Skip to content

Commit

Permalink
Bugfix/Auth URL Bypass (#3095)
Browse files Browse the repository at this point in the history 
add fixes to prevent bypassing api url
  • Loading branch information
@HenryHengZJ
HenryHengZJ authored Aug 27, 2024
1 parent ace8b85 commit 286121e
Showing 1 changed file with 40 additions and 20 deletions.
60 changes: 40 additions & 20 deletions packages/server/src/index.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -135,6 +135,8 @@ export class App {
'/api/v1/ip',
'/api/v1/ping'
]
const URL_CASE_INSENSITIVE_REGEX: RegExp = /\/api\/v1\//i
const URL_CASE_SENSITIVE_REGEX: RegExp = /\/api\/v1\//

if (process.env.FLOWISE_USERNAME && process.env.FLOWISE_PASSWORD) {
const username = process.env.FLOWISE_USERNAME
Expand All @@ -143,37 +145,55 @@ export class App {
users: { [username]: password }
})
this.app.use(async (req, res, next) => {
if (/\/api\/v1\//i.test(req.url)) {
if (whitelistURLs.some((url) => new RegExp(url, 'i').test(req.url))) {
next()
} else if (req.headers['x-request-from'] === 'internal') {
basicAuthMiddleware(req, res, next)
} else {
const isKeyValidated = await validateAPIKey(req)
if (!isKeyValidated) {
return res.status(401).json({ error: 'Unauthorized Access' })
// Step 1: Check if the req path contains /api/v1 regardless of case
if (URL_CASE_INSENSITIVE_REGEX.test(req.path)) {
// Step 2: Check if the req path is case sensitive
if (URL_CASE_SENSITIVE_REGEX.test(req.path)) {
// Step 3: Check if the req path is in the whitelist
const isWhitelisted = whitelistURLs.some((url) => req.path.startsWith(url))
if (isWhitelisted) {
next()
} else if (req.headers['x-request-from'] === 'internal') {
basicAuthMiddleware(req, res, next)
} else {
const isKeyValidated = await validateAPIKey(req)
if (!isKeyValidated) {
return res.status(401).json({ error: 'Unauthorized Access' })
}
next()
}
next()
} else {
return res.status(401).json({ error: 'Unauthorized Access' })
}
} else {
// If the req path does not contain /api/v1, then allow the request to pass through, example: /assets, /canvas
next()
}
})
} else {
this.app.use(async (req, res, next) => {
if (/\/api\/v1\//i.test(req.url)) {
if (whitelistURLs.some((url) => new RegExp(url, 'i').test(req.url))) {
next()
} else if (req.headers['x-request-from'] === 'internal') {
next()
} else {
const isKeyValidated = await validateAPIKey(req)
if (!isKeyValidated) {
return res.status(401).json({ error: 'Unauthorized Access' })
// Step 1: Check if the req path contains /api/v1 regardless of case
if (URL_CASE_INSENSITIVE_REGEX.test(req.path)) {
// Step 2: Check if the req path is case sensitive
if (URL_CASE_SENSITIVE_REGEX.test(req.path)) {
// Step 3: Check if the req path is in the whitelist
const isWhitelisted = whitelistURLs.some((url) => req.path.startsWith(url))
if (isWhitelisted) {
next()
} else if (req.headers['x-request-from'] === 'internal') {
next()
} else {
const isKeyValidated = await validateAPIKey(req)
if (!isKeyValidated) {
return res.status(401).json({ error: 'Unauthorized Access' })
}
next()
}
next()
} else {
return res.status(401).json({ error: 'Unauthorized Access' })
}
} else {
// If the req path does not contain /api/v1, then allow the request to pass through, example: /assets, /canvas
next()
}
})
Expand Down

0 comments on commit 286121e

Please sign in to comment.