Merge pull request #24592 from overleaf/td-socket-io-origins

Use updated socket.io with CORS origin check in real-time GitOrigin-RevId: a1a874ba298e145aa4c9dd55ef723d79843f8145
2026-05-24 17:51:51 +02:00 · 2025-04-14 10:42:48 +01:00
parent b9f1013f37
commit 773cbc92eb
4 changed files with 42 additions and 14 deletions
--- a/package-lock.json
+++ b/package-lock.json
@@ -32300,7 +32300,7 @@
    "node_modules/policyfile": {
      "version": "0.0.4",
      "resolved": "https://registry.npmjs.org/policyfile/-/policyfile-0.0.4.tgz",
-      "integrity": "sha1-1rgurZiueeviKOLa9ZAzEeyYLk0=",
+      "integrity": "sha512-UfDtlscNialXfmVEwEPm0t/5qtM0xPK025eYWd/ilv89hxLIhVQmt3QIzMHincLO2MBtZyww0386pt13J4aIhQ==",
      "engines": {
        "node": "*"
      }
@@ -35199,6 +35199,15 @@
        "node": ">=8"
      }
    },
+    "node_modules/redis": {
+      "version": "0.7.3",
+      "resolved": "https://registry.npmjs.org/redis/-/redis-0.7.3.tgz",
+      "integrity": "sha512-0Pgb0jOLfn6eREtEIRn/ifyZJjl2H+wUY4F/Pe7T4UhmoSrZ/1HU5ZqiBpDk8I8Wbyv2N5DpXKzbEtMj3drprg==",
+      "optional": true,
+      "engines": {
+        "node": "*"
+      }
+    },
    "node_modules/redis-commands": {
      "version": "1.7.0",
      "resolved": "https://registry.npmjs.org/redis-commands/-/redis-commands-1.7.0.tgz",
@@ -37141,8 +37150,8 @@
      }
    },
    "node_modules/socket.io": {
-      "version": "0.9.19-overleaf-10",
-      "resolved": "git+ssh://git@github.com/overleaf/socket.io.git#7ac322c2a5b26a4647834868d78afbb0db1f8849",
+      "version": "0.9.19-overleaf-11",
+      "resolved": "git+ssh://git@github.com/overleaf/socket.io.git#5afa587036620afa232d0f7b778ebb1541d7e4d5",
      "dependencies": {
        "base64id": "0.1.0",
        "policyfile": "0.0.4"
@@ -37174,15 +37183,6 @@
        "ultron": "1.0.x"
      }
    },
-    "node_modules/socket.io/node_modules/redis": {
-      "version": "0.7.3",
-      "resolved": "https://registry.npmjs.org/redis/-/redis-0.7.3.tgz",
-      "integrity": "sha512-0Pgb0jOLfn6eREtEIRn/ifyZJjl2H+wUY4F/Pe7T4UhmoSrZ/1HU5ZqiBpDk8I8Wbyv2N5DpXKzbEtMj3drprg==",
-      "optional": true,
-      "engines": {
-        "node": "*"
-      }
-    },
    "node_modules/sockjs": {
      "version": "0.3.24",
      "resolved": "https://registry.npmjs.org/sockjs/-/sockjs-0.3.24.tgz",
@@ -43958,7 +43958,7 @@
        "lodash": "^4.17.21",
        "proxy-addr": "^2.0.7",
        "request": "^2.88.2",
-        "socket.io": "github:overleaf/socket.io#0.9.19-overleaf-10",
+        "socket.io": "github:overleaf/socket.io#0.9.19-overleaf-11",
        "socket.io-client": "github:overleaf/socket.io-client#0.9.17-overleaf-5"
      },
      "devDependencies": {
--- a/services/real-time/app.js
+++ b/services/real-time/app.js
@@ -83,6 +83,33 @@ io.configure(function () {
  io.set('match origin protocol', true)

  io.set('transports', ['websocket', 'xhr-polling'])
+
+  if (Settings.allowedCorsOrigins) {
+    // Create a regex for matching origins, allowing wildcard subdomains
+    const allowedCorsOriginsRegex = new RegExp(
+      `^${Settings.allowedCorsOrigins.replaceAll('.', '\\.').replace('://*', '://[^.]+')}(?::443)?$`
+    )
+
+    io.set('origins', function (origin, req) {
+      const normalizedOrigin = URL.parse(origin).origin
+      const originIsValid = allowedCorsOriginsRegex.test(normalizedOrigin)
+
+      if (req.headers.origin) {
+        return originIsValid
+      }
+
+      if (!originIsValid) {
+        // There is no Origin header and the Referrer does not satisfy the
+        // constraints. We're going to pass this anyway for now but log it
+        logger.warn(
+          { req, referer: req.headers.referer },
+          'Referrer header does not match allowed origins'
+        )
+      }
+
+      return true
+    })
+  }
 })

 // Serve socket.io.js client file from imported dist folder
--- a/services/real-time/config/settings.defaults.js
+++ b/services/real-time/config/settings.defaults.js
@@ -173,6 +173,7 @@ const settings = {
  behindProxy: process.env.BEHIND_PROXY === 'true',
  trustedProxyIps: process.env.TRUSTED_PROXY_IPS,
  keepAliveTimeoutMs: parseInt(process.env.KEEPALIVE_TIMEOUT_MS ?? '5000', 10),
+  allowedCorsOrigins: process.env.REAL_TIME_ALLOWED_CORS_ORIGINS,
 }

 // console.log settings.redis
--- a/services/real-time/package.json
+++ b/services/real-time/package.json
@@ -34,7 +34,7 @@
    "lodash": "^4.17.21",
    "proxy-addr": "^2.0.7",
    "request": "^2.88.2",
-    "socket.io": "github:overleaf/socket.io#0.9.19-overleaf-10",
+    "socket.io": "github:overleaf/socket.io#0.9.19-overleaf-11",
    "socket.io-client": "github:overleaf/socket.io-client#0.9.17-overleaf-5"
  },
  "devDependencies": {