Proposal for not requiring changing trustOrigin

2024-10-27 20:44:07 +00:00 · 2024-04-02 18:43:13 +02:00 · 2024-04-02 18:43:13 +02:00 · 1530953c3e
commit 1530953c3e
parent afa7aa2e6b
3 changed files with 10 additions and 11 deletions
--- a/app/common/gristUrls.ts
+++ b/app/common/gristUrls.ts
@ -196,13 +196,12 @@ export function hostMatchesUrl(host?: string, url?: string) {
 *
 * @param {string?} host The host to check
 */
-export function isOwnInternalUrlHost(host?: string) {
-  if (process.env.APP_HOME_INTERNAL_URL) {
-    return hostMatchesUrl(host, process.env.APP_HOME_INTERNAL_URL);
-  } else if (process.env.APP_DOC_INTERNAL_URL) {
-    return hostMatchesUrl(host, process.env.APP_DOC_INTERNAL_URL);
+function isOwnInternalUrlHost(host?: string) {
+  // Note: APP_HOME_INTERNAL_URL may also defined in doc worker as well as in Home worker
+  if (process.env.APP_HOME_INTERNAL_URL && hostMatchesUrl(host, process.env.APP_HOME_INTERNAL_URL)) {
+    return true;
  }
-  return false;
+  return Boolean(process.env.APP_DOC_INTERNAL_URL) && hostMatchesUrl(host, process.env.APP_DOC_INTERNAL_URL);
 }

 /**
--- a/app/server/lib/Authorizer.ts
+++ b/app/server/lib/Authorizer.ts
@ -685,6 +685,9 @@ export function getTransitiveHeaders(req: Request): {[key: string]: string} {
  const XRequestedWith = req.get('X-Requested-With');
  const Origin = req.get('Origin');  // Pass along the original Origin since it may
                                     // play a role in granular access control.
+  const Host = req.get('Host');      // Also pass along the original Host, as we need it since
+                                     // the destination compares that with the Origin header.
+
  const result: Record<string, string> = {
    ...(Authorization ? { Authorization } : undefined),
    ...(Cookie ? { Cookie } : undefined),
@ -692,6 +695,7 @@ export function getTransitiveHeaders(req: Request): {[key: string]: string} {
    ...(PermitHeader ? { Permit: PermitHeader } : undefined),
    ...(XRequestedWith ? { 'X-Requested-With': XRequestedWith } : undefined),
    ...(Origin ? { Origin } : undefined),
+    ...(Host ? { Host } : undefined),
  };
  const extraHeader = process.env.GRIST_FORWARD_AUTH_HEADER;
  const extraHeaderValue = extraHeader && req.get(extraHeader);
--- a/app/server/lib/requestUtils.ts
+++ b/app/server/lib/requestUtils.ts
@ -1,7 +1,5 @@
 import {ApiError} from 'app/common/ApiError';
-import {
-  DEFAULT_HOME_SUBDOMAIN, isOrgInPathOnly, isOwnInternalUrlHost, parseSubdomain, sanitizePathTail
-} from 'app/common/gristUrls';
+import { DEFAULT_HOME_SUBDOMAIN, isOrgInPathOnly, parseSubdomain, sanitizePathTail } from 'app/common/gristUrls';
 import * as gutil from 'app/common/gutil';
 import {DocScope, QueryResult, Scope} from 'app/gen-server/lib/HomeDBManager';
 import {getUserId, RequestWithLogin} from 'app/server/lib/Authorizer';
@ -90,8 +88,6 @@ export function trustOrigin(req: IncomingMessage, resp?: Response): boolean {
  const origin = req.headers.origin;
  if (!origin) { return true; } // Not a CORS request.

-  if (isOwnInternalUrlHost(req.get('Host'))) { return true; }
-
  if (!allowHost(req, new URL(origin))) { return false; }

  if (resp) {