From f44c21ce590514ee9ff9fc030edf8d022a1c2477 Mon Sep 17 00:00:00 2001
From: CalDescent
Date: Wed, 12 Jan 2022 19:32:52 +0000
Subject: [PATCH] Disallow any kind of website/app/data rendering when localAuthBypassEnabled is enabled.

This allows node operators to return their authentication to the legacy rules (local requests allowed), without introducing javascript vulnerabilities. The websites, apps, etc are just prevented from loading, to avoid the risk of any API calls from javascript.
---
 src/main/java/org/qortal/api/Security.java | 13 +++++++++++++
 .../org/qortal/api/resource/RenderResource.java | 3 +++
 2 files changed, 16 insertions(+)

diff --git a/src/main/java/org/qortal/api/Security.java b/src/main/java/org/qortal/api/Security.java
index 09c98988..4aca2c49 100644
--- a/src/main/java/org/qortal/api/Security.java
+++ b/src/main/java/org/qortal/api/Security.java
@@ -64,6 +64,19 @@ public abstract class Security {
 }
 }
 
+ public static void disallowLoopbackRequestsIfAuthBypassEnabled(HttpServletRequest request) {
+ if (Settings.getInstance().isLocalAuthBypassEnabled()) {
+ try {
+ InetAddress remoteAddr = InetAddress.getByName(request.getRemoteAddr());
+ if (remoteAddr.isLoopbackAddress()) {
+ throw ApiExceptionFactory.INSTANCE.createCustomException(request, ApiError.UNAUTHORIZED, "Local requests not allowed when localAuthBypassEnabled is enabled in settings");
+ }
+ } catch (UnknownHostException e) {
+ throw ApiExceptionFactory.INSTANCE.createException(request, ApiError.UNAUTHORIZED);
+ }
+ }
+ }
+
 public static void requirePriorAuthorization(HttpServletRequest request, String resourceId, Service service, String identifier) {
 ArbitraryDataResource resource = new ArbitraryDataResource(resourceId, null, service, identifier);
 if (!ArbitraryDataRenderManager.getInstance().isAuthorized(resource)) {
diff --git a/src/main/java/org/qortal/api/resource/RenderResource.java b/src/main/java/org/qortal/api/resource/RenderResource.java
index 49743159..97411e54 100644
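Review bot: The new check in disallowLoopbackRequestsIfAuthBypassEnabled keys only on `remoteAddr.isLoopbackAddress()`, so behind a same-host reverse proxy every request arrives from loopback and all rendering is refused while the bypass is on, while a request reaching the node on one of its non-loopback interfaces passes the guard; whether that second case matters depends on what `isLocalAuthBypassEnabled` and `checkApiCallAllowed` (both outside this hunk) treat as "local", and the two should agree on a single definition. Deciding on the transport address rather than a forwarded header is the right call, since script running in a rendered page cannot influence it, and mapping UnknownHostException to UNAUTHORIZED keeps the check fail-closed. The method is a new public entry point on Security and carries no Javadoc; a comment such as `/** Rejects loopback callers while localAuthBypassEnabled is on: such requests skip API-key checks, so content served by this node must not be able to reach the API from a browser. Fails closed on an unparsable remote address. */` would record the intent the commit message gives. Note also that `InetAddress.getByName` resolves via DNS if the container ever returns a hostname rather than an IP literal from getRemoteAddr(); harmless for the usual IP strings, but worth a one-line comment.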
--- a/src/main/java/org/qortal/api/resource/RenderResource.java
+++ b/src/main/java/org/qortal/api/resource/RenderResource.java
@@ -100,6 +100,7 @@ public class RenderResource {
 @SecurityRequirement(name = "apiKey")
 public boolean authorizeResource(@HeaderParam(Security.API_KEY_HEADER) String apiKey, @PathParam("resourceId") String resourceId) {
 Security.checkApiCallAllowed(request);
+ Security.disallowLoopbackRequestsIfAuthBypassEnabled(request);
 ArbitraryDataResource resource = new ArbitraryDataResource(resourceId, null, null, null);
 ArbitraryDataRenderManager.getInstance().addToAuthorizedResources(resource);
 return true;
@@ -112,6 +113,7 @@ public class RenderResource {
 @PathParam("service") Service service,
 @PathParam("resourceId") String resourceId) {
 Security.checkApiCallAllowed(request);
+ Security.disallowLoopbackRequestsIfAuthBypassEnabled(request);
 ArbitraryDataResource resource = new ArbitraryDataResource(resourceId, null, service, null);
 ArbitraryDataRenderManager.getInstance().addToAuthorizedResources(resource);
 return true;
@@ -125,6 +127,7 @@ public class RenderResource {
 @PathParam("resourceId") String resourceId,
 @PathParam("identifier") String identifier) {
 Security.checkApiCallAllowed(request);
+ Security.disallowLoopbackRequestsIfAuthBypassEnabled(request);
 ArbitraryDataResource resource = new ArbitraryDataResource(resourceId, null, service, identifier);
 ArbitraryDataRenderManager.getInstance().addToAuthorizedResources(resource);
 return true;
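Review bot: The same `Security.disallowLoopbackRequestsIfAuthBypassEnabled(request);` line is inserted by hand into all three authorizeResource overloads (the hunks at lines 100, 112 and 125), each of which already repeats the checkApiCallAllowed / new ArbitraryDataResource / addToAuthorizedResources sequence; a single private helper that performs both checks before registering the resource would keep the guard from being missed in a future overload. The ordering is right as written: the guard throws before addToAuthorizedResources, so a refused caller never has a resource registered on its behalf. The enclosing methods of the second and third hunks begin outside the hunk, so only their trailing parameters are visible here.
```java
// … unchanged: the three JAX-RS annotated authorizeResource overloads, each reduced to `return authorize(resourceId, <service or null>, <identifier or null>);` …
private boolean authorize(String resourceId, Service service, String identifier) {
    Security.checkApiCallAllowed(request);
    Security.disallowLoopbackRequestsIfAuthBypassEnabled(request);
    ArbitraryDataResource resource = new ArbitraryDataResource(resourceId, null, service, identifier);
    ArbitraryDataRenderManager.getInstance().addToAuthorizedResources(resource);
    return true;
}
```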