From 0f740a0e7635c342a620613c87d159bf8ebe4144 Mon Sep 17 00:00:00 2001
From: Peter Giacomo Lombardo
Date: Wed, 20 Nov 2024 16:01:34 +0100
Subject: [PATCH] Security: Only trust local proxies unless overidden (#2797)
---
 config/defaults/settings.yml | 18 ++++++++++++++++++
 config/environments/development.rb | 13 +++++++++++++
 config/environments/production.rb | 13 +++++++++++++
 config/settings.yml | 18 ++++++++++++++++++
 4 files changed, 62 insertions(+)
diff --git a/config/defaults/settings.yml b/config/defaults/settings.yml
index 2c341ef3180d..816fdb776c96 100644
--- a/config/defaults/settings.yml
+++ b/config/defaults/settings.yml
@@ -695,6 +695,24 @@ throttling:
 # Environment Variable Override: PWP__THROTTLING__SECOND='20'
 second: 60
+### Trusted Proxies
+#
+# By default, Password Pusher will only proxy related headers from proxies on
+# the local network. If you are using a proxy that is not on the local network,
+# you will need to add the IP address of the proxy to the list below.
+#
+# This is useful if you are using a remote reverse proxy such as Cloudflare to
+# serve the application. If local, you can leave this setting as is.
+#
+# Multiple IP addresses can be added by separating them with a comma.
+#
+# Environment Variable Override:
+# PWP__TRUSTED_PROXIES=''
+# PWP__TRUSTED_PROXIES=','
+#
+# trusted_proxies:
+# - '1.2.3.4'
+# - '2.3.4.5'
 ### Mail Server Configuration
 #
diff --git a/config/environments/development.rb b/config/environments/development.rb
index e0e68b582065..0b5ae41f3cb0 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -118,6 +118,19 @@
 # Raise error when a before_action's only/except options reference missing actions
 config.action_controller.raise_on_missing_callback_actions = true
+ # The list of trusted proxies from which we will accept proxy related headers.
+ config.action_dispatch.trusted_proxies = [
+ "127.0.0.1", # Localhost
+ /^::1$/, # IPv6 localhost
+ /192\.168\.\d{1,3}\.\d{1,3}/, # Local network
+ /10\.\d{1,3}\.\d{1,3}\.\d{1,3}/ # Private networks
+ ]
+
+ if Settings.trusted_proxies.present?
+ trusted_proxies = Settings.trusted_proxies.split(",").map(&:strip)
+ config.action_dispatch.trusted_proxies.concat(trusted_proxies)
+ end
+
 # If a user sets the allowed_hosts setting, we need to add the domain(s) to the list of allowed hosts
 if Settings.allowed_hosts.present?
 if Settings.allowed_hosts.is_a?(Array)
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 696a190cebb7..6322e6d9e5d1 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -54,6 +54,19 @@
 # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
 config.force_ssl = ENV.key?("FORCE_SSL")
+ # The list of trusted proxies from which we will accept proxy related headers.
+ config.action_dispatch.trusted_proxies = [
+ "127.0.0.1", # Localhost
+ /^::1$/, # IPv6 localhost
+ /192\.168\.\d{1,3}\.\d{1,3}/, # Local network
+ /10\.\d{1,3}\.\d{1,3}\.\d{1,3}/ # Private networks
+ ]
+
+ if Settings.trusted_proxies.present?
+ trusted_proxies = Settings.trusted_proxies.split(",").map(&:strip)
+ config.action_dispatch.trusted_proxies.concat(trusted_proxies)
+ end
+
 # Logging
 config.logger = if ENV["RAILS_LOG_TO_STDOUT"].present? || Settings.log_to_stdout
 # Log to STDOUT by default
diff --git a/config/settings.yml b/config/settings.yml
index 2c341ef3180d..816fdb776c96 100644
--- a/config/settings.yml
+++ b/config/settings.yml
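Review bot: The private-range regexes assigned to `config.action_dispatch.trusted_proxies` are unanchored, and the RemoteIp middleware tests each proxy with `===`, so `/10\.\d{1,3}\.\d{1,3}\.\d{1,3}/` also matches a public address such as `210.1.2.3` (constructed example), which would then be dropped from X-Forwarded-For as if it were a proxy and shift the reported client IP to an earlier hop; `\d{1,3}` likewise admits octets above 255. Assigning the array also replaces Rails' default `ActionDispatch::RemoteIp::TRUSTED_PROXIES`, so 172.16.0.0/12 and fc00::/7 are no longer trusted. Both are fixed by using `IPAddr` networks as the Rails default does (below; `IPAddr` is already loaded by that middleware), and the same block appears verbatim in the production.rb hunk. Separately, the two settings.yml hunks document `trusted_proxies` as a YAML list, but `Settings.trusted_proxies.split(",").map(&:strip)` only handles a comma-separated string — an Array value would not yield per-proxy strings here — so accept both shapes the way the `allowed_hosts` code just below does. The enclosing configure block starts and ends outside the hunk.
```ruby
  # The list of trusted proxies from which we will accept proxy related headers.
  # IPAddr networks are matched by address range, so a substring match is impossible;
  # this mirrors the set Rails trusts by default.
  config.action_dispatch.trusted_proxies = [
    IPAddr.new("127.0.0.0/8"),    # Loopback
    IPAddr.new("::1"),            # IPv6 loopback
    IPAddr.new("10.0.0.0/8"),     # Private networks (RFC 1918)
    IPAddr.new("172.16.0.0/12"),
    IPAddr.new("192.168.0.0/16"),
    IPAddr.new("fc00::/7")        # IPv6 unique local addresses
  ]

  if Settings.trusted_proxies.present?
    # Accept either a YAML list or a comma-separated string; an invalid entry raises at boot.
    extra = Array(Settings.trusted_proxies).flat_map { |v| v.to_s.split(",") }.map(&:strip).reject(&:empty?)
    config.action_dispatch.trusted_proxies.concat(extra.map { |ip| IPAddr.new(ip) })
  end
  # … unchanged: allowed_hosts handling …
```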
@@ -695,6 +695,24 @@ throttling:
 # Environment Variable Override: PWP__THROTTLING__SECOND='20'
 second: 60
+### Trusted Proxies
+#
+# By default, Password Pusher will only proxy related headers from proxies on
+# the local network. If you are using a proxy that is not on the local network,
+# you will need to add the IP address of the proxy to the list below.
+#
+# This is useful if you are using a remote reverse proxy such as Cloudflare to
+# serve the application. If local, you can leave this setting as is.
+#
+# Multiple IP addresses can be added by separating them with a comma.
+#
+# Environment Variable Override:
+# PWP__TRUSTED_PROXIES=''
+# PWP__TRUSTED_PROXIES=','
+#
+# trusted_proxies:
+# - '1.2.3.4'
+# - '2.3.4.5'
 ### Mail Server Configuration
 #