Removed ALLOWED_HOSTS support as it requires 'netaddr' which doesn't support Python 3.5

pull/37/head
Akshay Joshi 2020-11-05 12:43:11 +05:30
parent 2793747d3c
commit 9e2127b2a5
4 changed files with 1 additions and 45 deletions


@ -81,8 +81,7 @@ RUN apk add --no-cache \
flask_gravatar \
flask_migrate \
simplejson \
cryptography \
netaddr
cryptography
# Copy the docs from the local tree. Explicitly remove any existing builds that
# may be present


@ -41,5 +41,4 @@ Flask-Security-Too>=3.0.0
bcrypt<=3.1.7
cryptography<=3.0
sshtunnel>=0.1.5
netaddr==0.8.0
ldap3>=2.5.1


@ -143,17 +143,6 @@ DEFAULT_SERVER = '127.0.0.1'
# environment by the runtime
DEFAULT_SERVER_PORT = 5050
# This param is used to validate ALLOWED_HOSTS for the application
# This will be used to avoid Host Header Injection attack
# For how to set ALLOWED_HOSTS see netaddr library
# For more details https://netaddr.readthedocs.io/en/latest/tutorial_03.html
# e.g. ALLOWED_HOSTS = ['192.0.2.0/28', '::192.0.2.0/124']
# ALLOWED_HOSTS = ['225.0.0.0/8', '226.0.0.0/7', '228.0.0.0/6']
# ALLOWED_HOSTS = ['127.0.0.1', '192.168.0.1']
# if ALLOWED_HOSTS= [] then it will accept all ips (and application will be
# vulnerable to Host Header Injection attack)
ALLOWED_HOSTS = []
# This param is used to override the default web server information about
# the web technology and the frameworks being used in the application
# An attacker could use this information to fingerprint underlying operating


@ -26,7 +26,6 @@ from flask_mail import Mail
from flask_paranoid import Paranoid
from flask_security import Security, SQLAlchemyUserDatastore, current_user
from flask_security.utils import login_user, logout_user
from netaddr import IPSet
from werkzeug.datastructures import ImmutableDict
from werkzeug.local import LocalProxy
from werkzeug.utils import find_modules
@ -662,36 +661,6 @@ def create_app(app_name=None):
request.endpoint not in ('security.login', 'security.logout'):
logout_user()
@app.before_request
def limit_host_addr():
"""
This function validate the hosts from ALLOWED_HOSTS before allowing
HTTP request to avoid Host Header Injection attack
:return: None/JSON response with 403 HTTP status code
"""
client_host = str(request.host).split(':')[0]
valid = True
allowed_hosts = config.ALLOWED_HOSTS
if len(allowed_hosts) != 0:
regex = re.compile(
r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:/\d{1,2}|)')
# Create separate list for ip addresses and host names
ip_set = list(filter(lambda ip: regex.match(ip), allowed_hosts))
host_set = list(filter(lambda ip: not regex.match(ip),
allowed_hosts))
is_ip = regex.match(client_host)
if is_ip:
valid = IPSet(ip_set).__contains__(client_host)
else:
valid = host_set.__contains__(client_host)
if not valid:
return make_json_response(
status=403, success=0,
errormsg=_("403 FORBIDDEN")
)
@app.after_request
def after_request(response):
if 'key' in request.args:
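Review bot: Deleting `limit_host_addr` in the second hunk leaves the application with no Host-header validation at all, and nothing is added in its place, so the protection described by the `ALLOWED_HOSTS` comments removed in the config.py section is dropped rather than ported. The commit message gives netaddr's lack of Python 3.5 support as the only reason, but the stdlib `ipaddress` module covers the same CIDR membership test (`ipaddress.ip_address(client_host) in ipaddress.ip_network(entry, strict=False)`), so the setting and the handler could be kept with `import ipaddress` standing in for the `from netaddr import IPSet` line removed in the first hunk. That would also handle IPv6 entries such as the `'::192.0.2.0/124'` example from the deleted config comment, which the removed IPv4-only regex silently routed to the host-name comparison. A minimal dependency-free replacement for the handler is sketched below; `create_app` continues outside the hunk.
```python
@app.before_request
def limit_host_addr():
    """Reject requests whose Host header is not covered by config.ALLOWED_HOSTS."""
    client_host = str(request.host).split(':')[0]
    allowed_hosts = config.ALLOWED_HOSTS
    if not allowed_hosts:
        return None
    networks = []
    for entry in allowed_hosts:
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass  # plain host name entry; matched by string below
    try:
        addr = ipaddress.ip_address(client_host)
    except ValueError:
        valid = client_host in allowed_hosts
    else:
        valid = any(addr in net for net in networks)
    # … unchanged: 403 make_json_response when not valid …
```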