From 9e2127b2a58409f2a871ea1cef7f921d40e2a6c0 Mon Sep 17 00:00:00 2001
From: Akshay Joshi
Date: Thu, 5 Nov 2020 12:43:11 +0530
Subject: [PATCH] Removed ALLOWED_HOSTS support as it requires 'netaddr' which doesn't support Python 3.5

---
 Dockerfile | 3 +--
 requirements.txt | 1 -
 web/config.py | 11 -----------
 web/pgadmin/__init__.py | 31 -------------------------------
 4 files changed, 1 insertion(+), 45 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 3f5d5045a..6632e88ac 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -81,8 +81,7 @@ RUN apk add --no-cache \
 flask_gravatar \
 flask_migrate \
 simplejson \
- cryptography \
- netaddr
+ cryptography
 # Copy the docs from the local tree. Explicitly remove any existing builds that
 # may be present
diff --git a/requirements.txt b/requirements.txt
index dbb008323..a5815a34c 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -41,5 +41,4 @@ Flask-Security-Too>=3.0.0
 bcrypt<=3.1.7
 cryptography<=3.0
 sshtunnel>=0.1.5
-netaddr==0.8.0
 ldap3>=2.5.1
diff --git a/web/config.py b/web/config.py
index b893e352c..6dd26be20 100644
--- a/web/config.py
+++ b/web/config.py
@@ -143,17 +143,6 @@ DEFAULT_SERVER = '127.0.0.1'
 # environment by the runtime
 DEFAULT_SERVER_PORT = 5050
-# This param is used to validate ALLOWED_HOSTS for the application
-# This will be used to avoid Host Header Injection attack
-# For how to set ALLOWED_HOSTS see netaddr library
-# For more details https://netaddr.readthedocs.io/en/latest/tutorial_03.html
-# e.g. ALLOWED_HOSTS = ['192.0.2.0/28', '::192.0.2.0/124']
-# ALLOWED_HOSTS = ['225.0.0.0/8', '226.0.0.0/7', '228.0.0.0/6']
-# ALLOWED_HOSTS = ['127.0.0.1', '192.168.0.1']
-# if ALLOWED_HOSTS= [] then it will accept all ips (and application will be
-# vulnerable to Host Header Injection attack)
-ALLOWED_HOSTS = []
-
 # This param is used to override the default web server information about
 # the web technology and the frameworks being used in the application
 # An attacker could use this information to fingerprint underlying operating
diff --git a/web/pgadmin/__init__.py b/web/pgadmin/__init__.py
index 59cab6250..4ee836da4 100644
--- a/web/pgadmin/__init__.py
+++ b/web/pgadmin/__init__.py
@@ -26,7 +26,6 @@ from flask_mail import Mail
 from flask_paranoid import Paranoid
 from flask_security import Security, SQLAlchemyUserDatastore, current_user
 from flask_security.utils import login_user, logout_user
-from netaddr import IPSet
 from werkzeug.datastructures import ImmutableDict
 from werkzeug.local import LocalProxy
 from werkzeug.utils import find_modules
@@ -662,36 +661,6 @@ def create_app(app_name=None):
 request.endpoint not in ('security.login', 'security.logout'):
 logout_user()
- @app.before_request
- def limit_host_addr():
- """
- This function validate the hosts from ALLOWED_HOSTS before allowing
- HTTP request to avoid Host Header Injection attack
- :return: None/JSON response with 403 HTTP status code
- """
- client_host = str(request.host).split(':')[0]
- valid = True
- allowed_hosts = config.ALLOWED_HOSTS
- if len(allowed_hosts) != 0:
- regex = re.compile(
- r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:/\d{1,2}|)')
- # Create separate list for ip addresses and host names
- ip_set = list(filter(lambda ip: regex.match(ip), allowed_hosts))
- host_set = list(filter(lambda ip: not regex.match(ip),
- allowed_hosts))
- is_ip = regex.match(client_host)
- if is_ip:
- valid = IPSet(ip_set).__contains__(client_host)
- else:
- valid = host_set.__contains__(client_host)
- if not valid:
- return make_json_response(
- status=403, success=0,
- errormsg=_("403 FORBIDDEN")
- )
-
 @app.after_request
 def after_request(response):
 if 'key' in request.args:
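Review bot: With limit_host_addr deleted, create_app registers no check on the Host header at all, so the Host-header-injection protection that config.py documented is removed rather than reworked, and a deployment that still sets ALLOWED_HOSTS in its local config now silently runs without it. The only part of the hook that needed netaddr was the CIDR membership test (`IPSet(ip_set).__contains__`); the standard-library `ipaddress` module (available since Python 3.3) covers that, so the hook can be kept on 3.5 without the third-party dependency. The sketch below keeps the same config contract (empty list = no restriction, JSON 403 otherwise) but resolves CIDR/IP entries with `ipaddress.ip_network(entry, strict=False)`, treats any entry that does not parse as a literal host name compared case-insensitively, and strips the port from request.host while leaving bracketed IPv6 literals intact; it needs `import ipaddress` at module top. Werkzeug's `Request.trusted_hosts`, if the pinned Werkzeug version provides it, would be the other way to get the same effect without netaddr. The enclosing create_app starts and ends outside this hunk.

```python
    @app.before_request
    def limit_host_addr():
        """Reject requests whose Host header is not listed in config.ALLOWED_HOSTS.

        Entries may be IP addresses / CIDR ranges (checked with ipaddress) or
        plain host names (compared case-insensitively). An empty ALLOWED_HOSTS
        disables the check.
        :return: None to continue, or a JSON response with HTTP status 403
        """
        allowed_hosts = config.ALLOWED_HOSTS
        if not allowed_hosts:
            return None

        # request.host may carry a port ("example.com:5050"); drop it, but keep
        # a bracketed IPv6 literal ("[::1]:5050") intact.
        host = request.host
        if host.startswith('[') and ']' in host:
            host = host[1:host.index(']')]
        else:
            host = host.split(':')[0]

        valid = host.lower() in {h.lower() for h in allowed_hosts}
        if not valid:
            try:
                client_ip = ipaddress.ip_address(host)
            except ValueError:
                client_ip = None  # not an IP literal: host-name match above was final
            if client_ip is not None:
                for entry in allowed_hosts:
                    try:
                        if client_ip in ipaddress.ip_network(entry, strict=False):
                            valid = True
                            break
                    except ValueError:
                        continue  # a host name, not a network
        if not valid:
            return make_json_response(
                status=403, success=0,
                errormsg=_("403 FORBIDDEN")
            )
```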