From 8ce2a0e245cbcde9aed41b4a4436f37a0052e53b Mon Sep 17 00:00:00 2001
From: mmmray <142015632+mmmray@users.noreply.github.com>
Date: Fri, 26 Apr 2024 05:19:25 +0200
Subject: [PATCH] Validate /websocket requests from browser dialer page (#3295)

Fixes https://github.com/XTLS/Xray-core/issues/3236

---------

Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>
---
 transport/internet/websocket/dialer.go | 15 +++++++++++----
 transport/internet/websocket/dialer.html | 2 +-
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/transport/internet/websocket/dialer.go b/transport/internet/websocket/dialer.go
index 4ef27831..20161688 100644
--- a/transport/internet/websocket/dialer.go
+++ b/transport/internet/websocket/dialer.go
@@ -1,6 +1,7 @@
 package websocket
 
 import (
+	"bytes"
 	"context"
 	_ "embed"
 	"encoding/base64"
@@ -14,6 +15,7 @@ import (
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/platform"
 	"github.com/xtls/xray-core/common/session"
+	"github.com/xtls/xray-core/common/uuid"
 	"github.com/xtls/xray-core/transport/internet"
 	"github.com/xtls/xray-core/transport/internet/stat"
 	"github.com/xtls/xray-core/transport/internet/tls"
@@ -27,13 +29,18 @@ var conns chan *websocket.Conn
 func init() {
 	addr := platform.NewEnvFlag(platform.BrowserDialerAddress).GetValue(func() string { return "" })
 	if addr != "" {
+		token := uuid.New()
+		csrfToken := token.String()
+		webpage = bytes.ReplaceAll(webpage, []byte("csrfToken"), []byte(csrfToken))
 		conns = make(chan *websocket.Conn, 256)
 		go http.ListenAndServe(addr, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if r.URL.Path == "/websocket" {
-				if conn, err := upgrader.Upgrade(w, r, nil); err == nil {
-					conns <- conn
-				} else {
-					newError("Browser dialer http upgrade unexpected error").AtError().WriteToLog()
+				if r.URL.Query().Get("token") == csrfToken {
+					if conn, err := upgrader.Upgrade(w, r, nil); err == nil {
+						conns <- conn
+					} else {
+						newError("Browser dialer http upgrade unexpected error").AtError().WriteToLog()
+					}
 				}
 			} else {
 				w.Write(webpage)
diff --git a/transport/internet/websocket/dialer.html b/transport/internet/websocket/dialer.html
index c141379d..7831225c 100644
--- a/transport/internet/websocket/dialer.html
+++ b/transport/internet/websocket/dialer.html
@@ -6,7 +6,7 @@
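Review bot: A request to /websocket with a missing or wrong token falls off the end of the new `if r.URL.Query().Get("token") == csrfToken` block, so the handler answers with an implicit 200 and empty body and nothing is logged; a rejected cross-site attempt is exactly the event this change exists to stop, and it should be visible and answered with an explicit 403. The comparison is also a plain `==` on a secret, where `subtle.ConstantTimeCompare` (stdlib `crypto/subtle`, which would need adding to the import block in the first hunk) is the conventional form. Separately, `bytes.ReplaceAll(webpage, []byte("csrfToken"), …)` rewrites every occurrence of that byte sequence in the embedded page, which is fine only if the page uses `csrfToken` solely as the placeholder (the dialer.html hunk is cut off here, so I cannot confirm that); a more distinctive marker would make the substitution harder to break by a later edit to the page. The `init` body continues past the end of this hunk.
```go
			if r.URL.Path == "/websocket" {
				// Reject before upgrading so a cross-site page never gets a socket; constant-time keeps the compare uninformative.
				if subtle.ConstantTimeCompare([]byte(r.URL.Query().Get("token")), []byte(csrfToken)) != 1 {
					newError("Browser dialer websocket request with invalid token rejected").AtWarning().WriteToLog()
					http.Error(w, "forbidden", http.StatusForbidden)
					return
				}
				// … unchanged: upgrader.Upgrade, conns <- conn, upgrade error log …
			} else {
				w.Write(webpage)
```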