From 8231917c410133ed83ac43b9a17a1494bf686ff0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Carlos=20Requena=20L=C3=B3pez?=
Date: Tue, 1 Jan 2019 20:52:41 +0100
Subject: [PATCH 1/3] fixes #1794, makes the websocket server validate the origin
---
packages/core/parcel-bundler/src/HMRServer.js | 12 +++++------- packages/core/parcel-bundler/src/cli.js | 1 + 2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/packages/core/parcel-bundler/src/HMRServer.js b/packages/core/parcel-bundler/src/HMRServer.js
index 4ce9d7d25bf..8fe7625ff08 100644
--- a/packages/core/parcel-bundler/src/HMRServer.js
+++ b/packages/core/parcel-bundler/src/HMRServer.js
@@ -17,15 +17,13 @@ class HMRServer { } let websocketOptions = { - server: this.server + server: this.server, + verifyClient: (info) => { + const originator = new URL(info.origin); + return options.hmrHostname === originator.hostname; + } }; - if (options.hmrHostname) { - websocketOptions.origin = `${options.https ? 'https' : 'http'}://${ - options.hmrHostname - }`; - } - this.wss = new WebSocket.Server(websocketOptions); this.server.listen(options.hmrPort, resolve); });
diff --git a/packages/core/parcel-bundler/src/cli.js b/packages/core/parcel-bundler/src/cli.js
index 6fd3f2eb098..b00dd50f863 100755
--- a/packages/core/parcel-bundler/src/cli.js
+++ b/packages/core/parcel-bundler/src/cli.js
@@ -214,6 +214,7 @@ async function bundle(main, command) { command.throwErrors = false; command.scopeHoist = command.experimentalScopeHoisting || false; + command.hmrHostname = command.hmrHostname || 'localhost'; const bundler = new Bundler(main, command); command.target = command.target || 'browser';
From c1d187ed63a48519d03143bf2107245114420999 Mon Sep 17 00:00:00 2001
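Review bot: In the HMRServer.js hunk of patch 1/3, `new URL(info.origin)` throws a TypeError when the upgrade request carries no Origin header or a malformed one, and nothing in `verifyClient` catches it. Non-browser clients omit Origin by default (the patch 2/3 message says so about the `ws` test client), so one such request may surface as an unhandled exception in the dev server instead of a refused handshake; an unparsable origin should simply be rejected. The same callback body is carried unchanged into the HMRServer.js hunk of patch 3/3, and the enclosing method starts outside both hunks. The comparison also looks at the hostname only, so scheme and port are not checked (the wss tests in patch 2/3 pass with an `http://` origin), which deserves a comment saying it is intended. If the supported Node versions include releases where `URL` is not a global, the file additionally needs `const {URL} = require('url');`, which the hunk does not show.

```javascript
let websocketOptions = {
  server: this.server,
  verifyClient: info => {
    // Only the hostname is compared; scheme and port are deliberately ignored.
    let originHostname;
    try {
      originHostname = new URL(info.origin).hostname;
    } catch (err) {
      // Missing or malformed Origin header: refuse the handshake.
      return false;
    }
    return originHostname === options.hmrHostname;
  }
};
```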
From: =?UTF-8?q?Carlos=20Requena=20L=C3=B3pez?=
Date: Wed, 2 Jan 2019 01:17:09 +0100
Subject: [PATCH 2/3] adapt some tests for commit fixing #1794 tests use the ws library to establish a websocket connection, and they have an undefined origin by default. This is changed tests have no defined hmrHostname so it was set too.
---
packages/core/integration-tests/test/hmr.js | 61 +++++++++++++------ packages/core/integration-tests/test/utils.js | 5 +- 2 files changed, 48 insertions(+), 18 deletions(-)
diff --git a/packages/core/integration-tests/test/hmr.js b/packages/core/integration-tests/test/hmr.js
index e06276c6e30..3577a7221b9 100644
--- a/packages/core/integration-tests/test/hmr.js
+++ b/packages/core/integration-tests/test/hmr.js
@@ -48,14 +48,17 @@ describe('hmr', function() { b = bundler(path.join(__dirname, '/input/index.js'), { watch: true, - hmr: true + hmr: true, + hmrHostname: 'localhost' }); await b.bundle(); - ws = new WebSocket('ws://localhost:' + b.options.hmrPort); + ws = new WebSocket('ws://localhost:' + b.options.hmrPort, { + origin: 'http://localhost:1234' + }); const buildEnd = nextEvent(b, 'buildEnd'); - await sleep(100); + fs.writeFile( path.join(__dirname, '/input/local.js'), 'exports.a = 5;\nexports.b = 5;'
@@ -79,6 +82,7 @@ describe('hmr', function() { b = bundler(path.join(__dirname, '/input/index.js'), { watch: true, hmr: true, + hmrHostname: 'localhost', target: 'node' }); await b.bundle();
@@ -103,7 +107,9 @@ describe('hmr', function() { }); await b.bundle(); - ws = new WebSocket('ws://localhost:' + b.options.hmrPort); + ws = new WebSocket('ws://localhost:' + b.options.hmrPort, { + origin: 'http://localhost:1234' + }); const buildEnd = nextEvent(b, 'buildEnd');
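Review bot: None of the hmr.js hunks in patch 2/3 tests the behaviour the series introduces: every changed connection sends an origin whose hostname matches `hmrHostname`, so a `verifyClient` that accepted everything would still pass. Add one case that connects with a non-matching origin (for example `origin: 'http://other.invalid'`, a constructed value) and one that sends no origin at all, and assert the refusal with `await nextEvent(ws, 'error');` rather than waiting for a message. This applies to every hunk of this file, including those on the following lines of the patch; the test bodies start and end outside the hunks. Separately, the first hunk drops `await sleep(100);` before the `fs.writeFile` call, which is unrelated to origin checking; if that wait gave the socket time to open before the rebuild, the test may now race, so keep it or await the socket's `open` event instead.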
@@ -130,11 +136,14 @@ describe('hmr', function() { b = bundler(path.join(__dirname, '/input/index.js'), { watch: true, - hmr: true + hmr: true, + hmrHostname: 'localhost' }); await b.bundle(); - ws = new WebSocket('ws://localhost:' + b.options.hmrPort); + ws = new WebSocket('ws://localhost:' + b.options.hmrPort, { + origin: 'http://localhost:1234' + }); const buildEnd = nextEvent(b, 'buildEnd');
@@ -159,11 +168,14 @@ describe('hmr', function() { b = bundler(path.join(__dirname, '/input/index.js'), { watch: true, - hmr: true + hmr: true, + hmrHostname: 'localhost' }); await b.bundle(); - ws = new WebSocket('ws://localhost:' + b.options.hmrPort); + ws = new WebSocket('ws://localhost:' + b.options.hmrPort, { + origin: 'http://localhost:1234' + }); const buildEnd = nextEvent(b, 'buildEnd');
@@ -198,7 +210,8 @@ describe('hmr', function() { b = bundler(path.join(__dirname, '/input/index.js'), { watch: true, - hmr: true + hmr: true, + hmrHostname: 'localhost' }); await b.bundle();
@@ -210,7 +223,9 @@ describe('hmr', function() { await nextEvent(b, 'buildEnd'); await sleep(50); - ws = new WebSocket('ws://localhost:' + b.options.hmrPort); + ws = new WebSocket('ws://localhost:' + b.options.hmrPort, { + origin: 'http://localhost:1234' + }); let msg = JSON.parse(await nextEvent(ws, 'message')); assert.equal(msg.type, 'error'); });
@@ -223,11 +238,14 @@ describe('hmr', function() { b = bundler(path.join(__dirname, '/input/index.js'), { watch: true, - hmr: true + hmr: true, + hmrHostname: 'localhost' }); await b.bundle(); - ws = new WebSocket('ws://localhost:' + b.options.hmrPort); + ws = new WebSocket('ws://localhost:' + b.options.hmrPort, { + origin: 'http://localhost:1234' + }); const firstBuildEnd = nextEvent(b, 'buildEnd');
@@ -264,7 +282,8 @@ describe('hmr', function() { b = bundler(path.join(__dirname, '/input/index.js'), { watch: true, - hmr: true + hmr: true, + hmrHostname: 'localhost' }); let bundle = await b.bundle(); let outputs = [];
@@ -295,7 +314,8 @@ describe('hmr', function() { b = bundler(path.join(__dirname, '/input/index.js'), { watch: true, - hmr: true + hmr: true, + hmrHostname: 'localhost' }); let bundle = await b.bundle(); let outputs = [];
@@ -336,7 +356,8 @@ describe('hmr', function() { b = bundler(path.join(__dirname, '/input/index.js'), { watch: true, - hmr: true + hmr: true, + hmrHostname: 'localhost' }); let bundle = await b.bundle(); let outputs = [];
@@ -369,7 +390,8 @@ describe('hmr', function() { b = bundler(path.join(__dirname, '/input/index.js'), { watch: true, - hmr: true + hmr: true, + hmrHostname: 'localhost' }); let bundle = await b.bundle();
@@ -410,7 +432,8 @@ describe('hmr', function() { b = bundler(path.join(__dirname, '/input/index.js'), { watch: true, - hmr: true + hmr: true, + hmrHostname: 'localhost' }); let bundle = await b.bundle();
@@ -468,11 +491,13 @@ describe('hmr', function() { b = bundler(path.join(__dirname, '/input/index.js'), { watch: true, hmr: true, + hmrHostname: 'localhost', https: true }); await b.bundle(); ws = new WebSocket('wss://localhost:' + b.options.hmrPort, { + origin: 'http://localhost:1234', rejectUnauthorized: false });
@@ -502,6 +527,7 @@ describe('hmr', function() { b = bundler(path.join(__dirname, '/input/index.js'), { watch: true, hmr: true, + hmrHostname: 'localhost', https: { key: path.join(__dirname, '/integration/https/private.pem'), cert: path.join(__dirname, '/integration/https/primary.crt')
@@ -510,6 +536,7 @@ describe('hmr', function() { await b.bundle(); ws = new WebSocket('wss://localhost:' + b.options.hmrPort, { + origin: 'http://localhost:1234', rejectUnauthorized: false });
diff --git a/packages/core/integration-tests/test/utils.js b/packages/core/integration-tests/test/utils.js
index e2f78fd517a..4959d7f4b0b 100644
--- a/packages/core/integration-tests/test/utils.js
+++ b/packages/core/integration-tests/test/utils.js
@@ -112,7 +112,10 @@ function prepareBrowserContext(bundle, globals) { document: fakeDocument, WebSocket, console, - location: {hostname: 'localhost'}, + location: { + hostname: 'localhost', + origin: 'http://localhost:1234' + }, fetch(url) { return Promise.resolve({ arrayBuffer() {
From 84112542b9288d01d7dbf6cff94ce9c162fc35a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Carlos=20Requena=20L=C3=B3pez?=
Date: Thu, 3 Jan 2019 13:44:38 +0100
Subject: [PATCH 3/3] no more breaking changes for #2494
---
packages/core/parcel-bundler/src/HMRServer.js | 11 +++++++---- packages/core/parcel-bundler/src/cli.js | 1 - 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/packages/core/parcel-bundler/src/HMRServer.js b/packages/core/parcel-bundler/src/HMRServer.js
index 8fe7625ff08..a8b1281ee31 100644
--- a/packages/core/parcel-bundler/src/HMRServer.js
+++ b/packages/core/parcel-bundler/src/HMRServer.js
@@ -17,12 +17,15 @@ class HMRServer { } let websocketOptions = { - server: this.server, - verifyClient: (info) => { + server: this.server + }; + + if (options.hmrHostname) { + websocketOptions.verifyClient = info => { const originator = new URL(info.origin); return options.hmrHostname === originator.hostname; - } - }; + }; + } this.wss = new WebSocket.Server(websocketOptions); this.server.listen(options.hmrPort, resolve);
diff --git a/packages/core/parcel-bundler/src/cli.js b/packages/core/parcel-bundler/src/cli.js
index b00dd50f863..6fd3f2eb098 100755
--- a/packages/core/parcel-bundler/src/cli.js
+++ b/packages/core/parcel-bundler/src/cli.js
@@ -214,7 +214,6 @@ async function bundle(main, command) { command.throwErrors = false; command.scopeHoist = command.experimentalScopeHoisting || false; - command.hmrHostname = command.hmrHostname || 'localhost'; const bundler = new Bundler(main, command); command.target = command.target || 'browser';
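Review bot: In the HMRServer.js hunk of patch 3/3, `verifyClient` is installed only when `options.hmrHostname` is truthy, and the cli.js hunk of the same patch removes the `'localhost'` default, so a default run accepts WebSocket upgrades from any origin (the enclosing method starts outside the hunk). Browsers do not apply the same-origin policy to WebSocket handshakes, so without the check any page open in the developer's browser can connect to the HMR port and receive what the server broadcasts; the fix for #1794 becomes opt-in. If a fixed default is too breaking, the unset case could fall back to comparing the origin hostname with the hostname part of the request's own Host header, read from `info.req.headers.host`, which keeps IP and LAN access working. That fallback does not cover DNS rebinding, so the option's documentation should say that only an explicit `hmrHostname` gives the strict check. A refused handshake should also be logged, since a developer whose page hostname differs from the configured one otherwise sees HMR fail silently.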