Removed ALLOWED_HOSTS support as it requires 'netaddr' which doesn't support Python 3.5

Dockerfile

@@ -81,8 +81,7 @@ RUN apk add --no-cache \
         flask_gravatar \
         flask_migrate \
         simplejson \
-        cryptography \
+        cryptography
-        netaddr
 
 # Copy the docs from the local tree. Explicitly remove any existing builds that
 # may be present

requirements.txt

@@ -41,5 +41,4 @@ Flask-Security-Too>=3.0.0
 bcrypt<=3.1.7
 cryptography<=3.0
 sshtunnel>=0.1.5
-netaddr==0.8.0
 ldap3>=2.5.1

web/config.py

@@ -143,17 +143,6 @@ DEFAULT_SERVER = '127.0.0.1'
 # environment by the runtime
 DEFAULT_SERVER_PORT = 5050
 
-# This param is used to validate ALLOWED_HOSTS for the application
-# This will be used to avoid Host Header Injection attack
-# For how to set ALLOWED_HOSTS see netaddr library
-# For more details https://netaddr.readthedocs.io/en/latest/tutorial_03.html
-# e.g. ALLOWED_HOSTS = ['192.0.2.0/28', '::192.0.2.0/124']
-# ALLOWED_HOSTS = ['225.0.0.0/8', '226.0.0.0/7', '228.0.0.0/6']
-# ALLOWED_HOSTS = ['127.0.0.1', '192.168.0.1']
-# if ALLOWED_HOSTS= [] then it will accept all ips (and application will be
-# vulnerable to Host Header Injection attack)
-ALLOWED_HOSTS = []
-
 # This param is used to override the default web server information about
 # the web technology and the frameworks being used in the application
 # An attacker could use this information to fingerprint underlying operating

web/pgadmin/__init__.py

@@ -26,7 +26,6 @@ from flask_mail import Mail
 from flask_paranoid import Paranoid
 from flask_security import Security, SQLAlchemyUserDatastore, current_user
 from flask_security.utils import login_user, logout_user
-from netaddr import IPSet
 from werkzeug.datastructures import ImmutableDict
 from werkzeug.local import LocalProxy
 from werkzeug.utils import find_modules
@@ -662,36 +661,6 @@ def create_app(app_name=None):
                 request.endpoint not in ('security.login', 'security.logout'):
             logout_user()
 
-    @app.before_request
-    def limit_host_addr():
-        """
-        This function validate the hosts from ALLOWED_HOSTS before allowing
-        HTTP request to avoid Host Header Injection attack
-        :return: None/JSON response with 403 HTTP status code
-        """
-        client_host = str(request.host).split(':')[0]
-        valid = True
-        allowed_hosts = config.ALLOWED_HOSTS
-
-        if len(allowed_hosts) != 0:
-            regex = re.compile(
-                r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:/\d{1,2}|)')
-            # Create separate list for ip addresses and host names
-            ip_set = list(filter(lambda ip: regex.match(ip), allowed_hosts))
-            host_set = list(filter(lambda ip: not regex.match(ip),
-                                   allowed_hosts))
-            is_ip = regex.match(client_host)
-            if is_ip:
-                valid = IPSet(ip_set).__contains__(client_host)
-            else:
-                valid = host_set.__contains__(client_host)
-
-        if not valid:
-            return make_json_response(
-                status=403, success=0,
-                errormsg=_("403 FORBIDDEN")
-            )
-
     @app.after_request
     def after_request(response):
         if 'key' in request.args: