lino.jorzick/greenlight
1
0
Fork 0
forked from External/greenlight
Code Issues Pull Requests Projects Releases Wiki Activity

GRN2-xx: Added SAFE_HOSTS env variable to block unknown hosts (#1543)

Browse Source 
* Added SAFE_HOSTS env variable to block unknown hosts

* Update sample.env
This commit is contained in:
Ahmad Farhat
2020-05-08 13:33:02 -04:00
committed by GitHub
parent 8f454cad0e
commit 6fc402e40b
4 changed files with 35 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
app/controllers/application_controller.rb
View File

@ -18,9 +18,10 @@
class ApplicationController < ActionController::Base
include BbbServer
include Errors
before_action :redirect_to_https, :set_user_domain, :set_user_settings, :maintenance_mode?, :migration_error?,
:user_locale, :check_admin_password, :check_user_role
before_action :block_unknown_hosts, :redirect_to_https, :set_user_domain, :set_user_settings, :maintenance_mode?,
:migration_error?, :user_locale, :check_admin_password, :check_user_role
protect_from_forgery with: :exceptions
@ -44,6 +45,14 @@ class ApplicationController < ActionController::Base
@bbb_server ||= Rails.configuration.loadbalanced_configuration ? bbb(@user_domain) : bbb("greenlight")
end
# Block unknown hosts to mitigate host header injection attacks
def block_unknown_hosts
return unless Rails.env.production?
valid_hosts = ENV["SAFE_HOSTS"]
return raise UnsafeHostError, "SAFE_HOSTS not set in .env" if valid_hosts.blank?
raise UnsafeHostError, "#{request.host} is not a safe host" unless host_is_valid(valid_hosts)
end
# Force SSL
def redirect_to_https
if Rails.configuration.loadbalanced_configuration && request.headers["X-Forwarded-Proto"] == "http"
@ -252,4 +261,15 @@ class ApplicationController < ActionController::Base
end
end
end
def host_is_valid(hosts)
hosts.split(",").each do |url|
# convert to regex
reg_url = url.gsub(".", "\\.")
sub_url = reg_url.gsub("*", ".{1,}")
return true if request.host.match(sub_url)
end
false
end
end

5
app/controllers/concerns/errors.rb Normal file
View File

@ -0,0 +1,5 @@
# frozen_string_literal: true
module Errors
class UnsafeHostError < StandardError; end
end

2
app/controllers/themes_controller.rb
View File

@ -17,7 +17,7 @@
# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
class ThemesController < ApplicationController
skip_before_action :redirect_to_https, :maintenance_mode?, :migration_error?, :user_locale,
skip_before_action :block_unknown_hosts, :redirect_to_https, :maintenance_mode?, :migration_error?, :user_locale,
:check_admin_password, :check_user_role
# GET /primary