validate Origin header on websocket connection

frida · Oct 18, 2024 · e608c7f · e608c7f
1 parent f44bcec
commit e608c7f
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/frida_tools/tracer.py b/frida_tools/tracer.py
@@ -341,6 +341,17 @@ def _handle_asset_request(
             self, connection: websockets.asyncio.server.ServerConnection, request: websockets.asyncio.server.Request
         ):
             if request.headers.get("Connection") == "Upgrade":
+                origin = request.headers.get("Origin")
+                if origin != f"http://localhost:{self._ui_port}":
+                    self._print(
+                        Fore.RED
+                        + Style.BRIGHT
+                        + "Warning"
+                        + Style.RESET_ALL
+                        + f": Cross-origin request from {origin} denied"
+                    )
+                    return connection.respond(http.HTTPStatus.FORBIDDEN, 'Cross-origin request denied\n')
+
                 return
 
             raw_path = request.path.split("?", maxsplit=1)[0]