GRN2-xx: Added SAFE_HOSTS env variable to block unknown hosts (#1543)

* Added SAFE_HOSTS env variable to block unknown hosts

* Update sample.env
This commit is contained in:
Ahmad Farhat 2020-05-08 13:33:02 -04:00 committed by GitHub
parent 8f454cad0e
commit 6fc402e40b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 35 additions and 3 deletions


@ -18,9 +18,10 @@
class ApplicationController < ActionController::Base class ApplicationController < ActionController::Base
include BbbServer include BbbServer
include Errors
before_action :redirect_to_https, :set_user_domain, :set_user_settings, :maintenance_mode?, :migration_error?, before_action :block_unknown_hosts, :redirect_to_https, :set_user_domain, :set_user_settings, :maintenance_mode?,
:user_locale, :check_admin_password, :check_user_role :migration_error?, :user_locale, :check_admin_password, :check_user_role
protect_from_forgery with: :exceptions protect_from_forgery with: :exceptions
@ -44,6 +45,14 @@ class ApplicationController < ActionController::Base
@bbb_server ||= Rails.configuration.loadbalanced_configuration ? bbb(@user_domain) : bbb("greenlight") @bbb_server ||= Rails.configuration.loadbalanced_configuration ? bbb(@user_domain) : bbb("greenlight")
end end
# Block unknown hosts to mitigate host header injection attacks
def block_unknown_hosts
return unless Rails.env.production?
valid_hosts = ENV["SAFE_HOSTS"]
return raise UnsafeHostError, "SAFE_HOSTS not set in .env" if valid_hosts.blank?
raise UnsafeHostError, "#{request.host} is not a safe host" unless host_is_valid(valid_hosts)
end
# Force SSL # Force SSL
def redirect_to_https def redirect_to_https
if Rails.configuration.loadbalanced_configuration && request.headers["X-Forwarded-Proto"] == "http" if Rails.configuration.loadbalanced_configuration && request.headers["X-Forwarded-Proto"] == "http"
@ -252,4 +261,15 @@ class ApplicationController < ActionController::Base
end end
end end
end end
def host_is_valid(hosts)
hosts.split(",").each do |url|
# convert to regex
reg_url = url.gsub(".", "\\.")
sub_url = reg_url.gsub("*", ".{1,}")
return true if request.host.match(sub_url)
end
false
end
end end
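Review bot: `host_is_valid` in the second hunk builds an unanchored pattern from each SAFE_HOSTS entry and passes it to `request.host.match(sub_url)`, so the allowlist is a substring check rather than an exact-host check: with `SAFE_HOSTS=example.com`, a Host of `example.com.other.test` or `notexample.com` still passes, which undercuts the host-header protection `block_unknown_hosts` in the first hunk is meant to add. Anchoring the pattern with `\A`/`\z`, escaping via `Regexp.escape` instead of the hand-rolled `gsub(".", "\\.")`, and using `match?` keeps the `*` wildcard while rejecting superstrings; `any?` also replaces the `each`/`return true`/`false` shape, and `strip` tolerates spaces after the commas. Separately, `Errors::UnsafeHostError` is a plain `StandardError` with no `rescue_from`, so a rejected host surfaces as a 500 rather than a 4xx, and `return raise` on the `valid_hosts.blank?` line can drop the `return` since `raise` never returns. If the app is on Rails 6 or later, `config.hosts` provides the same allowlist natively and is worth comparing against.
```ruby
def host_is_valid(hosts)
  hosts.split(",").any? do |url|
    # Escape everything, then re-enable "*" as a wildcard; anchor with \A/\z so the
    # allowlist is an exact-host match rather than a substring search.
    pattern = Regexp.escape(url.strip).gsub("\\*", ".+")
    request.host.match?(/\A#{pattern}\z/)
  end
end
```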


@ -0,0 +1,5 @@
# frozen_string_literal: true
module Errors
class UnsafeHostError < StandardError; end
end


@ -17,7 +17,7 @@
# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>. # with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
class ThemesController < ApplicationController class ThemesController < ApplicationController
skip_before_action :redirect_to_https, :maintenance_mode?, :migration_error?, :user_locale, skip_before_action :block_unknown_hosts, :redirect_to_https, :maintenance_mode?, :migration_error?, :user_locale,
:check_admin_password, :check_user_role :check_admin_password, :check_user_role
# GET /primary # GET /primary
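Review bot: Adding `block_unknown_hosts` to the `skip_before_action` list means ThemesController answers under any Host header in production, the exact case the new filter exists to reject, and nothing in the hunk records why that is acceptable here. The skip is presumably deliberate, since this controller already bypasses `redirect_to_https` and the other filters, but a comment above the `skip_before_action` line stating the reason (for example `# Host validation is skipped here because theme assets must be loadable from other domains`, if that is the case) would stop a future reader from re-adding it or from widening the exception to other controllers. The class body continues outside the hunk.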


@ -16,6 +16,13 @@ SECRET_KEY_BASE=
BIGBLUEBUTTON_ENDPOINT= BIGBLUEBUTTON_ENDPOINT=
BIGBLUEBUTTON_SECRET= BIGBLUEBUTTON_SECRET=
# The hostname that the application is accessible from.
#
# Used to protect against various HTTP header attacks
# Should be in the form of "domain.com"
#
SAFE_HOSTS=
# Google Login Provider (optional) # Google Login Provider (optional)
# #
# For in-depth steps on setting up a Google Login Provider, see: # For in-depth steps on setting up a Google Login Provider, see:
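Review bot: The new comment describes `SAFE_HOSTS` as "The hostname" in the form `domain.com`, but `host_is_valid` in application_controller.rb splits the value on commas and turns `*` into a wildcard, so the sample understates what the variable accepts and a deployer will not know a list or a wildcard is allowed. Suggest `# Comma-separated list of hostnames the application may be served from, e.g. "domain.com,*.domain.com"` in place of the current wording. It is also worth stating that the check only runs when RAILS_ENV is production and that every request raises there if the value is left empty, since both behaviors follow directly from `block_unknown_hosts`.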