From f2dd8d8335e628ca21dee28ace112611788c2c66 Mon Sep 17 00:00:00 2001
From: Laura Hausmann
Date: Tue, 28 Mar 2023 23:46:47 +0200
Subject: [PATCH] Use string interpolation everywhere, harden host checks
---
 Backend/AuthHelpers.cs | 4 ++--
 Controllers/CookieProxyController.cs | 4 ++--
 Controllers/LogoutController.cs | 4 ++--
 Controllers/RedirectController.cs | 2 +-
 Controllers/VerifyController.cs | 2 +-
 Pages/Index.cshtml | 4 ++--
 6 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/Backend/AuthHelpers.cs b/Backend/AuthHelpers.cs
index c126bb4..14c0f90 100644
--- a/Backend/AuthHelpers.cs
+++ b/Backend/AuthHelpers.cs
@@ -19,7 +19,7 @@ public class AuthHelpers {
 var client = new HttpClient();
 client.DefaultRequestHeaders.Add("cookie", $"authelia_session={HttpUtility.UrlDecode(cookie)}");
 client.DefaultRequestHeaders.Add("x-forwarded-proto", "https");
- client.DefaultRequestHeaders.Add("Host", Vars.AutheliaSubdomain + "." + Vars.UpstreamPrimaryDomain);
+ client.DefaultRequestHeaders.Add("Host", $"{Vars.AutheliaSubdomain}.{Vars.UpstreamPrimaryDomain}");
 var response = client.GetAsync($"http://127.0.0.1:9091/api/verify");
 return response.Result;
 }
@@ -32,7 +32,7 @@ public class AuthHelpers {
 client.DefaultRequestHeaders.Add(header.Key, (IEnumerable)header.Value);
 }
- client.DefaultRequestHeaders.Host = headers["Host"] + ".amdp." + Vars.UpstreamPrimaryDomain;
+ client.DefaultRequestHeaders.Host = $"{headers["Host"]}.amdp.{Vars.UpstreamPrimaryDomain}";
 if (!string.IsNullOrWhiteSpace(cookie)) client.DefaultRequestHeaders.Add("cookie", $"authelia_session={HttpUtility.UrlDecode(cookie)}");
diff --git a/Controllers/CookieProxyController.cs b/Controllers/CookieProxyController.cs
index 369c30e..588b1de 100644
--- a/Controllers/CookieProxyController.cs
+++ b/Controllers/CookieProxyController.cs
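Review bot: The context around the rewritten Host header still creates a new HttpClient on every call and then blocks on `response.Result`; for a helper that runs on each verify request this risks socket exhaustion and thread-pool starvation. A single shared client cannot take these per-call `DefaultRequestHeaders` mutations, so the headers belong on an `HttpRequestMessage` and the method should await the send; the method's signature is outside the hunk, so making it async touches lines not shown here. The `$` prefix on `"http://127.0.0.1:9091/api/verify"` has no interpolation holes and can be dropped, which also fits the commit's theme.
```csharp
private static readonly HttpClient s_client = new();
// … unchanged: method signature and cookie parameter …
using var request = new HttpRequestMessage(HttpMethod.Get, "http://127.0.0.1:9091/api/verify");
request.Headers.Add("cookie", $"authelia_session={HttpUtility.UrlDecode(cookie)}");
request.Headers.Add("x-forwarded-proto", "https");
request.Headers.Host = $"{Vars.AutheliaSubdomain}.{Vars.UpstreamPrimaryDomain}";
return await s_client.SendAsync(request);
```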
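Review bot: In the second hunk the new upstream Host value embeds `headers["Host"]`, which comes from the inbound request, so part of the upstream Host header is caller-controlled (including any `:port` suffix a Host header may carry). Whether the callers of this helper already validate that value is not visible from the hunk; if they do not, reject anything that is not a plain DNS name before the assignment, e.g. `if (Uri.CheckHostName(headers["Host"]) != UriHostNameType.Dns) throw new ArgumentException("Invalid Host header", nameof(headers));`. The loop above that copies all request headers is cut off at the top of the hunk, so it is also unclear whether the raw Host is forwarded before being overridden.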
@@ -12,7 +12,7 @@ public class CookieProxyController : Controller {
 [Route("/api/cookieproxy_stage_one")]
 public IActionResult StageOne([FromQuery] string dstDomain, [FromQuery] string tgt) {
 // Check if we are on the correct domain
- if (Request.Host.Host != Vars.AuthProxySubdomain + "." + Vars.UpstreamPrimaryDomain)
+ if (Request.Host.Host != $"{Vars.AuthProxySubdomain}.{Vars.UpstreamPrimaryDomain}")
 return StatusCode(StatusCodes.Status421MisdirectedRequest);
 if (!Request.Cookies.ContainsKey("authelia_session")
@@ -34,7 +34,7 @@ public class CookieProxyController : Controller {
 [Route("/api/cookieproxy_stage_two")]
 public IActionResult StageTwo([FromQuery] string dstDomain, [FromQuery] string tgt, [FromForm] string cookie) {
 // Check if we are on an allowed domain
- if (!Request.Host.Host.StartsWith(Vars.AuthProxySubdomain + ".") || !Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith("." + p)))
+ if (Vars.PermittedDomains.All(p => Request.Host.Host != $"{Vars.AuthProxySubdomain}.{p}"))
 return StatusCode(StatusCodes.Status421MisdirectedRequest);
 if (string.IsNullOrWhiteSpace(dstDomain)
diff --git a/Controllers/LogoutController.cs b/Controllers/LogoutController.cs
index 2e99133..ab646aa 100644
--- a/Controllers/LogoutController.cs
+++ b/Controllers/LogoutController.cs
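Review bot: The new exact-match checks in StageOne and StageTwo compare `Request.Host.Host` with `!=`, which is ordinal and case-sensitive, while host names are case-insensitive; a request arriving as `Auth.Example.com` would get a 421 (fail-closed, but surprising to operators). The same pattern is introduced in LogoutController and Index.cshtml in this patch. Consider `if (!Vars.PermittedDomains.Any(p => string.Equals(Request.Host.Host, $"{Vars.AuthProxySubdomain}.{p}", StringComparison.OrdinalIgnoreCase)))`, which also reads as a positive allow-list instead of the `All(... !=)` double negative; since the check is now repeated in four places, one shared helper would keep it consistent. The remainder of both methods lies outside the hunks.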
@@ -10,13 +10,13 @@ public class LogoutController : Controller {
 [Produces("text/html")]
 public ActionResult Post([FromQuery] string rd) {
 // Check if we are on an allowed domain
- if (!Request.Host.Host.StartsWith(Vars.AuthProxySubdomain + ".") || !Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith("." + p)))
+ if (Vars.PermittedDomains.All(p => Request.Host.Host != $"{Vars.AuthProxySubdomain}.{p}"))
 return StatusCode(StatusCodes.Status421MisdirectedRequest);
 if (string.IsNullOrWhiteSpace(rd)) rd = "/";
- Response.Cookies.Delete(Vars.CookieName, new CookieOptions { Secure = true, SameSite = SameSiteMode.Lax, HttpOnly = true, Domain = Request.Host.Host.Replace(Vars.AuthProxySubdomain + ".", "")});
+ Response.Cookies.Delete(Vars.CookieName, new CookieOptions { Secure = true, SameSite = SameSiteMode.Lax, HttpOnly = true, Domain = Request.Host.Host.Replace($"{Vars.AuthProxySubdomain}.", "")});
 Response.ContentType = "text/html";
 Response.Redirect(rd);
 return Content($"Cookie cleared. Redirecting... Click here if you are not redirected automatically", "text/html");
diff --git a/Controllers/RedirectController.cs b/Controllers/RedirectController.cs
index 4a6652e..87c9ca0 100644
--- a/Controllers/RedirectController.cs
+++ b/Controllers/RedirectController.cs
@@ -9,7 +9,7 @@ namespace AutheliaMultiDomainProxy.Controllers;
 public class RedirectController : Controller {
 public IActionResult Get([FromQuery] string dstDomain, [FromQuery] string tgt) {
 // Check if we are on an allowed domain
- if (!Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith("." + p))) {
+ if (!Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith($".{p}"))) {
 Response.StatusCode = 421;
 return StatusCode(StatusCodes.Status421MisdirectedRequest);
 }
diff --git a/Controllers/VerifyController.cs b/Controllers/VerifyController.cs
index dad4470..be4b0fc 100644
--- a/Controllers/VerifyController.cs
+++ b/Controllers/VerifyController.cs
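Review bot: The cookie `Domain` on the rewritten Delete line is derived with `Replace($"{Vars.AuthProxySubdomain}.", "")`, which strips every occurrence of that prefix anywhere in the host, not only the leading one; if a permitted domain itself begins with the same label (subdomain `auth` with domain `auth.example.com`, as a constructed example) the deletion targets the wrong domain and the session cookie survives logout. The host check just above already identifies the matching entry, so reuse it: `var domain = Vars.PermittedDomains.FirstOrDefault(p => Request.Host.Host == $"{Vars.AuthProxySubdomain}.{p}");`, `if (domain is null) return StatusCode(StatusCodes.Status421MisdirectedRequest);`, then `Domain = domain` in the CookieOptions. Separately, `Response.Redirect(rd)` forwards the query-supplied `rd` unchecked; restricting it with `Url.IsLocalUrl(rd)` (or to the permitted domains) would close an open redirect after logout. The `return Content(...)` HTML appears stripped in this rendering, so its markup was not reviewed.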
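Review bot: Despite the subject's "harden host checks", the RedirectController check (and the identical one in VerifyController) still accepts any host that merely ends with `.{p}`, unlike the exact `{AuthProxySubdomain}.{p}` comparison introduced in the other controllers; if these endpoints are meant to be reachable from arbitrary subdomains of a permitted domain, a comment stating that intent would stop the next reader from tightening it by mistake. `EndsWith` without a comparison argument is culture-sensitive; use `Request.Host.Host.EndsWith($".{p}", StringComparison.OrdinalIgnoreCase)`. The `Response.StatusCode = 421;` line before `return StatusCode(StatusCodes.Status421MisdirectedRequest);` is redundant, as the result sets the status itself.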
@@ -8,7 +8,7 @@ namespace AutheliaMultiDomainProxy.Controllers;
 public class VerifyController : Controller {
 public string Get() {
 // Check if we are on an allowed domain
- if (!Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith("." + p))) {
+ if (!Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith($".{p}"))) {
 Response.StatusCode = 421;
 return "421 Misdirected Request";
 }
diff --git a/Pages/Index.cshtml b/Pages/Index.cshtml
index 0881bb4..78b4ad1 100644
--- a/Pages/Index.cshtml
+++ b/Pages/Index.cshtml
@@ -4,7 +4,7 @@
 @model IndexModel
 @{
 // Check if we are on an allowed domain
- if (!Request.Host.Host.StartsWith(Vars.AuthProxySubdomain + ".") || !Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith("." + p))) {
+ if (Vars.PermittedDomains.All(p => Request.Host.Host != $"{Vars.AuthProxySubdomain}.{p}"))
 Layout = null;
 Response.Clear();
 Response.StatusCode = StatusCodes.Status421MisdirectedRequest;
@@ -32,6 +32,6 @@ } else {
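Review bot: As printed, the new `if` line in the first Index.cshtml hunk no longer ends with `{`, unlike the line it replaces, so only `Layout = null;` is conditional while `Response.Clear()` and the 421 status would run for every request, and the brace that closed the block further down is left unmatched. If this is not a rendering artifact, restore the brace: `if (Vars.PermittedDomains.All(p => Request.Host.Host != $"{Vars.AuthProxySubdomain}.{p}")) {`. The rest of the Razor block is outside the hunk.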

You are currently not authenticated

- Log in + Log in }