Skip to content

[Security] Improve handling of address bar display for IPFS and IPNS #13872

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
bbondy opened this issue Feb 1, 2021 · 3 comments · Fixed by brave/brave-core#7785
Closed

[Security] Improve handling of address bar display for IPFS and IPNS #13872

bbondy opened this issue Feb 1, 2021 · 3 comments · Fixed by brave/brave-core#7785
Assignees
@spylogsster
Labels
feature/web3/ipfs OS/Desktop priority/P2 A bad problem. We might uplift this to the next planned release. QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-All-Platforms QA/Yes release-notes/include security
Milestone
1.22.x - Release

Comments

@bbondy
Copy link
Member

bbondy commented Feb 1, 2021

Currently http://test.com.ipns.localhost:8000 shows in the address address bar as ipns://test.com.
However test.com is neither a valid CID nor a DNSLink resolution.

There's also a problem that people that run their own local node, want to retain ipfs:// in their URL bar, but they can't set it as the default gateway.

Currently, we only update the address bar to retain ipfs:// and ipns:// when the user is using the configured Brave node and it is localhost.

We should change this to only keep ipfs:// and ipns:// when the address being loaded when:
i) Using the Brave node and the port matches the Brave node's port.
ii) Using the public node and the port matches the public node, and it is localhost. (Currently we don't do this, so this is new)

This means that something that is not running a gateway that is configured in Brave will not retain ipfs:// anymore like it does with an example local server like http://test.com.ipns.localhost:8000

Test cases:

Test case 1: Non configured localhost should never show as IPFS

  1. Create an entry in your hosts file pointing to 127.0.0.1 for test.com.ipns.localhost
  2. Load http://test.com.ipns.localhost:8000, it should retain that address

Test case 2: Public gateway

  1. Install IPFS Desktop and it should be started on port 8080
  2. Load http://127.0.0.1:8080/ipfs/QmV4FVfWRG4hJJKUsS1aU9MK85HYFJtuCmYAj8HetS8qMS. It should load the content but retain the https://dweb.link/ipfs/QmV4FVfWRG4hJJKUsS1aU9MK85HYFJtuCmYAj8HetS8qMS URL in the address bar.
  3. Set your public gateway to http://127.0.0.1:8080 in settings. And also set Brave to use this public gateway when resolving IPFS URIs.
  4. Load https://dweb.link/ipfs/QmV4FVfWRG4hJJKUsS1aU9MK85HYFJtuCmYAj8HetS8qMS. It should update to an ipfs:// URI.

Test case 3:

  1. Set Brave to use the local node
  2. Load ipns://brantly.eth
  3. It should retain ipns://brantly.eth in the address bar.
  4. Load http://brantly.eth.ipns.localhost:48081/
  5. It should retain ipns://brantly.eth in the address bar.
@bbondy bbondy added security priority/P2 A bad problem. We might uplift this to the next planned release. OS/Desktop labels Feb 1, 2021
This was referenced Feb 1, 2021
Closed
Closed
@diracdeltas diracdeltas mentioned this issue Feb 1, 2021
Closed
@bbondy bbondy mentioned this issue Feb 1, 2021
Closed
@spylogsster spylogsster self-assigned this Feb 2, 2021
@spylogsster spylogsster mentioned this issue Feb 2, 2021
Merged
23 tasks
@lidel
Copy link

lidel commented Feb 3, 2021

Two nits regarding "Test case 2"

  • When user enters custom public gateway Brave should always replace raw IP (127.0.0.1) with localhost, as that enables subdomains and origin isolation. Raw IP can't have subdomains and all content roots share the same origin, which we don't want in browser.
  • Did you mean: 
    - retain the https://dweb.link/ipfs/QmV4FVfWRG4hJJKUsS1aU9MK85HYFJtuCmYAj8HetS8qMS URL in the address bar
+ retain the https://localhost:8080/ipfs/QmV4FVfWRG4hJJKUsS1aU9MK85HYFJtuCmYAj8HetS8qMS URL in the address bar
    ?
    (spoofing address of public Origin looks like a bug)

