Removed ALLOWED_HOSTS support as it requires 'netaddr' which doesn't support Python 3.5
parent
2793747d3c
commit
9e2127b2a5
|
@ -81,8 +81,7 @@ RUN apk add --no-cache \
|
|||
flask_gravatar \
|
||||
flask_migrate \
|
||||
simplejson \
|
||||
cryptography \
|
||||
netaddr
|
||||
cryptography
|
||||
|
||||
# Copy the docs from the local tree. Explicitly remove any existing builds that
|
||||
# may be present
|
||||
|
|
|
@ -41,5 +41,4 @@ Flask-Security-Too>=3.0.0
|
|||
bcrypt<=3.1.7
|
||||
cryptography<=3.0
|
||||
sshtunnel>=0.1.5
|
||||
netaddr==0.8.0
|
||||
ldap3>=2.5.1
|
||||
|
|
|
@ -143,17 +143,6 @@ DEFAULT_SERVER = '127.0.0.1'
|
|||
# environment by the runtime
|
||||
DEFAULT_SERVER_PORT = 5050
|
||||
|
||||
# This param is used to validate ALLOWED_HOSTS for the application
|
||||
# This will be used to avoid Host Header Injection attack
|
||||
# For how to set ALLOWED_HOSTS see netaddr library
|
||||
# For more details https://netaddr.readthedocs.io/en/latest/tutorial_03.html
|
||||
# e.g. ALLOWED_HOSTS = ['192.0.2.0/28', '::192.0.2.0/124']
|
||||
# ALLOWED_HOSTS = ['225.0.0.0/8', '226.0.0.0/7', '228.0.0.0/6']
|
||||
# ALLOWED_HOSTS = ['127.0.0.1', '192.168.0.1']
|
||||
# if ALLOWED_HOSTS= [] then it will accept all ips (and application will be
|
||||
# vulnerable to Host Header Injection attack)
|
||||
ALLOWED_HOSTS = []
|
||||
|
||||
# This param is used to override the default web server information about
|
||||
# the web technology and the frameworks being used in the application
|
||||
# An attacker could use this information to fingerprint underlying operating
|
||||
|
|
|
@ -26,7 +26,6 @@ from flask_mail import Mail
|
|||
from flask_paranoid import Paranoid
|
||||
from flask_security import Security, SQLAlchemyUserDatastore, current_user
|
||||
from flask_security.utils import login_user, logout_user
|
||||
from netaddr import IPSet
|
||||
from werkzeug.datastructures import ImmutableDict
|
||||
from werkzeug.local import LocalProxy
|
||||
from werkzeug.utils import find_modules
|
||||
|
@ -662,36 +661,6 @@ def create_app(app_name=None):
|
|||
request.endpoint not in ('security.login', 'security.logout'):
|
||||
logout_user()
|
||||
|
||||
@app.before_request
|
||||
def limit_host_addr():
|
||||
"""
|
||||
This function validate the hosts from ALLOWED_HOSTS before allowing
|
||||
HTTP request to avoid Host Header Injection attack
|
||||
:return: None/JSON response with 403 HTTP status code
|
||||
"""
|
||||
client_host = str(request.host).split(':')[0]
|
||||
valid = True
|
||||
allowed_hosts = config.ALLOWED_HOSTS
|
||||
|
||||
if len(allowed_hosts) != 0:
|
||||
regex = re.compile(
|
||||
r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:/\d{1,2}|)')
|
||||
# Create separate list for ip addresses and host names
|
||||
ip_set = list(filter(lambda ip: regex.match(ip), allowed_hosts))
|
||||
host_set = list(filter(lambda ip: not regex.match(ip),
|
||||
allowed_hosts))
|
||||
is_ip = regex.match(client_host)
|
||||
if is_ip:
|
||||
valid = IPSet(ip_set).__contains__(client_host)
|
||||
else:
|
||||
valid = host_set.__contains__(client_host)
|
||||
|
||||
if not valid:
|
||||
return make_json_response(
|
||||
status=403, success=0,
|
||||
errormsg=_("403 FORBIDDEN")
|
||||
)
|
||||
|
||||
@app.after_request
|
||||
def after_request(response):
|
||||
if 'key' in request.args:
|
||||
|
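Review bot: The new side of create_app is left with no Host-header validation at all, because the whole `limit_host_addr` before_request hook is deleted instead of being reworked to drop the netaddr dependency; the standard-library `ipaddress` module (present on Python 3.5) covers the CIDR membership test that `IPSet` provided, so the check and the `ALLOWED_HOSTS` option could both stay. Since `ALLOWED_HOSTS` defaulted to `[]`, the check was only active when an operator opted in, so this removal takes away an available hardening rather than changing default behaviour. A replacement built on `ipaddress` would also handle IPv6 literals, which the removed IPv4-only regex did not. The import hunk would then swap `from netaddr import IPSet` for `import ipaddress`. create_app begins before this hunk and continues past it.
```python
    logout_user()

    @app.before_request
    def limit_host_addr():
        """Reject requests whose Host header is not in config.ALLOWED_HOSTS.

        An empty or missing ALLOWED_HOSTS keeps the previous behaviour
        (no filtering). Entries may be IP addresses, CIDR networks or
        plain host names; matching is exact for host names.
        """
        allowed_hosts = getattr(config, 'ALLOWED_HOSTS', None) or []
        if not allowed_hosts:
            return None

        host = request.host
        if host.startswith('['):
            # bracketed IPv6 literal, possibly followed by :port
            client_host = host[1:host.find(']')]
        else:
            client_host = host.rsplit(':', 1)[0]

        try:
            addr = ipaddress.ip_address(client_host)
        except ValueError:
            # Not an IP literal: compare as a host name.
            valid = client_host in allowed_hosts
        else:
            def _in_entry(entry):
                try:
                    return addr in ipaddress.ip_network(entry, strict=False)
                except ValueError:
                    return False  # entry is a host name, not a network
            valid = any(_in_entry(entry) for entry in allowed_hosts)

        if not valid:
            return make_json_response(
                status=403, success=0,
                errormsg=_("403 FORBIDDEN")
            )

    # … unchanged: after_request hook …
```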
|