From 1530953c3e072b708710b1e4ae439bc08c793a50 Mon Sep 17 00:00:00 2001
From: fflorent
Date: Tue, 2 Apr 2024 18:43:13 +0200
Subject: [PATCH] Proposal for not requiring changing trustOrigin
---
 app/common/gristUrls.ts | 11 +++++------
 app/server/lib/Authorizer.ts | 4 ++++
 app/server/lib/requestUtils.ts | 6 +-----
 3 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/app/common/gristUrls.ts b/app/common/gristUrls.ts
index deb3bfc9..cdd2b5c3 100644
--- a/app/common/gristUrls.ts
+++ b/app/common/gristUrls.ts
@@ -196,13 +196,12 @@ export function hostMatchesUrl(host?: string, url?: string) {
 *
 * @param {string?} host The host to check
 */
-export function isOwnInternalUrlHost(host?: string) {
- if (process.env.APP_HOME_INTERNAL_URL) {
- return hostMatchesUrl(host, process.env.APP_HOME_INTERNAL_URL);
- } else if (process.env.APP_DOC_INTERNAL_URL) {
- return hostMatchesUrl(host, process.env.APP_DOC_INTERNAL_URL);
+function isOwnInternalUrlHost(host?: string) {
+ // Note: APP_HOME_INTERNAL_URL may also defined in doc worker as well as in Home worker
+ if (process.env.APP_HOME_INTERNAL_URL && hostMatchesUrl(host, process.env.APP_HOME_INTERNAL_URL)) {
+ return true;
 }
- return false;
+ return Boolean(process.env.APP_DOC_INTERNAL_URL) && hostMatchesUrl(host, process.env.APP_DOC_INTERNAL_URL);
 }
 /**
diff --git a/app/server/lib/Authorizer.ts b/app/server/lib/Authorizer.ts
index 761e76f2..2ad7d134 100644
--- a/app/server/lib/Authorizer.ts
+++ b/app/server/lib/Authorizer.ts
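Review bot: The note added at the top of the new `isOwnInternalUrlHost` body has a grammar slip (`may also defined`), and dropping `export` while this same patch removes the only visible importer (requestUtils.ts) leaves the function unreferenced unless something else in gristUrls.ts still calls it; if nothing does, deleting it is cleaner than keeping an unexported helper whose result no longer feeds the origin check. If it is kept, the comment should state the reason for the new fall-through, which is the behavioural change in this hunk: `// Note: APP_HOME_INTERNAL_URL may also be defined in a doc worker, so fall through to APP_DOC_INTERNAL_URL when it does not match.` The doc comment above the signature (the `@param` block in the context lines) still describes the function as if it were part of the module's public surface, so it is worth revisiting in the same pass.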
@@ -685,6 +685,9 @@ export function getTransitiveHeaders(req: Request): {[key: string]: string} {
 const XRequestedWith = req.get('X-Requested-With');
 const Origin = req.get('Origin'); // Pass along the original Origin since it may
 // play a role in granular access control.
+ const Host = req.get('Host'); // Also pass along the original Host, as we need it since
+ // the destination compares that with the Origin header.
+
 const result: Record = {
 ...(Authorization ? { Authorization } : undefined),
 ...(Cookie ? { Cookie } : undefined),
@@ -692,6 +695,7 @@ export function getTransitiveHeaders(req: Request): {[key: string]: string} {
 ...(PermitHeader ? { Permit: PermitHeader } : undefined),
 ...(XRequestedWith ? { 'X-Requested-With': XRequestedWith } : undefined),
 ...(Origin ? { Origin } : undefined),
+ ...(Host ? { Host } : undefined),
 };
 const extraHeader = process.env.GRIST_FORWARD_AUTH_HEADER;
 const extraHeaderValue = extraHeader && req.get(extraHeader);
diff --git a/app/server/lib/requestUtils.ts b/app/server/lib/requestUtils.ts
index 8216830b..fae7ec71 100644
--- a/app/server/lib/requestUtils.ts
+++ b/app/server/lib/requestUtils.ts
@@ -1,7 +1,5 @@
 import {ApiError} from 'app/common/ApiError';
-import {
- DEFAULT_HOME_SUBDOMAIN, isOrgInPathOnly, isOwnInternalUrlHost, parseSubdomain, sanitizePathTail
-} from 'app/common/gristUrls';
+import { DEFAULT_HOME_SUBDOMAIN, isOrgInPathOnly, parseSubdomain, sanitizePathTail } from 'app/common/gristUrls';
 import * as gutil from 'app/common/gutil';
 import {DocScope, QueryResult, Scope} from 'app/gen-server/lib/HomeDBManager';
 import {getUserId, RequestWithLogin} from 'app/server/lib/Authorizer';
@@ -90,8 +88,6 @@ export function trustOrigin(req: IncomingMessage, resp?: Response): boolean {
 const origin = req.headers.origin;
 if (!origin) { return true; } // Not a CORS request.
- if (isOwnInternalUrlHost(req.get('Host'))) { return true; }
-
 if (!allowHost(req, new URL(origin))) { return false; }
 if (resp) {
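Review bot: Forwarding the client's `Host` on the internal hop deserves a comment that names its consequence: an explicit `Host` header replaces the one the HTTP client would derive from the APP_*_INTERNAL_URL target, so any host-based routing or virtual-host configuration sitting between workers will now see the public hostname instead of the internal one, and whether that is safe depends on the deployment (the outbound call is not visible from here). The value also originates with the external client; presumably the sending server has already run the same Origin/Host comparison in `trustOrigin` before forwarding, which is what makes re-using it at the destination acceptable, and that reasoning belongs in the comment. I would extend the new comment to `// the destination compares that with the Origin header. This overrides the Host the client library would set from the internal URL, so anything routing between workers must not depend on the internal hostname.` Separately, `const result: Record = {` shows no type arguments in this rendering; if the source still reads `Record<string, string>` there is nothing to do, otherwise it will not type-check.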
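Review bot: With the `isOwnInternalUrlHost` shortcut removed from `trustOrigin`, a request arriving over an internal URL with an `Origin` header is now accepted only if its `Host` satisfies `allowHost`; the Authorizer.ts change covers hops built with `getTransitiveHeaders`, but any other internal caller that sets `Origin` without also forwarding the public `Host` would now be rejected, which is worth confirming against the remaining internal clients (not visible from here). The removal itself is a tightening, since the old line trusted any request whose Host matched the internal URL regardless of Origin, and the reason it is now safe to drop should be recorded where the line was: `// Internal worker-to-worker requests forward the client's Host (see getTransitiveHeaders), so the Origin/Host comparison below covers them too; there is no longer a bypass for the internal URL host.` trustOrigin's body continues past the end of the hunk.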