Added ALLOWED_HOSTS support.

refs #5919
2020-11-09 12:35:19 +05:30 · 2020-11-09 12:35:19 +05:30 · 3a38f6b147
parent 1dca4313f7
commit 3a38f6b147
2 changed files with 44 additions and 0 deletions
--- a/web/config.py
+++ b/web/config.py
@ -183,6 +183,14 @@ X_CONTENT_TYPE_OPTIONS = "nosniff"
 # response contains the same data. e.g. '1; mode=block'
 X_XSS_PROTECTION = "1; mode=block"

+# This param is used to validate ALLOWED_HOSTS for the application
+# This will be used to avoid Host Header Injection attack
+# ALLOWED_HOSTS = ['225.0.0.0/8', '226.0.0.0/7', '228.0.0.0/6']
+# ALLOWED_HOSTS = ['127.0.0.1', '192.168.0.1']
+# if ALLOWED_HOSTS= [] then it will accept all ips (and application will be
+# vulnerable to Host Header Injection attack)
+ALLOWED_HOSTS = []
+
 # Hashing algorithm used for password storage
 SECURITY_PASSWORD_HASH = 'pbkdf2_sha512'

--- a/web/pgadmin/init.py
+++ b/web/pgadmin/init.py
@ -13,6 +13,7 @@ import logging
 import os
 import sys
 import re
+import ipaddress
 from types import MethodType
 from collections import defaultdict
 from importlib import import_module
@ -621,6 +622,41 @@ def create_app(app_name=None):
        app.register_blueprint(module)
        app.register_logout_hook(module)

+    @app.before_request
+    def limit_host_addr():
+        """
+        This function validate the hosts from ALLOWED_HOSTS before allowing
+        HTTP request to avoid Host Header Injection attack
+        :return: None/JSON response with 403 HTTP status code
+        """
+        client_host = str(request.host).split(':')[0]
+        valid = True
+        allowed_hosts = config.ALLOWED_HOSTS
+
+        if len(allowed_hosts) != 0:
+            regex = re.compile(
+                r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:/\d{1,2}|)')
+            # Create separate list for ip addresses and host names
+            ip_set = list(filter(lambda ip: regex.match(ip), allowed_hosts))
+            host_set = list(filter(lambda ip: not regex.match(ip),
+                                   allowed_hosts))
+            is_ip = regex.match(client_host)
+            if is_ip:
+                ip_address = []
+                for ip in ip_set:
+                    ip_address.extend(list(ipaddress.ip_network(ip)))
+                valid = ip_address.__contains__(
+                    ipaddress.ip_address(client_host)
+                )
+            else:
+                valid = host_set.__contains__(client_host)
+
+        if not valid:
+            return make_json_response(
+                status=403, success=0,
+                errormsg=_("403 FORBIDDEN")
+            )
+
    ##########################################################################
    # Handle the desktop login
    ##########################################################################