freenet 0.2.53

Freenet core software
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184

use axum::{
    Extension, Router,
    extract::{Path, RawQuery},
    response::IntoResponse,
    routing::get,
};

use super::*;

/// Registers V1-specific HTTP client API routes.
pub(super) fn routes(config: Config) -> Router {
    Router::new()
        .route("/v1", get(home))
        // No-trailing-slash redirect to the canonical contract root URL.
        // Without this, pasting `/v1/contract/web/<key>` (no slash)
        // into the address bar 404s — common HTTP UX is to either
        // accept both forms or redirect, so we 308 to the canonical
        // form. 308 (Permanent Redirect) preserves the request method
        // and is the modern equivalent of 301 for GETs.
        // (freenet/freenet-core#4019)
        .route("/v1/contract/web/{key}", get(web_root_redirect_v1))
        .route("/v1/contract/web/{key}/", get(web_home_v1))
        .route("/v1/contract/web/{key}/{*path}", get(web_subpages_v1))
        .with_state(config)
}

async fn web_home_v1(
    key: Path<String>,
    rs: Extension<HttpClientApiRequest>,
    config: axum::extract::State<Config>,
    headers: axum::http::HeaderMap,
    axum::extract::RawQuery(query): axum::extract::RawQuery,
) -> Result<axum::response::Response, WebSocketApiError> {
    web_home(key, rs, config, headers, ApiVersion::V1, query).await
}

async fn web_subpages_v1(
    Path((key, last_path)): Path<(String, String)>,
    axum::extract::RawQuery(query): axum::extract::RawQuery,
    headers: axum::http::HeaderMap,
    Extension(rs): Extension<HttpClientApiRequest>,
) -> Result<axum::response::Response, WebSocketApiError> {
    web_subpages(key, last_path, ApiVersion::V1, query, headers, rs).await
}

/// Redirect `/v1/contract/web/{key}` (no trailing slash) to
/// `/v1/contract/web/{key}/` (with trailing slash, the canonical form
/// the rest of the routing already understands).
///
/// Routes the redirect target through `build_canonical_shell_url` so
/// the same key validation (CRLF / path-traversal rejection) and
/// sensitive-query-param filter (`__sandbox`, `authToken`) that
/// `redirect_to_shell_root` applies are also applied here. Returning
/// a 308 (instead of 303 like the cross-contract subpage redirect)
/// preserves the request method and lets the browser cache the
/// redirect — the address bar lands on the canonical URL on
/// subsequent visits.
async fn web_root_redirect_v1(
    Path(key): Path<String>,
    RawQuery(query): RawQuery,
) -> Result<axum::response::Response, WebSocketApiError> {
    let canonical = build_canonical_shell_url(&key, ApiVersion::V1, query.as_deref())?;
    Ok(axum::response::Redirect::permanent(&canonical).into_response())
}

#[cfg(test)]
mod tests {
    use super::*;
    use axum::http::{StatusCode, header::LOCATION};

    fn valid_key() -> &'static str {
        "EqJ5YpEEV3XLqEvKWLQHFhGAac2qXzSUoE6k2zbdnXBr"
    }

    /// Regression test for freenet/freenet-core#4019.
    ///
    /// Pasting `/v1/contract/web/<key>` (no trailing slash) into a browser
    /// used to 404. Now the no-slash form 308s to the canonical
    /// trailing-slash form. 308 preserves the request method and lets
    /// the browser cache the redirect.
    #[tokio::test]
    async fn no_trailing_slash_redirects_to_canonical_root_v1() {
        let response = web_root_redirect_v1(Path(valid_key().to_string()), RawQuery(None))
            .await
            .unwrap();

        assert_eq!(response.status(), StatusCode::PERMANENT_REDIRECT);
        let location = response
            .headers()
            .get(LOCATION)
            .expect("redirect must set Location")
            .to_str()
            .unwrap();
        assert_eq!(
            location,
            format!("/v1/contract/web/{}/", valid_key()),
            "Location must be the canonical trailing-slash form"
        );
    }

    /// Regression test for the H1 review finding on PR #4020. The
    /// no-slash redirect MUST forward the original query string —
    /// pasting `/v1/contract/web/<key>?invite=abc` is exactly the
    /// flow River invite links produce, and dropping `?invite=abc`
    /// silently breaks them.
    #[tokio::test]
    async fn no_trailing_slash_redirect_preserves_query_string_v1() {
        let response = web_root_redirect_v1(
            Path(valid_key().to_string()),
            RawQuery(Some("invite=abc&room=42".into())),
        )
        .await
        .unwrap();

        let location = response
            .headers()
            .get(LOCATION)
            .expect("redirect must set Location")
            .to_str()
            .unwrap();
        assert_eq!(
            location,
            format!("/v1/contract/web/{}/?invite=abc&room=42", valid_key()),
            "query string must be carried through the redirect so \
             `?invite=…` no-slash links keep working"
        );
    }

    /// Regression test for the M1 review finding. The same
    /// `__sandbox` / `authToken` filter `redirect_to_shell_root`
    /// applies must apply here too — otherwise `/v1/contract/web/<key>?
    /// authToken=attacker` becomes a 308 to a URL that injects an
    /// attacker-chosen token into the destination shell.
    #[tokio::test]
    async fn no_trailing_slash_redirect_strips_sensitive_query_params_v1() {
        let response = web_root_redirect_v1(
            Path(valid_key().to_string()),
            RawQuery(Some("authToken=evil&invite=ok&__sandbox=1".into())),
        )
        .await
        .unwrap();

        let location = response.headers().get(LOCATION).unwrap().to_str().unwrap();
        assert!(
            location.contains("invite=ok"),
            "non-sensitive query params must survive: {location}"
        );
        assert!(
            !location.contains("authToken"),
            "authToken must be stripped: {location}"
        );
        assert!(
            !location.contains("__sandbox"),
            "__sandbox must be stripped: {location}"
        );
    }

    /// Regression test for the H2 review finding. The path parameter
    /// must be validated before being interpolated into a `Location`
    /// header. `redirect_to_shell_root` already does this on the
    /// sibling redirect; the no-slash redirect must too — without it,
    /// CRLF in `key` could inject arbitrary headers, and a
    /// path-traversal-style key would point the redirect at an
    /// attacker-chosen URL.
    #[tokio::test]
    async fn no_trailing_slash_redirect_rejects_invalid_key_v1() {
        // CRLF-bearing key — the header-injection case.
        assert!(matches!(
            web_root_redirect_v1(Path("AAAA\r\nInjected: x".into()), RawQuery(None)).await,
            Err(WebSocketApiError::InvalidParam { .. })
        ));
        // Obvious garbage.
        assert!(matches!(
            web_root_redirect_v1(Path("not-a-real-contract-key".into()), RawQuery(None)).await,
            Err(WebSocketApiError::InvalidParam { .. })
        ));
        // Empty string (axum would normally reject this at routing
        // time, but defend against an internal caller too).
        assert!(matches!(
            web_root_redirect_v1(Path(String::new()), RawQuery(None)).await,
            Err(WebSocketApiError::InvalidParam { .. })
        ));
    }
}