetch-Site");
if (sec_fetch_site == "cross-site") {
res.status = 401;
return;
}
auto description = req.get_header_value("X-DuckDB-UI-Request-Description");
std::string content = ReadContent(content_reader);
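Review bot: The guard added at the top of HandleGetLocalToken (and repeated in HandleInterrupt, DoHandleRun and HandleTokenize) is a deny-list on the single value `cross-site`, so it fails open for everything else. A request the browser labels `same-site` passes, for example one from a page on another port of the same host, and so does a request with no Sec-Fetch-Site header at all, since get_header_value then returns an empty string. If the UI only ever calls these endpoints from its own origin (not visible in these hunks), an allow-list is tighter: `if (!sec_fetch_site.empty() && sec_fetch_site != "same-origin" && sec_fetch_site != "none") { res.status = 403; return; }`, with 403 rather than 401 because no credentials are being requested. Whether to keep accepting the empty value depends on whether non-browser clients need these endpoints. A small shared helper would keep the four copies from drifting apart; each handler body continues outside its hunk.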