Harden security checks
This commit is contained in:
parent
b824fa58d3
commit
b280eeba23
|
@ -18,5 +18,5 @@ public class Vars {
|
|||
|
||||
public static readonly List<string> ResponseHeaders = new() { "remote-user", "remote-groups", "remote-name", "remote-email" };
|
||||
|
||||
public static readonly List<string> PermittedDstDomains = new() { "ztn.sh", "zotan.services" };
|
||||
public static readonly List<string> PermittedDomains = new() { "ztn.sh" };
|
||||
}
|
||||
|
|
|
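Review bot: `PermittedDomains` on the added line is exposed as a mutable `List<string>`, so any code with access to `Vars` can `Add`/`Remove` entries of a security allow-list at runtime, and `List<string>.Contains` is an ordinal case-sensitive match even though host names are case-insensitive. `public static readonly IReadOnlySet<string> PermittedDomains = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "ztn.sh" };` closes both gaps, and the `Contains` and `.Any(p => ...)` call sites in the other hunks keep compiling. The same applies to `ResponseHeaders` if it is ever used for membership tests. Judging by the controller hunks, `PermittedDstDomains` is the removed line and `PermittedDomains` the added one; the sides are inferred from the `-18,5 +18,5` header, not from surviving markers.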
@ -11,23 +11,31 @@ public class CookieProxyController : Controller {
|
|||
[Produces("text/html", "text/plain")]
|
||||
[Route("/api/cookieproxy_stage_one")]
|
||||
public IActionResult StageOne([FromQuery] string dstDomain, [FromQuery] string tgt) {
|
||||
// Check if we are on the correct domain
|
||||
if (Request.Host.Host != Vars.AuthProxySubdomain + Vars.UpstreamPrimaryDomain)
|
||||
return StatusCode(StatusCodes.Status421MisdirectedRequest);
|
||||
|
||||
if (!Request.Cookies.ContainsKey("authelia_session")
|
||||
|| string.IsNullOrWhiteSpace(dstDomain)
|
||||
|| !Vars.PermittedDstDomains.Contains(dstDomain)
|
||||
|| !Vars.PermittedDomains.Contains(dstDomain)
|
||||
|| string.IsNullOrWhiteSpace(tgt)) {
|
||||
return BadRequest("Bad request.");
|
||||
}
|
||||
|
||||
var targetUrl =
|
||||
$"https://{Vars.AuthProxySubdomain}.{dstDomain}/api/cookieproxy_stage_two?dstDomain={HttpUtility.UrlEncode(dstDomain)}&tgt={HttpUtility.UrlEncode(tgt)}";
|
||||
return Content($"Redirecting to cookie proxy (stage two) on the destination domain... <form method=\"POST\" action=\"{targetUrl}\"> <input type=\"hidden\" name=\"cookie\" value=\"{Request.Cookies["authelia_session"]}\"><button type=\"submit\">Click here</button> if you are not redirected automatically</form><script>document.querySelector(\"form\").submit();</script>", "text/html");
|
||||
return Content($"Redirecting to cookie proxy (stage two) on the destination domain... <form method=\"POST\" action=\"{targetUrl}\"> <input type=\"hidden\" name=\"cookie\" value=\"{HttpUtility.HtmlEncode(Request.Cookies["authelia_session"])}\"><button type=\"submit\">Click here</button> if you are not redirected automatically</form><script>document.querySelector(\"form\").submit();</script>", "text/html");
|
||||
}
|
||||
|
||||
[HttpPost]
|
||||
[Produces("text/html", "text/plain")]
|
||||
[Route("/api/cookieproxy_stage_two")]
|
||||
public IActionResult StageTwo([FromQuery] string dstDomain, [FromQuery] string tgt, [FromForm] string cookie) {
|
||||
if (string.IsNullOrWhiteSpace(dstDomain) || !Vars.PermittedDstDomains.Contains(dstDomain) || string.IsNullOrWhiteSpace(cookie) || string.IsNullOrWhiteSpace(tgt)) {
|
||||
// Check if we are on an allowed domain
|
||||
if (!Request.Host.Host.StartsWith(Vars.AuthProxySubdomain + ".") || !Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith("." + p)))
|
||||
return StatusCode(StatusCodes.Status421MisdirectedRequest);
|
||||
|
||||
if (string.IsNullOrWhiteSpace(dstDomain) || !Vars.PermittedDomains.Contains(dstDomain) || string.IsNullOrWhiteSpace(cookie) || string.IsNullOrWhiteSpace(tgt)) {
|
||||
return BadRequest("Bad request.");
|
||||
}
|
||||
|
||||
|
|
|
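Review bot: The StageOne host check `Request.Host.Host != Vars.AuthProxySubdomain + Vars.UpstreamPrimaryDomain` joins the two parts with no `.`, while the redirect URL a few lines below and the new StageTwo check both build `Vars.AuthProxySubdomain + "."`; unless `UpstreamPrimaryDomain` carries a leading dot, StageOne answers 421 on the very host it is meant to serve, so `Vars.AuthProxySubdomain + "." + Vars.UpstreamPrimaryDomain` looks like the intended form. In StageTwo, `!Vars.PermittedDomains.Contains(dstDomain)` checks the allow-list but does not tie `dstDomain` to the host the POST arrived on; if the rest of the method (outside the hunk) issues the forwarded cookie for `dstDomain`, also requiring `Request.Host.Host` to end with `"." + dstDomain` would stop a permitted-domain value being replayed on a different permitted host. Every host comparison in this commit (`!=`, `StartsWith`, `EndsWith`, `Contains`) is case-sensitive as written, and `StartsWith`/`EndsWith` without a `StringComparison` are culture-sensitive too; `Request.Host.Host.EndsWith("." + p, StringComparison.OrdinalIgnoreCase)` is the safe form, and the same applies to the LogoutController, VerifyController and Index.cshtml hunks. Since the `StartsWith(...) || !Vars.PermittedDomains.Any(...)` predicate is now repeated in four files, a single helper such as `Vars.IsPermittedAuthHost(string host)` would keep them from drifting. StageTwo's body continues outside the hunk.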
@ -9,6 +9,10 @@ public class LogoutController : Controller {
|
|||
[Route("/api/logout")]
|
||||
[Produces("text/html")]
|
||||
public ActionResult Post([FromQuery] string rd) {
|
||||
// Check if we are on an allowed domain
|
||||
if (!Request.Host.Host.StartsWith(Vars.AuthProxySubdomain + ".") || !Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith("." + p)))
|
||||
return StatusCode(StatusCodes.Status421MisdirectedRequest);
|
||||
|
||||
if (string.IsNullOrWhiteSpace(rd))
|
||||
rd = "/";
|
||||
|
||||
|
|
|
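Review bot: The new host guard validates where the logout request landed, but `rd` — apparently the post-logout redirect target, defaulted to `/` on the following lines — is not constrained anywhere in this hunk; if it feeds a `Redirect(rd)` further down (outside the hunk), an absolute URL pointing at an arbitrary host would be honoured. Restricting it to a local path with `if (!Url.IsLocalUrl(rd)) rd = "/";`, or to hosts under `Vars.PermittedDomains`, would match the hardening intent of the commit. The method body continues outside the hunk, so this is hedged on how `rd` is used there.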
@ -7,6 +7,12 @@ namespace AutheliaMultiDomainProxy.Controllers;
|
|||
[Route("/api/verify")]
|
||||
public class VerifyController : Controller {
|
||||
public string Get() {
|
||||
// Check if we are on an allowed domain
|
||||
if (!Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith("." + p))) {
|
||||
Response.StatusCode = 421;
|
||||
return "421 Misdirected Request";
|
||||
}
|
||||
|
||||
var upstreamResponse = AuthHelpers.MakeUpstreamAutheliaRequest(Request.Headers, Request.Cookies[Vars.CookieName]);
|
||||
|
||||
foreach (var header in upstreamResponse.Headers) {
|
||||
|
|
|
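Review bot: The added block sets `Response.StatusCode = 421;` as a bare literal while every other hunk in this commit uses `StatusCodes.Status421MisdirectedRequest`; using the constant here keeps the four checks consistent and greppable. This is also the only one of the four that omits the `StartsWith(Vars.AuthProxySubdomain + ".")` prefix test, which is presumably deliberate because `/api/verify` is called for any protected host rather than only the auth subdomain, but a one-line comment would stop a later reader from "fixing" it: `// Any host under a permitted domain may call verify, not only the auth subdomain`. The `Get` method continues outside the hunk.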
@ -3,7 +3,8 @@
|
|||
@using System.Web
|
||||
@model IndexModel
|
||||
@{
|
||||
if (!Request.Host.Value.StartsWith(Vars.AuthProxySubdomain + ".") && Request.Host.Host != "localhost") {
|
||||
// Check if we are on an allowed domain
|
||||
if (!Request.Host.Host.StartsWith(Vars.AuthProxySubdomain + ".") || !Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith("." + p))) {
|
||||
Layout = null;
|
||||
Response.Clear();
|
||||
Response.StatusCode = StatusCodes.Status421MisdirectedRequest;
|
||||
|
|
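Review bot: The rewritten condition drops the `Request.Host.Host != "localhost"` exemption the old line carried, so a local development run against `localhost` now receives 421 from the index page; if that is intended, record it in the added comment, e.g. `// Check if we are on an allowed domain (localhost is no longer exempt; use a permitted host for local development)`. The `@{` block and the 421 branch continue outside the hunk.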