Fixed security issue

* Web-server for library-, board-manager etc. was not listening on localhost but on the machine's main interface
* Web-server wasn't launched asynchronously what can cause problems
* Port was stored redundantly in webserver class
Addresses #966

Author: elektronikworkshop

src/arduino/arduinoContentProvider.ts

@@ -16,12 +16,9 @@ export class ArduinoContentProvider implements vscode.TextDocumentContentProvide
     private _webserver: LocalWebServer;
     private _onDidChange = new vscode.EventEmitter<vscode.Uri>();
 
-    constructor(
-        private _extensionPath: string) {
-        this.initialize();
-    }
+    constructor(private _extensionPath: string) { }
 
-    public initialize() {
+    public async initialize() {
         this._webserver = new LocalWebServer(this._extensionPath);
         // Arduino Boards Manager
         this.addHandlerWithLogger("show-boardmanager", "/boardmanager", (req, res) => this.getHtmlView(req, res));
@@ -50,7 +47,7 @@ export class ArduinoContentProvider implements vscode.TextDocumentContentProvide
         this.addHandlerWithLogger("load-examples", "/api/examples", async (req, res) => await this.getExamples(req, res));
         this.addHandlerWithLogger("open-example", "/api/openexample", (req, res) => this.openExample(req, res), true);
 
-        this._webserver.start();
+        await this._webserver.start();
     }
 
     public async provideTextDocumentContent(uri: vscode.Uri): Promise<string> {

src/arduino/localWebServer.ts

@@ -9,7 +9,6 @@ import * as path from "path";
 export default class LocalWebServer {
     private app = express();
     private server;
-    private _serverPort: string;
 
     constructor(private _extensionPath: string) {
         this.app.use("/", express.static(path.join(this._extensionPath, "./out/views")));
@@ -18,10 +17,10 @@ export default class LocalWebServer {
     }
 
     public getServerUrl(): string {
-        return `http://localhost:${this._serverPort}`;
+        return `http://localhost:${this.server.address().port}`;
     }
     public getEndpointUri(type: string): string {
-        return `http://localhost:${this._serverPort}/${type}`;
+        return `http://localhost:${this.server.address().port}/${type}`;
     }
 
     public addHandler(url: string, handler: (req, res) => void): void {
@@ -32,10 +31,24 @@ export default class LocalWebServer {
         this.app.post(url, handler);
     }
 
-    public start(): void {
-        const port = this.server.listen(0).address().port;
-        // tslint:disable-next-line
-        console.log(`Starting express server on port: ${port}`);
-        this._serverPort = port;
+    /**
+     * Start webserver.
+     * If it fails to listen reject will report its error.
+     */
+    public async start() {
+        return new Promise<void>((resolve, reject) => {
+            // Address and port are available as soon as the server
+            // started listening, resolving localhost requires
+            // some time.
+            this.server.listen(0, "localhost", (error) => {
+                if (error) {
+                    reject(error);
+                    return;
+                }
+                // tslint:disable-next-line
+                console.log(`Express server listening on port: ${this.server.address().port}`);
+                resolve();
+            });
+        });
     }
 }

src/extension.ts

@@ -333,8 +333,10 @@ export async function activate(context: vscode.ExtensionContext) {
     }
     Logger.traceUserData("end-activate-extension", { correlationId: activeGuid });
 
-    setTimeout(() => {
+    setTimeout(async () => {
         const arduinoManagerProvider = new arduinoContentProviderModule.ArduinoContentProvider(context.extensionPath);
+        await arduinoManagerProvider.initialize();
+
         context.subscriptions.push(vscode.workspace.registerTextDocumentContentProvider(ARDUINO_MANAGER_PROTOCOL, arduinoManagerProvider));
         registerArduinoCommand("arduino.showBoardManager", async () => {
             const panel = vscode.window.createWebviewPanel("arduinoBoardManager", "Arduino Board Manager", vscode.ViewColumn.Two, {