Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: check custom header for dev tools connection verification #18827

Merged
merged 6 commits into from
Mar 1, 2024
Merged

feat: check custom header for dev tools connection verification #18827

merged 6 commits into from
Mar 1, 2024

Conversation

mcollovati
Copy link
Collaborator

Allows to specify a custom header name to get the client address that is verified to allow access to dev tools.
In addition, validates all hops in the X-Forwaded-For chain.

@mcollovati
feat: check custom header for dev tools connection verification
ea116b1 
Allows to specify a custom header name to get the client address
that is verfied to allow access to dev tools.
In addition, validates all hops in the X-Forwaded-For chain.
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 28, 2024
edited
Loading

Test Results

1 095 files  ±0  1 095 suites  ±0   1h 20m 41s ⏱️ + 2m 35s
6 943 tests +4  6 894 ✅ +4  49 💤 ±0  0 ❌ ±0 
7 290 runs   - 3  7 229 ✅  - 3  61 💤 ±0  0 ❌ ±0 

Results for commit f44a0b0. ± Comparison against base commit 34aaa33.

♻️ This comment has been updated with latest results.

Artur-
Artur- reviewed Feb 29, 2024
View reviewed changes
vaadin-spring/src/main/java/com/vaadin/flow/spring/VaadinConfigurationProperties.java Show resolved Hide resolved
flow-server/src/main/java/com/vaadin/flow/server/communication/IndexHtmlRequestHandler.java Outdated
return false;
}
// Always allow localhost
try {
InetAddress inetAddress = InetAddress.getByName(remoteAddress);
if (inetAddress.isLoopbackAddress()) {
if (inetAddress.isLoopbackAddress() && allowLocal) {
return true;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it IS a local address and local is NOT allowed, should this not immediately return false, i.e. if it is a loopback address, always return allowLocal

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@vaadin-bot vaadin-bot added +1.0.0 and removed +0.0.1 labels Feb 29, 2024
@mcollovati mcollovati marked this pull request as ready for review February 29, 2024 12:15
@vaadin-bot vaadin-bot added +0.0.1 and removed +1.0.0 labels Feb 29, 2024
Artur-
Artur- reviewed Feb 29, 2024
View reviewed changes
flow-server/src/main/java/com/vaadin/flow/server/communication/IndexHtmlRequestHandler.java
// No remote address available so we cannot check...
String hostsAllowed, boolean allowLocal) {
if (remoteAddress == null || remoteAddress.isBlank()
|| (hostsAllowed == null && !allowLocal)) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this interprets hostsAllowed == "" different from null while the code below interprets them as the same

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it ok to have the same behavior for null, empty and blank?
If so, I would directly trim to null the value read from the configuration

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would say it is better to have the same behavior and fewer cases

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

Artur-
Artur- reviewed Feb 29, 2024
View reviewed changes
flow-server/src/main/java/com/vaadin/flow/server/communication/IndexHtmlRequestHandler.java
String forwardedFor = request.getHeader("X-Forwarded-For");
if (forwardedFor != null) {
String remoteHeaderIp = configuration.getStringProperty(
SERVLET_PARAMETER_DEVMODE_REMOTE_ADDRESS_HEADER, null);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we assuming this is a single header with a single address? Should it be in the docs?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, the assumption is a single header with a single address, as this is supposed to be safely handled by the proxy server.
I'll update the docs

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@mshabarov mshabarov requested a review from Artur- March 1, 2024 06:44
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Mar 1, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@mshabarov mshabarov merged commit b53d232 into main Mar 1, 2024
26 checks passed
@mshabarov mshabarov deleted the feat/devtools-ip-check branch March 1, 2024 08:53
@vaadin-bot
Copy link
Collaborator

This ticket/PR has been released with Vaadin 24.4.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Artur- Artur- Artur- approved these changes

Assignees
No one assigned
Labels
Released with Vaadin 24.4.0 +0.0.1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mcollovati @vaadin-bot @Artur- @mshabarov