IntenseWebs/pgadmin4
3
0
Fork 0
mirror of https://github.com/pgadmin-org/pgadmin4.git synced 2025-02-25 18:55:31 -06:00
Code Issues Packages Projects Releases Wiki Activity

Added ALLOWED_HOSTS support.

Browse Source 
refs #5919
This commit is contained in:
navnath gadakh
2020-11-09 12:35:19 +05:30
committed by Akshay Joshi
parent 1dca4313f7
commit 3a38f6b147
2 changed files with 44 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
web/config.py
View File

@@ -183,6 +183,14 @@ X_CONTENT_TYPE_OPTIONS = "nosniff"
# response contains the same data. e.g. '1; mode=block' # response contains the same data. e.g. '1; mode=block'
X_XSS_PROTECTION = "1; mode=block" X_XSS_PROTECTION = "1; mode=block"
# This param is used to validate ALLOWED_HOSTS for the application
# This will be used to avoid Host Header Injection attack
# ALLOWED_HOSTS = ['225.0.0.0/8', '226.0.0.0/7', '228.0.0.0/6']
# ALLOWED_HOSTS = ['127.0.0.1', '192.168.0.1']
# if ALLOWED_HOSTS= [] then it will accept all ips (and application will be
# vulnerable to Host Header Injection attack)
ALLOWED_HOSTS = []
# Hashing algorithm used for password storage # Hashing algorithm used for password storage
SECURITY_PASSWORD_HASH = 'pbkdf2_sha512' SECURITY_PASSWORD_HASH = 'pbkdf2_sha512'

36
web/pgadmin/__init__.py
View File

@@ -13,6 +13,7 @@ import logging
import os import os
import sys import sys
import re import re
import ipaddress
from types import MethodType from types import MethodType
from collections import defaultdict from collections import defaultdict
from importlib import import_module from importlib import import_module
@@ -621,6 +622,41 @@ def create_app(app_name=None):
app.register_blueprint(module) app.register_blueprint(module)
app.register_logout_hook(module) app.register_logout_hook(module)
@app.before_request
def limit_host_addr():
"""
This function validate the hosts from ALLOWED_HOSTS before allowing
HTTP request to avoid Host Header Injection attack
:return: None/JSON response with 403 HTTP status code
"""
client_host = str(request.host).split(':')[0]
valid = True
allowed_hosts = config.ALLOWED_HOSTS
if len(allowed_hosts) != 0:
regex = re.compile(
r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:/\d{1,2}|)')
# Create separate list for ip addresses and host names
ip_set = list(filter(lambda ip: regex.match(ip), allowed_hosts))
host_set = list(filter(lambda ip: not regex.match(ip),
allowed_hosts))
is_ip = regex.match(client_host)
if is_ip:
ip_address = []
for ip in ip_set:
ip_address.extend(list(ipaddress.ip_network(ip)))
valid = ip_address.__contains__(
ipaddress.ip_address(client_host)
)
else:
valid = host_set.__contains__(client_host)
if not valid:
return make_json_response(
status=403, success=0,
errormsg=_("403 FORBIDDEN")
)
########################################################################## ##########################################################################
# Handle the desktop login # Handle the desktop login
########################################################################## ##########################################################################