@lidel lidel mentioned this issue Feb 3, 2021
Closed
@bbondy bbondy added this to the 1.22.x - Nightly milestone Feb 7, 2021
@stephendonner stephendonner added the QA/In-Progress Indicates that QA is currently in progress for that particular issue label Mar 4, 2021
@stephendonner stephendonner mentioned this issue Mar 5, 2021
Closed
@stephendonner stephendonner removed the QA/In-Progress Indicates that QA is currently in progress for that particular issue label Mar 5, 2021
@stephendonner
Copy link

stephendonner commented Mar 5, 2021
edited by GeetaSarvadnya
Loading

Verified FIXED on beta using

Brave 1.22.51 Chromium: 89.0.4389.72 (Official Build) beta (x86_64)
Revision 3f345f156bfd157bd1bea06310e55f3fb2490359-refs/branch-heads/4389@{#1393}
OS macOS Version 11.2.2 (Build 20D80)

Verified the inline testcases, and filed #14499 about the IPFS URI (localhost vs 127.0.0.1) mismatch.

Test case 1: Non configured localhost should never show as IPFS

  1. Create an entry in your hosts file pointing to 127.0.0.1 for test.com.ipns.localhost
  2. Load http://test.com.ipns.localhost:8000, it should retain that address

Screen Shot 2021-03-03 at 3 50 38 PM

Test case 2: Public gateway

  1. Install IPFS Desktop and it should be started on port 8080
  2. Load http://127.0.0.1:8080/ipfs/QmV4FVfWRG4hJJKUsS1aU9MK85HYFJtuCmYAj8HetS8qMS. It should load the content but retain the https://dweb.link/ipfs/QmV4FVfWRG4hJJKUsS1aU9MK85HYFJtuCmYAj8HetS8qMS URL in the address bar.
  3. Set your public gateway to http://127.0.0.1:8080 in settings. And also set Brave to use this public gateway when resolving IPFS URIs.
  4. Load https://dweb.link/ipfs/QmV4FVfWRG4hJJKUsS1aU9MK85HYFJtuCmYAj8HetS8qMS. It should update to an ipfs:// URI.

Screen Shot 2021-03-04 at 11 26 50 AM

Screen Shot 2021-03-04 at 11 49 48 AM

Screen Shot 2021-03-04 at 11 49 52 AM

Test case 3:

  1. Set Brave to use the local node
  2. Load ipns://brantly.eth
  3. It should retain ipns://brantly.eth in the address bar.
  4. Load http://brantly.eth.ipns.localhost:48081/ (NOTE: I had to change this to be port 48083 to match)
  5. It should retain ipns://brantly.eth in the address bar.

ipns-host

Verification passed on

Brave 1.22.53 Chromium: 89.0.4389.72 (Official Build) beta (64-bit)
Revision 3f345f156bfd157bd1bea06310e55f3fb2490359-refs/branch-heads/4389@{#1393}
OS Ubuntu 18.04 LTS

Verified test plan from the description #14499 about the IPFS URI (localhost vs 127.0.0.1) mismatch.

Test case 1: Non configured localhost should never show as IPFS

  1. Create an entry in your hosts file pointing to 127.0.0.1 for test.com.ipns.localhost
  2. Load http://test.com.ipns.localhost:8000, it should retain that address

image

Test case 2: Public gateway

  1. Install IPFS Desktop and it should be started on port 8080
  2. Load http://127.0.0.1:8080/ipfs/QmV4FVfWRG4hJJKUsS1aU9MK85HYFJtuCmYAj8HetS8qMS. It should load the content but retain the https://dweb.link/ipfs/QmV4FVfWRG4hJJKUsS1aU9MK85HYFJtuCmYAj8HetS8qMS URL in the address bar.
  3. Set your public gateway to http://127.0.0.1:8080 in settings. And also set Brave to use this public gateway when resolving IPFS URIs.
  4. Load https://dweb.link/ipfs/QmV4FVfWRG4hJJKUsS1aU9MK85HYFJtuCmYAj8HetS8qMS. It should update to an ipfs:// URI.

