[release] v0.4.0-unstable

2023-05-04 18:41:54 +01:00 · 2023-05-04 18:41:54 +01:00 · efab134d73
parent dba97aca00
commit efab134d73
4 changed files with 28 additions and 2 deletions
--- a/changelog.md
+++ b/changelog.md
@ -1,3 +1,6 @@
+## Version 0.4.0
+ - Protect server against direct IP access
+
 ## Version 0.3.0
 - Implement 2 FA
 - Implement SMTP to Send Email (password reset / invites)
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "cosmos-server",
-  "version": "0.3.5",
+  "version": "0.4.0-unstable",
  "description": "",
  "main": "test-server.js",
  "bugs": {
--- a/src/httpServer.go
+++ b/src/httpServer.go
@ -150,6 +150,7 @@ func StartServer() {
 	HTTPConfig := config.HTTPConfig
 	serverPortHTTP = HTTPConfig.HTTPPort
 	serverPortHTTPS = HTTPConfig.HTTPSPort
+	serverHostname := HTTPConfig.Hostname

 	var tlsCert = HTTPConfig.TLSCert
 	var tlsKey= HTTPConfig.TLSKey
@ -222,6 +223,7 @@ func StartServer() {
 	srapi.HandleFunc("/api/servapps/{containerId}/secure/{status}", docker.SecureContainerRoute)
 	srapi.HandleFunc("/api/servapps", docker.ContainersRoute)

+	srapi.Use(utils.EnsureHostname(serverHostname))
 	srapi.Use(tokenMiddleware)
 	srapi.Use(proxy.SmartShieldMiddleware(
 		utils.SmartShieldPolicy{
@ -250,7 +252,7 @@ func StartServer() {
 	}

 	fs  := spa.SpaHandler(pwd + "/static", "index.html")
-	router.PathPrefix("/ui").Handler(http.StripPrefix("/ui", fs))
+	router.PathPrefix("/ui").Handler(utils.EnsureHostname(serverHostname)(http.StripPrefix("/ui", fs)))

 	router = proxy.BuildFromConfig(router, HTTPConfig.ProxyConfig)
 	
--- a/src/utils/utils.go
+++ b/src/utils/utils.go
@ -230,6 +230,27 @@ func GetConfigFileName() string {
 	return configFile
 }

+func EnsureHostname(hostname string) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			Debug("Request requested resource from : " + r.Host)
+			port := ""
+			if (IsHTTPS && MainConfig.HTTPConfig.HTTPSPort != "443") {
+				port = ":" + MainConfig.HTTPConfig.HTTPSPort
+			} else if (!IsHTTPS && MainConfig.HTTPConfig.HTTPPort != "80") {
+				port = ":" + MainConfig.HTTPConfig.HTTPPort
+			}
+			if r.Host != hostname + port {
+				Error("Invalid Hostname " + r.Host + "for request. Expecting " + hostname, nil)
+				w.WriteHeader(http.StatusBadRequest)
+				fmt.Fprint(w, "Bad Request.")
+				return
+			}
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
 func CreateDefaultConfigFileIfNecessary() bool {
 	configFile := GetConfigFileName()