From 5344c2198ed282ccb74dbeef6ed2d2f99ba1c3ff Mon Sep 17 00:00:00 2001 From: pratixha Date: Fri, 13 May 2022 17:03:49 +0530 Subject: [PATCH 1/4] Support multiple hosts with allowed_hosts attribute Signed-off-by: pratixha
--- docs-chef-io/content/supermarket/config_rb_supermarket.md | 7 +++++-- .../cookbooks/omnibus-supermarket/attributes/default.rb | 2 ++ src/supermarket/config/environments/production.rb | 7 +++++-- 3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/docs-chef-io/content/supermarket/config_rb_supermarket.md b/docs-chef-io/content/supermarket/config_rb_supermarket.md
index f06645346..43ca83c1a 100644
--- a/docs-chef-io/content/supermarket/config_rb_supermarket.md
+++ b/docs-chef-io/content/supermarket/config_rb_supermarket.md
@@ -58,9 +58,12 @@ This configuration file has the following general settings:
 : This flag is to allow/restrict injection of arbitrary host headers in the API calls to supermarket. The scenarios in which this flag will be useful is e.g. if supermarket runs behind an AWS ELB (load balancer), the internal health-check API calls to supermarket invoked by the load balancer get responded with status code: 403 (forbidden) if this flag is set to `true`. So to unblock the health-check API calls invoked by the ELB we need to set this flag as `false`
-`default['supermarket']['allowed_host']`
+`default['supermarket']['allowed_hosts']`
-: This attribute is to set the Allowed Host for supermarket to block arbitrary [Host header injection](https://crashtest-security.com/invalid-host-header/) in the API calls to supermarket. This is by default set as the value of the FQDN(`default['supermarket']['fqdn']`). You can also set this attribute explicitly as the the domain name of your supermarket website e.g. . You also need to keep the flag: `disable_host_header_attack` as `true` to make this attribute effective. If `disable_host_header_attack` is set to `false` then this attribute will be ignored.
+: This attribute is to set the list of Allowed Hosts for supermarket to block arbitrary [Host header injection](https://crashtest-security.com/invalid-host-header/) in the API calls to supermarket. This is by default set as the value of the FQDN(`default['supermarket']['fqdn']`). You can also set this attribute explicitly as the the domain name of your supermarket website e.g. . You also need to keep the flag: `disable_host_header_attack` as `true` to make this attribute effective. If `disable_host_header_attack` is set to `false` then this attribute will be ignored.
+: For allowing multiple hostnames in `default['supermarket']['allowed_hosts']`,
+specify the values separated by comma e.g. below:
+`'https://www.example1.com, https://www.example2.com'`
 `default['supermarket']['from_email']`
diff --git a/omnibus/cookbooks/omnibus-supermarket/attributes/default.rb b/omnibus/cookbooks/omnibus-supermarket/attributes/default.rb
index cf8a56de6..5426a0a2a 100644
--- a/omnibus/cookbooks/omnibus-supermarket/attributes/default.rb
+++ b/omnibus/cookbooks/omnibus-supermarket/attributes/default.rb
@@ -369,6 +369,8 @@
 # Set this value to the domain name of your supermarket website e.g. supermarket.chef.io
 # You also need to keep the flag: disable_host_header_attack as true to make it effective
 # If disable_host_header_attack is false then this flag will be ignored.
+# To set allowed_hosts to allow multiple hosts in the host header specify the hosts separated by comma(,)
+# e.g. 'https://www.example1.com, https://www.example2.com'
 default['supermarket']['allowed_host'] = node['supermarket']['fqdn']
 # ### Chef URL Settings
diff --git a/src/supermarket/config/environments/production.rb b/src/supermarket/config/environments/production.rb
index 60443ba71..4a461d7f1 100644
--- a/src/supermarket/config/environments/production.rb
+++ b/src/supermarket/config/environments/production.rb
@@ -115,7 +115,10 @@
 # The value of ENV["DISABLE_HOST_HEADER_ATTACK"] will be parsed as string.
 # Hence we need to convert string to boolean.
- if ActiveModel::Type::Boolean.new.cast(ENV["DISABLE_HOST_HEADER_ATTACK"]) && ENV["ALLOWED_HOST"].present?
- config.hosts << ENV["ALLOWED_HOST"]
+ # It allows multiple hosts by specifying ENV["ALLOWED_HOSTS"] attribute in .env file.
+ if ActiveModel::Type::Boolean.new.cast(ENV["DISABLE_HOST_HEADER_ATTACK"]) && ENV["ALLOWED_HOSTS"].present?
+ ENV["ALLOWED_HOSTS"].split(",").each do |host|
+ config.hosts << host.strip
+ end
 end
 end
From 1dd68817856b21c2f54217d516b71b064a7ceb07 Mon Sep 17 00:00:00 2001 From: pratixha Date: Mon, 16 May 2022 18:14:10 +0530 Subject: [PATCH 2/4] Replaced allowed_host with allowed_hosts
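Review bot: The values this loop pushes into `config.hosts` are, as far as I can tell, compared by Rails host authorization against the request's Host header, which carries a hostname and never a scheme, so the scheme-prefixed examples this series documents — `'https://www.example1.com, https://www.example2.com'` in the default.rb hunk of this commit and again in the default.rb hunks of the two later commits — would never match and, with `DISABLE_HOST_HEADER_ATTACK=true`, every request would be rejected with 403; the examples should be bare hostnames such as `'www.example1.com, www.example2.com'`. The split also keeps empty segments (a leading or doubled comma yields `""` after `strip`), which registers the empty string as an allowed host; `ENV["ALLOWED_HOSTS"].split(",").map(&:strip).reject(&:empty?).each { |host| config.hosts << host }` avoids that. The two `end` lines at the bottom of the hunk close constructs that begin outside it.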
Signed-off-by: pratixha
--- dev-docs/habitat_configurations_for_development.md | 2 +- omnibus/cookbooks/omnibus-supermarket/attributes/default.rb | 4 ++-- src/supermarket/.env | 2 +- src/supermarket/habitat-web/plan.sh | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/dev-docs/habitat_configurations_for_development.md b/dev-docs/habitat_configurations_for_development.md
index bc449578c..0dc5b3879 100644
--- a/dev-docs/habitat_configurations_for_development.md
+++ b/dev-docs/habitat_configurations_for_development.md
@@ -35,7 +35,7 @@ Start with `hab studio enter`
 port = 3000\
 secret_key_base = ""\
 protocol = 'https'\
- allowed_host = "localhost"
+ allowed_hosts = "localhost"
 [nginx]\
 force_ssl = true\
diff --git a/omnibus/cookbooks/omnibus-supermarket/attributes/default.rb b/omnibus/cookbooks/omnibus-supermarket/attributes/default.rb
index 5426a0a2a..aeec10262 100644
--- a/omnibus/cookbooks/omnibus-supermarket/attributes/default.rb
+++ b/omnibus/cookbooks/omnibus-supermarket/attributes/default.rb
@@ -365,13 +365,13 @@
 # calls invoked by the load balancer get responded with status code 403 (forbidden) if this flag is set to true.
 # So to unblock the healthcheck API we need to set this flag as false
 default['supermarket']['disable_host_header_attack'] = true
-# Setting allowed_host for supermarket to avoid arbitrary "Host" header injection
+# Setting allowed_hosts for supermarket to avoid arbitrary "Host" header injection
 # Set this value to the domain name of your supermarket website e.g. supermarket.chef.io
 # You also need to keep the flag: disable_host_header_attack as true to make it effective
 # If disable_host_header_attack is false then this flag will be ignored.
 # To set allowed_hosts to allow multiple hosts in the host header specify the hosts separated by comma(,)
 # e.g. 'https://www.example1.com, https://www.example2.com'
-default['supermarket']['allowed_host'] = node['supermarket']['fqdn']
+default['supermarket']['allowed_hosts'] = node['supermarket']['fqdn']
 # ### Chef URL Settings
 #
diff --git a/src/supermarket/.env b/src/supermarket/.env
index 735e8ae66..fea51ab36 100644
--- a/src/supermarket/.env
+++ b/src/supermarket/.env
@@ -31,4 +31,4 @@ ROBOTS_ALLOW=/
 ENFORCE_PRIVACY=true
 COOKSTYLE_COPS=Chef/Deprecations,Chef/Correctness,Chef/Sharing,Chef/RedundantCode,Chef/Modernize,Chef/Security,InSpec/Deprecations
 DISABLE_HOST_HEADER_ATTACK=true
-ALLOWED_HOST=YOUR_SUPERMARKET_DOMAIN_NAME
+ALLOWED_HOSTS=YOUR_SUPERMARKET_DOMAIN_NAME
diff --git a/src/supermarket/habitat-web/plan.sh b/src/supermarket/habitat-web/plan.sh
index c49a00b92..cbb10ee11 100644
--- a/src/supermarket/habitat-web/plan.sh
+++ b/src/supermarket/habitat-web/plan.sh
@@ -120,7 +120,7 @@ scaffolding_env[SENTRY_URL]="{{ cfg.sentry_url }}"
 scaffolding_env[STATSD_PORT]="{{ cfg.statsd_port }}"
 scaffolding_env[STATSD_URL]="{{ cfg.statsd_url }}"
 scaffolding_env[cookbook]="{{ cfg.app.cookbook }}"
-scaffolding_env[ALLOWED_HOST]="{{ cfg.app.allowed_host }}"
+scaffolding_env[ALLOWED_HOSTS]="{{ cfg.app.allowed_hosts }}"
 scaffolding_env[INSTALL_DIRECTORY]="{{ pkg.path }}"
 scaffolding_env[INSTALL_PATH]="{{ pkg.path }}"
From 993ddebb0f76eeea775461fe346445af359f6811 Mon Sep 17 00:00:00 2001 From: Rajesh Paul Date: Mon, 23 May 2022 20:01:42 +0530 Subject: [PATCH 3/4] Changed documentation for multiple allowed_hosts for ELB (load balancer) use case
--- omnibus/cookbooks/omnibus-supermarket/attributes/default.rb | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/omnibus/cookbooks/omnibus-supermarket/attributes/default.rb b/omnibus/cookbooks/omnibus-supermarket/attributes/default.rb
index aeec10262..b026b0d81 100644
--- a/omnibus/cookbooks/omnibus-supermarket/attributes/default.rb
+++ b/omnibus/cookbooks/omnibus-supermarket/attributes/default.rb
@@ -371,6 +371,10 @@
 # If disable_host_header_attack is false then this flag will be ignored.
 # To set allowed_hosts to allow multiple hosts in the host header specify the hosts separated by comma(,)
 # e.g. 'https://www.example1.com, https://www.example2.com'
+# One scenario to keep in mind is that when supermarket runs behind an ELB(load balancer)
+# the internal healthcheck calls will send the private IP address of the instance in the host header.
+# So we need to add the private IP address along with the hostname of supermarket in the allowed hosts as follows:
+# e.g. 'https://supermarket-example.com, '
 default['supermarket']['allowed_hosts'] = node['supermarket']['fqdn']
 # ### Chef URL Settings
From aa08b2f99725ac8b63352526c714f07299ba83f6 Mon Sep 17 00:00:00 2001
From: Rajesh Paul Date: Mon, 23 May 2022 20:32:20 +0530 Subject: [PATCH 4/4] setting the default value for disable_host_header_attack to false instead of true Signed-off-by: Rajesh Paul
--- .../omnibus-supermarket/attributes/default.rb | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/omnibus/cookbooks/omnibus-supermarket/attributes/default.rb b/omnibus/cookbooks/omnibus-supermarket/attributes/default.rb
index b026b0d81..a9920c21c 100644
--- a/omnibus/cookbooks/omnibus-supermarket/attributes/default.rb
+++ b/omnibus/cookbooks/omnibus-supermarket/attributes/default.rb
@@ -361,13 +361,15 @@
 # The below flag is to allow/disallow injection of arbitrary host headers in the API calls.
 # The scenarios in which this flag will be useful is e.g.
-# if supermarket runs behind an AWS ELB (load balancer), the internal healthcheck
-# calls invoked by the load balancer get responded with status code 403 (forbidden) if this flag is set to true.
-# So to unblock the healthcheck API we need to set this flag as false
-default['supermarket']['disable_host_header_attack'] = true
-# Setting allowed_hosts for supermarket to avoid arbitrary "Host" header injection
-# Set this value to the domain name of your supermarket website e.g. supermarket.chef.io
-# You also need to keep the flag: disable_host_header_attack as true to make it effective
+# if supermarket runs behind an ELB (load balancer), the internal healthcheck calls invoked
+# by the load balancer get responded with status code 403 (forbidden) if this flag is set to true.
+# So to unblock the healthcheck API we need to set this flag as false. Alternatively you can set this flag
+# as true and include the private IP address of the instances (running behing ELB)
+# in the attribute: default['supermarket']['allowed_hosts']
+default['supermarket']['disable_host_header_attack'] = false
+# Setting allowed_hosts for supermarket to avoid arbitrary "Host" header injection.
+# Set this attribute to the domain name of your supermarket website e.g. supermarket.chef.io
+# You also need to set the flag: disable_host_header_attack as true to make it effective
 # If disable_host_header_attack is false then this flag will be ignored.
 # To set allowed_hosts to allow multiple hosts in the host header specify the hosts separated by comma(,)
 # e.g. 'https://www.example1.com, https://www.example2.com'
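Review bot: A default of `false` for `default['supermarket']['disable_host_header_attack']` leaves Rails host authorization switched off on every install until an operator opts in, which makes the `allowed_hosts` plumbing added earlier in this series inert by default; the ELB health-check problem the comment describes is already answered by the same comment's advice to add the instance's private IP to `allowed_hosts`, so the default could stay `true` with that guidance. If `false` is kept, the comment should state plainly that Host-header validation is disabled out of the box and must be enabled per site, instead of presenting `false` only as the fix for health-check 403s. The added comment also has a typo, `behing` for `behind`, and since the private IP of an instance behind an ELB is presumably not stable across instance replacements, a sentence noting that the IP entry has to be kept in step with the fleet would help.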