Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: check custom header for dev tools connection verification #18827

Merged
merged 6 commits into from
Mar 1, 2024
Merged

feat: check custom header for dev tools connection verification #18827

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
ea116b1
feat: check custom header for dev tools connection verification
mcollovati Feb 28, 2024
1e792da
apply review suggestions and add tests
mcollovati Feb 29, 2024
7a7185a
add verification for multiple header occurrencies
mcollovati Feb 29, 2024
d9050d5
Merge branch 'main' into feat/devtools-ip-check
mcollovati Feb 29, 2024
429036c
apply review suggestions
mcollovati Feb 29, 2024
f44a0b0
Merge branch 'main' into feat/devtools-ip-check
Artur- Mar 1, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions flow-server/src/main/java/com/vaadin/flow/server/InitParameters.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,12 @@ public class InitParameters implements Serializable {
*/
public static final String SERVLET_PARAMETER_DEVMODE_HOSTS_ALLOWED = "devmode.hostsAllowed";

/**
* The name of the custom HTTP header that contains the client IP address.
* If not specified, {@literal X-Forwarded-For} will be checked.
*/
public static final String SERVLET_PARAMETER_DEVMODE_REMOTE_ADDRESS_HEADER = "devmode.remoteAddressHeader";

/**
* Configuration parameter name for enabling pnpm.
*
Expand Down
37 changes: 26 additions & 11 deletions flow-server/src/main/java/com/vaadin/flow/server/communication/IndexHtmlRequestHandler.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.stream.Stream;

import org.apache.commons.io.FilenameUtils;
import org.jsoup.Jsoup;
Expand All @@ -49,7 +50,6 @@
import com.vaadin.flow.server.BootstrapHandler;
import com.vaadin.flow.server.Constants;
import com.vaadin.flow.server.DevToolsToken;
import com.vaadin.flow.server.InitParameters;
import com.vaadin.flow.server.Mode;
import com.vaadin.flow.server.VaadinContext;
import com.vaadin.flow.server.VaadinRequest;
Expand All @@ -67,6 +67,8 @@
import elemental.json.JsonObject;
import elemental.json.impl.JsonUtil;

import static com.vaadin.flow.server.InitParameters.SERVLET_PARAMETER_DEVMODE_HOSTS_ALLOWED;
import static com.vaadin.flow.server.InitParameters.SERVLET_PARAMETER_DEVMODE_REMOTE_ADDRESS_HEADER;
import static com.vaadin.flow.shared.ApplicationConstants.CONTENT_TYPE_TEXT_HTML_UTF_8;
import static java.nio.charset.StandardCharsets.UTF_8;

Expand Down Expand Up @@ -397,21 +399,32 @@ static boolean isAllowedDevToolsHost(AbstractConfiguration configuration,
VaadinRequest request) {
String remoteAddress = request.getRemoteAddr();
String hostsAllowed = configuration.getStringProperty(
InitParameters.SERVLET_PARAMETER_DEVMODE_HOSTS_ALLOWED, null);
SERVLET_PARAMETER_DEVMODE_HOSTS_ALLOWED, null);

if (!isAllowedDevToolsHost(remoteAddress, hostsAllowed)) {
if (!isAllowedDevToolsHost(remoteAddress, hostsAllowed, true)) {
return false;
}
String remoteHeaderIp = configuration.getStringProperty(
SERVLET_PARAMETER_DEVMODE_REMOTE_ADDRESS_HEADER, null);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we assuming this is a single header with a single address? Should it be in the docs?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, the assumption is a single header with a single address, as this is supposed to be safely handled by the proxy server.
I'll update the docs

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

if (remoteHeaderIp != null) {
return isAllowedDevToolsHost(request.getHeader(remoteHeaderIp),
hostsAllowed, false);
}

String forwardedFor = request.getHeader("X-Forwarded-For");
if (forwardedFor != null) {
if (forwardedFor.contains(",")) {
// X-Forwarded-For: <client>, <proxy1>, <proxy2>
// Elements are comma-separated, with optional whitespace
// surrounding the commas.
forwardedFor = forwardedFor.split(",")[0];
}
if (!isAllowedDevToolsHost(forwardedFor.trim(), hostsAllowed)) {
return false;
// Validate all hops
return Stream.of(forwardedFor.split(",")).map(String::trim)
.allMatch(ip -> isAllowedDevToolsHost(ip, hostsAllowed,
false));

} else {
return isAllowedDevToolsHost(forwardedFor.trim(), hostsAllowed,
false);
}
}

Expand All @@ -420,15 +433,17 @@ static boolean isAllowedDevToolsHost(AbstractConfiguration configuration,
}

private static boolean isAllowedDevToolsHost(String remoteAddress,
String hostsAllowed) {
if (remoteAddress == null) {
// No remote address available so we cannot check...
String hostsAllowed, boolean allowLocal) {
if (remoteAddress == null || (hostsAllowed == null && !allowLocal)) {
// No check needed if the remote address is not available
// or if local addresses must be rejected and there are no host
// rules defined
return false;
}
// Always allow localhost
try {
InetAddress inetAddress = InetAddress.getByName(remoteAddress);
if (inetAddress.isLoopbackAddress()) {
if (inetAddress.isLoopbackAddress() && allowLocal) {
return true;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it IS a local address and local is NOT allowed, should this not immediately return false, i.e. if it is a loopback address, always return allowLocal

