rhardih / serve Goto Github PK

Hello @rhardih , I just saw your package from the go trending list. Congrulations, I know how you're feeling!!

I am thinking of this, and don't missunderstand me please but,

Many packages uses net/http for command line fast-run servers like yours, I think you can do better, using the Iris .

I'm not enough good with command line apps in go and these days I don't have much time to deep into this field. If you prefer to use net/http in this package that's ok, it's your decision, but I have to make this 'offer' too: I want to you to be part of the Iris Contrib in this command line tool which is not ready yet, you can delete all files and start from zero with your preffered way and structure. Think both of them and answer me here or here please. Hopes you the bests!!

This little server is so useful, thanks! I've not found anything else that's quite so handy.

It would be great to have the ability to specify custom HTTP headers. For my immediate use case I want to be able to set:

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

so as to be able to use the performance.measureUserAgentSpecificMemory API while developing, but I'm sure there will be lots of other use cases.

I'm pretty sure there's a big issue in the current version of serve, but I'm not a security expert so some details in the following description might not be 100% correct.

When running serve -2, serve serves the current working directory, and also saves the generated certificate and private key in the same directory. This means everyone can just download both files and use them in a Man-in-the-Middle attack with the following consequences:

1. The attacker can decrypt and read all data that's usually encrypted by the TLS connection
2. The client has no way to notice that he's the victim of a MitM attack because the certificate he sees is the correct one

Usually, while the first part of a MitM attack (routing traffic from a victim via the attacker's computer to the server, leading to seeing all network packets) is easy, the second part (decrypting the packets and having the victim not notice that he's attacked) is very difficult.
Without the certificate and private key the attacker can only generate another self signed certificate. When routing the traffic from the victim via his computer, he can now decrypt the traffic (because the TLS connection is only encrypted between the victim and himself, and a seperate TLS encryption is encrypted between himself and the server), but if the client knows for example the fingerprint of the original server's certificate, he can now tell that the certificate he's shown is different.

So what should be implemented here is two things:

1. The certificate and private key shouldn't be written to the same directory that's served
2. There should be an easy way for the server to send a fingerprint of the certificate to a client via a secure channel, so the client has a way to validate that the certificate he's shown is the correct one (maybe just print the fingerprint so the person running the server can then send it via chat app or put it on his website or something)

The install instruction to:

go get github.com/rhardih/serve

doesn't appear to work:

go get: github.com/rhardih/serve@none updating to
        github.com/rhardih/[email protected]: parsing go.mod:
        module declares its path as: serve
                but was required as: github.com/rhardih/serve 

This is because the commit at 705a565 didn't make it into v1.1.0. Ideally a new release should be made to include this commit. Alternatively, the package can be installed successfully with:

go get github.com/rhardih/serve@master

It's worth the effort, as this is a really useful little tool!

I tried out your project but it seems to be throwing this error.

$ go get github.com/rhardih/serve

# github.com/rhardih/serve
../../go/src/github.com/rhardih/serve/serve.go:164: c.NArg undefined (type *cli.Context has no field or method NArg)