From 6b9b73236a1fde0b9ecf85e6f02a9cd868e57676 Mon Sep 17 00:00:00 2001 From: Sam Date: Thu, 15 Nov 2018 16:17:22 +1100 Subject: [PATCH] SECURITY: enforce hostname to match discourse hostname This ensures that the hostname rails uses for various helpers always matches the Discourse hostname # Conflicts: # config/application.rb # spec/requests/application_controller_spec.rb --- config/application.rb | 2 ++ lib/middleware/enforce_hostname.rb | 20 ++++++++++++++++++++ spec/requests/application_controller_spec.rb | 14 ++++++++++++++ 3 files changed, 36 insertions(+) create mode 100644 lib/middleware/enforce_hostname.rb diff --git a/config/application.rb b/config/application.rb index 90218a83eb1..8c76e55609f 100644 --- a/config/application.rb +++ b/config/application.rb @@ -186,6 +186,8 @@ module Discourse # supports etags (post 1.7) config.middleware.delete Rack::ETag + require 'middleware/enforce_hostname' + config.middleware.insert_after Rack::MethodOverride, Middleware::EnforceHostname require 'middleware/discourse_public_exceptions' config.exceptions_app = Middleware::DiscoursePublicExceptions.new(Rails.public_path) diff --git a/lib/middleware/enforce_hostname.rb b/lib/middleware/enforce_hostname.rb new file mode 100644 index 00000000000..130cabb87a9 --- /dev/null +++ b/lib/middleware/enforce_hostname.rb @@ -0,0 +1,20 @@ +# frozen_string_literal: true + +module Middleware + class EnforceHostname + def initialize(app, settings = nil) + @app = app + end + + def call(env) + # enforces hostname to match the hostname of our connection + # this middleware lives after rails multisite so at this point + # Discourse.current_hostname MUST be canonical, enforce it so + # all Rails helpers are guarenteed to use it unconditionally and + # never generate incorrect links + env[Rack::Request::HTTP_X_FORWARDED_HOST] = nil + env[Rack::HTTP_HOST] = Discourse.current_hostname + @app.call(env) + end + end +end diff --git a/spec/requests/application_controller_spec.rb b/spec/requests/application_controller_spec.rb index fb64f91b0b5..12a75006bc9 100644 --- a/spec/requests/application_controller_spec.rb +++ b/spec/requests/application_controller_spec.rb @@ -169,4 +169,18 @@ RSpec.describe ApplicationController do expect(controller.theme_ids).to eq([theme.id]) end end + + describe 'Custom hostname' do + + it 'does not allow arbitrary host injection' do + get("/latest", + headers: { + "X-Forwarded-Host" => "test123.com" + } + ) + + expect(response.body).not_to include("test123") + end + end + end