Added ui.public_remote_enabled and ui.public_remote_hosts

This commit is contained in:
Kevin Froman 2020-09-08 08:39:18 +00:00
parent 17ef138c21
commit 2ce5f48c90
3 changed files with 32 additions and 6 deletions

View File

@ -83,4 +83,4 @@ class PublicEndpoints:
In the future this will be done more often than on creation In the future this will be done more often than on creation
to speed up block sync to speed up block sync
""" """
return upload.accept_upload(request) return upload.accept_upload(request)

View File

@ -4,9 +4,13 @@ Process incoming requests to the client api server to validate
that they are legitimate and not DNSR/XSRF or other local adversary that they are legitimate and not DNSR/XSRF or other local adversary
""" """
import hmac import hmac
from flask import Blueprint, request, abort, g from flask import Blueprint, request, abort, g
from onionrservices import httpheaders from onionrservices import httpheaders
from . import pluginwhitelist from . import pluginwhitelist
import config
import logger
""" """
This program is free software: you can redistribute it and/or modify This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -31,6 +35,11 @@ whitelist_endpoints = [
'siteapi.siteFile', 'staticfiles.onionrhome', 'siteapi.siteFile', 'staticfiles.onionrhome',
'themes.getTheme', 'staticfiles.onboarding', 'staticfiles.onboardingIndex'] 'themes.getTheme', 'staticfiles.onboarding', 'staticfiles.onboardingIndex']
remote_safe_whitelist = ['www', 'staticfiles']
public_remote_enabled = config.get('ui.public_remote_enabled', False)
public_remote_hostnames = config.get('ui.public_remote_hosts', [])
class ClientAPISecurity: class ClientAPISecurity:
def __init__(self, client_api): def __init__(self, client_api):
@ -42,10 +51,23 @@ class ClientAPISecurity:
@client_api_security_bp.before_app_request @client_api_security_bp.before_app_request
def validate_request(): def validate_request():
"""Validate request has set password and is the correct hostname""" """Validate request has set password & is the correct hostname."""
# For the purpose of preventing DNS rebinding attacks # For the purpose of preventing DNS rebinding attacks
if request.host != '%s:%s' % (client_api.host, client_api.bindPort): localhost = True
abort(403) if request.host != '%s:%s' % \
(client_api.host, client_api.bindPort):
localhost = False
if not localhost and public_remote_enabled:
if request.host not in public_remote_hostnames:
logger.warn(
f'{request.host} not in {public_remote_hostnames}')
abort(403)
else:
if not localhost:
logger.warn(
f'Possible DNS rebinding attack by {request.host}')
abort(403)
# Add shared objects # Add shared objects
try: try:
@ -53,11 +75,13 @@ class ClientAPISecurity:
except KeyError: except KeyError:
g.too_many = None g.too_many = None
if request.endpoint in whitelist_endpoints: # Static files for Onionr sites
return
if request.path.startswith('/site/'): if request.path.startswith('/site/'):
return return
if request.endpoint in whitelist_endpoints:
return
try: try:
if not hmac.compare_digest( if not hmac.compare_digest(
request.headers['token'], client_api.clientToken): request.headers['token'], client_api.clientToken):

View File

@ -73,6 +73,8 @@
}, },
"ui": { "ui": {
"animated_background": true, "animated_background": true,
"public_remote_enabled": false,
"public_remote_hosts": [],
"theme": "dark" "theme": "dark"
} }
} }