Skip to content

Commit

Permalink
Security: Only trust local proxies unless overidden (#2797)
Browse files Browse the repository at this point in the history
  • Loading branch information
pglombardo authored Nov 20, 2024
1 parent 3526012 commit 0f740a0
Show file tree
Hide file tree
Showing 4 changed files with 62 additions and 0 deletions.
18 changes: 18 additions & 0 deletions config/defaults/settings.yml
Original file line number Diff line number Diff line change
Expand Up @@ -695,6 +695,24 @@ throttling:
# Environment Variable Override: PWP__THROTTLING__SECOND='20'
second: 60

### Trusted Proxies
#
# By default, Password Pusher will only proxy related headers from proxies on
# the local network. If you are using a proxy that is not on the local network,
# you will need to add the IP address of the proxy to the list below.
#
# This is useful if you are using a remote reverse proxy such as Cloudflare to
# serve the application. If local, you can leave this setting as is.
#
# Multiple IP addresses can be added by separating them with a comma.
#
# Environment Variable Override:
# PWP__TRUSTED_PROXIES='<ipaddress>'
# PWP__TRUSTED_PROXIES='<ipaddress1>,<ipaddress2>'
#
# trusted_proxies:
# - '1.2.3.4'
# - '2.3.4.5'

### Mail Server Configuration
#
Expand Down
13 changes: 13 additions & 0 deletions config/environments/development.rb
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,19 @@
# Raise error when a before_action's only/except options reference missing actions
config.action_controller.raise_on_missing_callback_actions = true

# The list of trusted proxies from which we will accept proxy related headers.
config.action_dispatch.trusted_proxies = [
"127.0.0.1", # Localhost
/^::1$/, # IPv6 localhost
/192\.168\.\d{1,3}\.\d{1,3}/, # Local network
/10\.\d{1,3}\.\d{1,3}\.\d{1,3}/ # Private networks
]

if Settings.trusted_proxies.present?
trusted_proxies = Settings.trusted_proxies.split(",").map(&:strip)
config.action_dispatch.trusted_proxies.concat(trusted_proxies)
end

# If a user sets the allowed_hosts setting, we need to add the domain(s) to the list of allowed hosts
if Settings.allowed_hosts.present?
if Settings.allowed_hosts.is_a?(Array)
Expand Down
13 changes: 13 additions & 0 deletions config/environments/production.rb
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,19 @@
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
config.force_ssl = ENV.key?("FORCE_SSL")

# The list of trusted proxies from which we will accept proxy related headers.
config.action_dispatch.trusted_proxies = [
"127.0.0.1", # Localhost
/^::1$/, # IPv6 localhost
/192\.168\.\d{1,3}\.\d{1,3}/, # Local network
/10\.\d{1,3}\.\d{1,3}\.\d{1,3}/ # Private networks
]

if Settings.trusted_proxies.present?
trusted_proxies = Settings.trusted_proxies.split(",").map(&:strip)
config.action_dispatch.trusted_proxies.concat(trusted_proxies)
end

# Logging
config.logger = if ENV["RAILS_LOG_TO_STDOUT"].present? || Settings.log_to_stdout
# Log to STDOUT by default
Expand Down
18 changes: 18 additions & 0 deletions config/settings.yml
Original file line number Diff line number Diff line change
Expand Up @@ -695,6 +695,24 @@ throttling:
# Environment Variable Override: PWP__THROTTLING__SECOND='20'
second: 60

### Trusted Proxies
#
# By default, Password Pusher will only proxy related headers from proxies on
# the local network. If you are using a proxy that is not on the local network,
# you will need to add the IP address of the proxy to the list below.
#
# This is useful if you are using a remote reverse proxy such as Cloudflare to
# serve the application. If local, you can leave this setting as is.
#
# Multiple IP addresses can be added by separating them with a comma.
#
# Environment Variable Override:
# PWP__TRUSTED_PROXIES='<ipaddress>'
# PWP__TRUSTED_PROXIES='<ipaddress1>,<ipaddress2>'
#
# trusted_proxies:
# - '1.2.3.4'
# - '2.3.4.5'

### Mail Server Configuration
#
Expand Down

0 comments on commit 0f740a0

Please sign in to comment.