daemon: Only accept HTTPS origins

Author: iinuwa

credentialsd/src/dbus/gateway.rs

@@ -198,6 +198,10 @@ async fn check_origin(
         );
         return Err(WebAuthnError::SecurityError);
     };
+    if !origin.starts_with("https://") {
+        tracing::warn!("Caller requested non-HTTPS schemed origin, which is not supported.");
+        return Err(WebAuthnError::SecurityError);
+    }
     let is_same_origin = is_same_origin.unwrap_or(false);
     let top_origin = if is_same_origin {
         origin.clone()
@@ -264,3 +268,25 @@ impl From<WebAuthnError> for Error {
         }
     }
 }
+
+#[cfg(test)]
+mod test {
+    use std::future::Future;
+
+    use credentialsd_common::model::WebAuthnError;
+
+    use crate::dbus::gateway::check_origin;
+
+    #[tokio::test]
+    async fn test_only_https_origins() {
+        let check = |origin: &'static str| async { check_origin(Some(origin), Some(true)).await };
+        assert!(matches!(
+            check("https://example.com").await,
+            Ok((o, ..)) if o == "https://example.com"
+        ));
+        assert!(matches!(
+            check("http://example.com").await,
+            Err(WebAuthnError::SecurityError)
+        ));
+    }
+}

credentialsd/src/dbus/model.rs

@@ -312,6 +312,8 @@ pub(super) fn get_credential_request_try_into_ctap2(
         }
     };
     let relying_party_id = options.rp_id.unwrap_or_else(|| {
+        // TODO: We're assuming that the origin is `<scheme>://data`, which is
+        // currently checked by the caller, but we should encode this in a type.
         let (_, effective_domain) = origin.rsplit_once('/').unwrap();
         effective_domain.to_string()
     });