Encountered #14499

image
image

Test case 3:

  1. Set Brave to use the local node
  2. Load ipns://brantly.eth
  3. It should retain ipns://brantly.eth in the address bar.
  4. Load http://brantly.eth.ipns.localhost:48081/ (NOTE: I had to change this to be port 48083 to match)
  5. It should retain ipns://brantly.eth in the address bar.

Could not resolve ipns
image

Verification is inprogress

Brave	1.22.56 Chromium: 89.0.4389.72 (Official Build) dev (64-bit)
Revision	3f345f156bfd157bd1bea06310e55f3fb2490359-refs/branch-heads/4389@{#1393}
OS	Windows 10 OS Version 2004 (Build 19041.867)

Test case 1: Non configured localhost should never show as IPFS

  1. Create an entry in your hosts file pointing to 127.0.0.1 for test.com.ipns.localhost
  2. Load http://test.com.ipns.localhost:8000, it should retain that address

image

Test case 2: Public gateway

  1. Install IPFS Desktop and it should be started on port 8080
  2. Load http://127.0.0.1:8080/ipfs/QmV4FVfWRG4hJJKUsS1aU9MK85HYFJtuCmYAj8HetS8qMS. It should load the content but retain the https://dweb.link/ipfs/QmV4FVfWRG4hJJKUsS1aU9MK85HYFJtuCmYAj8HetS8qMS URL in the address bar.
  3. Set your public gateway to http://127.0.0.1:8080 in settings. And also set Brave to use this public gateway when resolving IPFS URIs.
  4. Load https://dweb.link/ipfs/QmV4FVfWRG4hJJKUsS1aU9MK85HYFJtuCmYAj8HetS8qMS. It should update to an ipfs:// URI.

Note : The source QmV4FVfWRG4hJJKUsS1aU9MK85HYFJtuCmYAj8HetS8qMS is not available hence used http://127.0.0.1:8080/ipfs/bafybeiemxf5abjwjbikoz4mc3a3dla6ual3jsgpdr4cjr3oz3evfyavhwq/wiki/Vincent_van_Gogh.html to test the issue
image
image
image

Test case 3:

  1. Set Brave to use the local node
  2. Load ipns://brantly.eth
  3. It should retain ipns://brantly.eth in the address bar.
  4. Load http://brantly.eth.ipns.localhost:48081/ (NOTE: I had to change this to be port 48082 to match)
  5. It should retain ipns://brantly.eth in the address bar.

image
image
image

@LaurenWags LaurenWags changed the title Improve handling of address bar display for IPFS and IPNS [Security} Improve handling of address bar display for IPFS and IPNS Mar 8, 2021
@LaurenWags LaurenWags changed the title [Security} Improve handling of address bar display for IPFS and IPNS [Security] Improve handling of address bar display for IPFS and IPNS Mar 8, 2021
@LaurenWags
Copy link
Member

Adding QA/Test-All-Platforms since this issue also has the security label

@LaurenWags LaurenWags mentioned this issue Mar 22, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@spylogsster spylogsster

Labels
feature/web3/ipfs OS/Desktop priority/P2 A bad problem. We might uplift this to the next planned release. QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-All-Platforms QA/Yes release-notes/include security
Projects
None yet
Milestone
1.22.x - Release
Development

Successfully merging a pull request may close this issue.

Change ipfs scheme handling brave/brave-core
7 participants
@lidel @stephendonner @bbondy @spylogsster @LaurenWags @btlechowski @GeetaSarvadnya