From f47d68ea18d1955d5c947a23c5a4a5a649bbd104 Mon Sep 17 00:00:00 2001 From: Ahmad Farhat Date: Fri, 8 May 2020 15:25:24 -0400 Subject: [PATCH] GRN2-xx: Allow SAFE_HOSTS to be left blank (#1545) * Allow SAFE_HOSTS to be left blank * a different approach Co-authored-by: jfederico --- app/controllers/application_controller.rb | 16 ++-------------- config/environments/production.rb | 2 ++ 2 files changed, 4 insertions(+), 14 deletions(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index f7ec7b81..9df61370 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -48,9 +48,8 @@ class ApplicationController < ActionController::Base # Block unknown hosts to mitigate host header injection attacks def block_unknown_hosts return unless Rails.env.production? - valid_hosts = ENV["SAFE_HOSTS"] - return raise UnsafeHostError, "SAFE_HOSTS not set in .env" if valid_hosts.blank? - raise UnsafeHostError, "#{request.host} is not a safe host" unless host_is_valid(valid_hosts) + return if config.hosts.blank? + raise UnsafeHostError, "#{request.host} is not a safe host" unless config.hosts.include?(request.host) end # Force SSL @@ -261,15 +260,4 @@ class ApplicationController < ActionController::Base end end end - - def host_is_valid(hosts) - hosts.split(",").each do |url| - # convert to regex - reg_url = url.gsub(".", "\\.") - sub_url = reg_url.gsub("*", ".{1,}") - - return true if request.host.match(sub_url) - end - false - end end diff --git a/config/environments/production.rb b/config/environments/production.rb index 4396a57b..b47d2ed8 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -155,4 +155,6 @@ Rails.application.configure do # Set the relative url root for deployment to a subdirectory. config.relative_url_root = ENV['RELATIVE_URL_ROOT'] || "/b" if ENV['RELATIVE_URL_ROOT'] != "/" + + config.hosts = ENV['SAFE_HOSTS'].presence || nil end