Proposal for not requiring changing trustOrigin

This commit is contained in:
fflorent 2024-04-02 18:43:13 +02:00
parent afa7aa2e6b
commit 1530953c3e
3 changed files with 10 additions and 11 deletions


@ -196,13 +196,12 @@ export function hostMatchesUrl(host?: string, url?: string) {
* *
* @param {string?} host The host to check * @param {string?} host The host to check
*/ */
export function isOwnInternalUrlHost(host?: string) { function isOwnInternalUrlHost(host?: string) {
if (process.env.APP_HOME_INTERNAL_URL) { // Note: APP_HOME_INTERNAL_URL may also defined in doc worker as well as in Home worker
return hostMatchesUrl(host, process.env.APP_HOME_INTERNAL_URL); if (process.env.APP_HOME_INTERNAL_URL && hostMatchesUrl(host, process.env.APP_HOME_INTERNAL_URL)) {
} else if (process.env.APP_DOC_INTERNAL_URL) { return true;
return hostMatchesUrl(host, process.env.APP_DOC_INTERNAL_URL);
} }
return false; return Boolean(process.env.APP_DOC_INTERNAL_URL) && hostMatchesUrl(host, process.env.APP_DOC_INTERNAL_URL);
} }
/** /**
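Review bot: The new comment `// Note: APP_HOME_INTERNAL_URL may also defined in doc worker as well as in Home worker` is missing "be" and describes the deployment rather than the behavioural change, which is that a Host matching either internal URL is now accepted, whereas the old code ignored APP_DOC_INTERNAL_URL whenever APP_HOME_INTERNAL_URL was set. Suggest `// Note: a doc worker may have both variables set (APP_HOME_INTERNAL_URL as well as APP_DOC_INTERNAL_URL), so match the host against either.` This commit also drops the `export` and removes the only caller visible in the diff (trustOrigin), so if nothing else in gristUrls.ts calls isOwnInternalUrlHost it is now dead code and will fail a build with noUnusedLocals; either delete it or say in the JSDoc who still uses it.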


@ -685,6 +685,9 @@ export function getTransitiveHeaders(req: Request): {[key: string]: string} {
const XRequestedWith = req.get('X-Requested-With'); const XRequestedWith = req.get('X-Requested-With');
const Origin = req.get('Origin'); // Pass along the original Origin since it may const Origin = req.get('Origin'); // Pass along the original Origin since it may
// play a role in granular access control. // play a role in granular access control.
const Host = req.get('Host'); // Also pass along the original Host, as we need it since
// the destination compares that with the Origin header.
const result: Record<string, string> = { const result: Record<string, string> = {
...(Authorization ? { Authorization } : undefined), ...(Authorization ? { Authorization } : undefined),
...(Cookie ? { Cookie } : undefined), ...(Cookie ? { Cookie } : undefined),
@ -692,6 +695,7 @@ export function getTransitiveHeaders(req: Request): {[key: string]: string} {
...(PermitHeader ? { Permit: PermitHeader } : undefined), ...(PermitHeader ? { Permit: PermitHeader } : undefined),
...(XRequestedWith ? { 'X-Requested-With': XRequestedWith } : undefined), ...(XRequestedWith ? { 'X-Requested-With': XRequestedWith } : undefined),
...(Origin ? { Origin } : undefined), ...(Origin ? { Origin } : undefined),
...(Host ? { Host } : undefined),
}; };
const extraHeader = process.env.GRIST_FORWARD_AUTH_HEADER; const extraHeader = process.env.GRIST_FORWARD_AUTH_HEADER;
const extraHeaderValue = extraHeader && req.get(extraHeader); const extraHeaderValue = extraHeader && req.get(extraHeader);
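Review bot: The value forwarded at `const Host = req.get('Host')` is the client-supplied header as received by this process, so the destination will compare an attacker-controllable Host with Origin; that is no weaker than what it already does for direct requests, but it does mean any Host normalisation a front proxy performs is not repeated on the internal hop, and if this server sits behind a proxy that rewrites Host the forwarded value may not be the one the browser sent (X-Forwarded-Host would be). Setting `Host` explicitly on an outbound request is also not honoured by every HTTP client (the Fetch standard lists it as a forbidden header), so it is worth a test that the doc worker actually observes the forwarded value rather than the internal URL's host. The comment should state the trust boundary, e.g. `// Also pass along the original Host: the destination's trustOrigin() compares it with Origin. This is the client-supplied value as received here, not a trusted one.` getTransitiveHeaders starts before this hunk.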


@ -1,7 +1,5 @@
import {ApiError} from 'app/common/ApiError'; import {ApiError} from 'app/common/ApiError';
import { import { DEFAULT_HOME_SUBDOMAIN, isOrgInPathOnly, parseSubdomain, sanitizePathTail } from 'app/common/gristUrls';
DEFAULT_HOME_SUBDOMAIN, isOrgInPathOnly, isOwnInternalUrlHost, parseSubdomain, sanitizePathTail
} from 'app/common/gristUrls';
import * as gutil from 'app/common/gutil'; import * as gutil from 'app/common/gutil';
import {DocScope, QueryResult, Scope} from 'app/gen-server/lib/HomeDBManager'; import {DocScope, QueryResult, Scope} from 'app/gen-server/lib/HomeDBManager';
import {getUserId, RequestWithLogin} from 'app/server/lib/Authorizer'; import {getUserId, RequestWithLogin} from 'app/server/lib/Authorizer';
@ -90,8 +88,6 @@ export function trustOrigin(req: IncomingMessage, resp?: Response): boolean {
const origin = req.headers.origin; const origin = req.headers.origin;
if (!origin) { return true; } // Not a CORS request. if (!origin) { return true; } // Not a CORS request.
if (isOwnInternalUrlHost(req.get('Host'))) { return true; }
if (!allowHost(req, new URL(origin))) { return false; } if (!allowHost(req, new URL(origin))) { return false; }
if (resp) { if (resp) {