Remove the GRIST_ALLOWED_HOSTS environment variable (#899)

This mostly reverts commit 49b1749e98.
This commit is contained in:
Jonathan Perret 2024-03-15 14:40:56 +01:00 committed by GitHub
parent 2cc48c3bfb
commit b054810fd1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 6 additions and 33 deletions

View File

@ -256,7 +256,6 @@ APP_STATIC_URL | url prefix for static resources
APP_STATIC_INCLUDE_CUSTOM_CSS | set to "true" to include custom.css (from APP_STATIC_URL) in static pages APP_STATIC_INCLUDE_CUSTOM_CSS | set to "true" to include custom.css (from APP_STATIC_URL) in static pages
APP_UNTRUSTED_URL | URL at which to serve/expect plugin content. APP_UNTRUSTED_URL | URL at which to serve/expect plugin content.
GRIST_ADAPT_DOMAIN | set to "true" to support multiple base domains (careful, host header should be trustworthy) GRIST_ADAPT_DOMAIN | set to "true" to support multiple base domains (careful, host header should be trustworthy)
GRIST_ALLOWED_HOSTS | comma-separated list of permitted domains origin for requests (e.g. my.site,another.com)
GRIST_APP_ROOT | directory containing Grist sandbox and assets (specifically the sandbox and static subdirectories). GRIST_APP_ROOT | directory containing Grist sandbox and assets (specifically the sandbox and static subdirectories).
GRIST_BACKUP_DELAY_SECS | wait this long after a doc change before making a backup GRIST_BACKUP_DELAY_SECS | wait this long after a doc change before making a backup
GRIST_BOOT_KEY | if set, offer diagnostics at /boot/GRIST_BOOT_KEY GRIST_BOOT_KEY | if set, offer diagnostics at /boot/GRIST_BOOT_KEY

View File

@ -18,7 +18,7 @@ import {makeId} from 'app/server/lib/idUtils';
import log from 'app/server/lib/log'; import log from 'app/server/lib/log';
import {IPermitStore, Permit} from 'app/server/lib/Permit'; import {IPermitStore, Permit} from 'app/server/lib/Permit';
import {AccessTokenInfo} from 'app/server/lib/AccessTokens'; import {AccessTokenInfo} from 'app/server/lib/AccessTokens';
import {allowHost, getOriginUrl, isEnvironmentAllowedHost, optStringParam} from 'app/server/lib/requestUtils'; import {allowHost, getOriginUrl, optStringParam} from 'app/server/lib/requestUtils';
import * as cookie from 'cookie'; import * as cookie from 'cookie';
import {NextFunction, Request, RequestHandler, Response} from 'express'; import {NextFunction, Request, RequestHandler, Response} from 'express';
import {IncomingMessage} from 'http'; import {IncomingMessage} from 'http';
@ -271,7 +271,7 @@ export async function addRequestUser(
// custom-domain owner could hijack such sessions. // custom-domain owner could hijack such sessions.
const allowedOrg = getAllowedOrgForSessionID(mreq.sessionID); const allowedOrg = getAllowedOrgForSessionID(mreq.sessionID);
if (allowedOrg) { if (allowedOrg) {
if (allowHost(req, allowedOrg.host) || isEnvironmentAllowedHost(allowedOrg.host)) { if (allowHost(req, allowedOrg.host)) {
customHostSession = ` custom-host-match ${allowedOrg.host}`; customHostSession = ` custom-host-match ${allowedOrg.host}`;
} else { } else {
// We need an exception for internal forwarding from home server to doc-workers. These use // We need an exception for internal forwarding from home server to doc-workers. These use

