Added ui.public_remote_enabled and ui.public_remote_hosts

2020-09-08 08:39:18 +00:00 · 2020-09-08 08:39:18 +00:00 · 2ce5f48c90
parent 17ef138c21
commit 2ce5f48c90
3 changed files with 32 additions and 6 deletions
--- a/src/httpapi/security/client.py
+++ b/src/httpapi/security/client.py
@ -4,9 +4,13 @@ Process incoming requests to the client api server to validate
 that they are legitimate and not DNSR/XSRF or other local adversary
 """
 import hmac
+
 from flask import Blueprint, request, abort, g
+
 from onionrservices import httpheaders
 from . import pluginwhitelist
+import config
+import logger
 """
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@ -31,6 +35,11 @@ whitelist_endpoints = [
    'siteapi.siteFile', 'staticfiles.onionrhome',
    'themes.getTheme', 'staticfiles.onboarding', 'staticfiles.onboardingIndex']

+remote_safe_whitelist = ['www', 'staticfiles']
+
+public_remote_enabled = config.get('ui.public_remote_enabled', False)
+public_remote_hostnames = config.get('ui.public_remote_hosts', [])
+

 class ClientAPISecurity:
    def __init__(self, client_api):
@ -42,10 +51,23 @@ class ClientAPISecurity:

        @client_api_security_bp.before_app_request
        def validate_request():
-            """Validate request has set password and is the correct hostname"""
+            """Validate request has set password & is the correct hostname."""
            # For the purpose of preventing DNS rebinding attacks
-            if request.host != '%s:%s' % (client_api.host, client_api.bindPort):
-                abort(403)
+            localhost = True
+            if request.host != '%s:%s' % \
+                    (client_api.host, client_api.bindPort):
+                localhost = False
+
+            if not localhost and public_remote_enabled:
+                if request.host not in public_remote_hostnames:
+                    logger.warn(
+                        f'{request.host} not in {public_remote_hostnames}')
+                    abort(403)
+            else:
+                if not localhost:
+                    logger.warn(
+                        f'Possible DNS rebinding attack by {request.host}')
+                    abort(403)

            # Add shared objects
            try:
@ -53,11 +75,13 @@ class ClientAPISecurity:
            except KeyError:
                g.too_many = None

-            if request.endpoint in whitelist_endpoints:
-                return
+            # Static files for Onionr sites
            if request.path.startswith('/site/'):
                return

+            if request.endpoint in whitelist_endpoints:
+                return
+
            try:
                if not hmac.compare_digest(
                        request.headers['token'], client_api.clientToken):
--- a/static-data/default_config.json
+++ b/static-data/default_config.json
@ -73,6 +73,8 @@
    },
    "ui": {
        "animated_background": true,
+        "public_remote_enabled": false,
+        "public_remote_hosts": [],
        "theme": "dark"
    }
 }