View File

@ -8,7 +8,6 @@ import {RequestWithGrist} from 'app/server/lib/GristServer';
import log from 'app/server/lib/log'; import log from 'app/server/lib/log';
import {Permit} from 'app/server/lib/Permit'; import {Permit} from 'app/server/lib/Permit';
import {Request, Response} from 'express'; import {Request, Response} from 'express';
import _ from 'lodash';
import {Writable} from 'stream'; import {Writable} from 'stream';
// log api details outside of dev environment (when GRIST_HOSTED_VERSION is set) // log api details outside of dev environment (when GRIST_HOSTED_VERSION is set)
@ -87,7 +86,7 @@ export function trustOrigin(req: Request, resp: Response): boolean {
const origin = req.get('origin'); const origin = req.get('origin');
if (!origin) { return true; } // Not a CORS request. if (!origin) { return true; } // Not a CORS request.
if (process.env.GRIST_HOST && req.hostname === process.env.GRIST_HOST) { return true; } if (process.env.GRIST_HOST && req.hostname === process.env.GRIST_HOST) { return true; }
if (!allowHost(req, new URL(origin)) && !isEnvironmentAllowedHost(new URL(origin))) { return false; } if (!allowHost(req, new URL(origin))) { return false; }
// For a request to a custom domain, the full hostname must match. // For a request to a custom domain, the full hostname must match.
resp.header("Access-Control-Allow-Origin", origin); resp.header("Access-Control-Allow-Origin", origin);
@ -104,14 +103,14 @@ export function allowHost(req: Request, allowedHost: string|URL) {
const allowedUrl = (typeof allowedHost === 'string') ? new URL(`${proto}://${allowedHost}`) : allowedHost; const allowedUrl = (typeof allowedHost === 'string') ? new URL(`${proto}://${allowedHost}`) : allowedHost;
if (mreq.isCustomHost) { if (mreq.isCustomHost) {
// For a request to a custom domain, the full hostname must match. // For a request to a custom domain, the full hostname must match.
return actualUrl.hostname === allowedUrl.hostname; return actualUrl.hostname === allowedUrl.hostname;
} else { } else {
// For requests to a native subdomains, only the base domain needs to match. // For requests to a native subdomains, only the base domain needs to match.
const allowedDomain = parseSubdomain(allowedUrl.hostname); const allowedDomain = parseSubdomain(allowedUrl.hostname);
const actualDomain = parseSubdomain(actualUrl.hostname); const actualDomain = parseSubdomain(actualUrl.hostname);
return (!_.isEmpty(actualDomain) ? return actualDomain.base ?
actualDomain.base === allowedDomain.base : actualDomain.base === allowedDomain.base :
allowedUrl.hostname === actualUrl.hostname); actualUrl.hostname === allowedUrl.hostname;
} }
} }
@ -119,13 +118,6 @@ export function matchesBaseDomain(domain: string, baseDomain: string) {
return domain === baseDomain || domain.endsWith("." + baseDomain); return domain === baseDomain || domain.endsWith("." + baseDomain);
} }
export function isEnvironmentAllowedHost(url: string|URL) {
const urlHost = (typeof url === 'string') ? url : url.hostname;
return (process.env.GRIST_ALLOWED_HOSTS || "").split(",").some(domain =>
domain && matchesBaseDomain(urlHost, domain)
);
}
export function isParameterOn(parameter: any): boolean { export function isParameterOn(parameter: any): boolean {
return gutil.isAffirmative(parameter); return gutil.isAffirmative(parameter);
} }

View File

@ -4865,23 +4865,6 @@ function testDocApi() {
}); });
describe("Allowed Origin", () => { describe("Allowed Origin", () => {
it('should allow only example.com', async () => {
async function checkOrigin(origin: string, allowed: boolean) {
const resp = await axios.get(`${serverUrl}/api/docs/${docIds.Timesheets}/tables/Table1/data`,
{...chimpy, headers: {...chimpy.headers, "Origin": origin}}
);
assert.equal(resp.headers['access-control-allow-credentials'], allowed ? 'true' : undefined);
assert.equal(resp.status, allowed ? 200 : 403);
}
await checkOrigin("https://www.toto.com", false);
await checkOrigin("https://badexample.com", false);
await checkOrigin("https://bad.com/example.com/toto", false);
await checkOrigin("https://example.com/path", true);
await checkOrigin("https://example.com:3000/path", true);
await checkOrigin("https://good.example.com/toto", true);
});
it("should respond with correct CORS headers", async function () { it("should respond with correct CORS headers", async function () {
const wid = await getWorkspaceId(userApi, 'Private'); const wid = await getWorkspaceId(userApi, 'Private');
const docId = await userApi.newDoc({name: 'CorsTestDoc'}, wid); const docId = await userApi.newDoc({name: 'CorsTestDoc'}, wid);

View File

@ -49,7 +49,6 @@ export class TestServer {
GRIST_PORT: '0', GRIST_PORT: '0',
GRIST_DISABLE_S3: 'true', GRIST_DISABLE_S3: 'true',
REDIS_URL: process.env.TEST_REDIS_URL, REDIS_URL: process.env.TEST_REDIS_URL,
GRIST_ALLOWED_HOSTS: `example.com,localhost`,
GRIST_TRIGGER_WAIT_DELAY: '100', GRIST_TRIGGER_WAIT_DELAY: '100',
// this is calculated value, some tests expect 4 attempts and some will try 3 times // this is calculated value, some tests expect 4 attempts and some will try 3 times
GRIST_TRIGGER_MAX_ATTEMPTS: '4', GRIST_TRIGGER_MAX_ATTEMPTS: '4',