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

}
} catch (Exception e) {
Expand Down
97 changes: 88 additions & 9 deletions ...erver/src/test/java/com/vaadin/flow/server/communication/IndexHtmlRequestHandlerTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import java.util.function.BiPredicate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
Expand All @@ -51,7 +52,6 @@
import com.vaadin.flow.di.Lookup;
import com.vaadin.flow.di.ResourceProvider;
import com.vaadin.flow.internal.UsageStatistics;
import com.vaadin.flow.router.Location;
import com.vaadin.flow.router.QueryParameters;
import com.vaadin.flow.server.AppShellRegistry;
import com.vaadin.flow.server.BootstrapHandler;
Expand All @@ -73,11 +73,15 @@
import elemental.json.JsonObject;

import static com.vaadin.flow.server.Constants.VAADIN_WEBAPP_RESOURCES;
import static com.vaadin.flow.server.InitParameters.SERVLET_PARAMETER_DEVMODE_HOSTS_ALLOWED;
import static com.vaadin.flow.server.InitParameters.SERVLET_PARAMETER_DEVMODE_REMOTE_ADDRESS_HEADER;
import static com.vaadin.flow.server.frontend.FrontendUtils.INDEX_HTML;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertThrows;
import static org.junit.Assert.assertTrue;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;

Expand Down Expand Up @@ -990,11 +994,12 @@ private boolean isAllowedDevToolsHost(String hostsAllowedProperty,
Mockito.when(request.getRemoteAddr()).thenReturn(remoteAddr);
ApplicationConfiguration configuration = Mockito
.mock(ApplicationConfiguration.class);
Mockito.when(
configuration.getStringProperty("devmode.hostsAllowed", null))
.thenAnswer(q -> {
return hostsAllowedProperty;
});
Mockito.doAnswer(q -> hostsAllowedProperty).when(configuration)
.getStringProperty(SERVLET_PARAMETER_DEVMODE_HOSTS_ALLOWED,
null);
// Mockito.when(configuration.getStringProperty(
// SERVLET_PARAMETER_DEVMODE_HOSTS_ALLOWED, null))
// .thenAnswer(q -> hostsAllowedProperty);
Mockito.when(request.getHeader("X-Forwarded-For"))
.thenReturn(forwardedForHeader);
return IndexHtmlRequestHandler.isAllowedDevToolsHost(configuration,
Expand Down Expand Up @@ -1040,15 +1045,89 @@ public void devTools_allowedHostsMatchesIpAndForwardedFor() {
// Local proxy
Assert.assertTrue(
isAllowedDevToolsHost("1.2.3.4", "127.0.0.1", "1.2.3.4"));
Assert.assertTrue(isAllowedDevToolsHost("1.2.3.4", "127.0.0.1",
Assert.assertFalse(isAllowedDevToolsHost("1.2.3.4", "127.0.0.1",
"1.2.3.4, 3.4.5.6"));
Assert.assertTrue(isAllowedDevToolsHost("1.2.3.4", "127.0.0.1",
Assert.assertFalse(isAllowedDevToolsHost("1.2.3.4", "127.0.0.1",
" 1.2.3.4 , 3.4.5.6 "));
Assert.assertTrue(isAllowedDevToolsHost("1.2.3.4,3.4.5.6", "127.0.0.1",
"1.2.3.4, 3.4.5.6"));
Assert.assertTrue(isAllowedDevToolsHost("1.2.3.4,3.4.5.6", "127.0.0.1",
" 1.2.3.4 , 3.4.5.6 "));

// Non local proxy

Assert.assertTrue(isAllowedDevToolsHost("1.2.3.4, 5.5.5.5", "5.5.5.5",
" 1.2.3.4 "));
Assert.assertTrue(
isAllowedDevToolsHost("1.2.3.4,5.5.*", "5.5.5.5", "1.2.3.4"));
Assert.assertFalse(isAllowedDevToolsHost("1.2.3.4,5.5.*", "5.5.5.5",
"1.2.3.4, 3.4.5.6"));
Assert.assertFalse(isAllowedDevToolsHost("1.2.3.4,5.5.*", "5.5.5.5",
" 1.2.3.4 , 3.4.5.6 "));
Assert.assertTrue(isAllowedDevToolsHost("1.2.3.4,3.4.5.6,5.5.*",
"5.5.5.5", "1.2.3.4, 3.4.5.6"));
Assert.assertTrue(isAllowedDevToolsHost("1.2.3.4,3.4.5.6,5.5.*",
"5.5.5.5", " 1.2.3.4 , 3.4.5.6 "));

// Verify full chain
String forwardedChain = "1.2.3.4,5.5.5.5,6.6.6.6,7.7.7.7";
Assert.assertFalse(
isAllowedDevToolsHost("1.2.3.4", "127.0.0.1", forwardedChain));
Assert.assertFalse(isAllowedDevToolsHost("1.2.3.4,5.5.5.5", "127.0.0.1",
forwardedChain));
Assert.assertFalse(isAllowedDevToolsHost("1.2.3.4,5.5.5.5,6.6.6.6",
"127.0.0.1", forwardedChain));
Assert.assertFalse(isAllowedDevToolsHost("1.2.3.4,5.5.5.5,7.7.7.7",
"127.0.0.1", forwardedChain));
Assert.assertTrue(
isAllowedDevToolsHost("1.2.3.4,5.5.5.5,6.6.6.6,7.7.7.7",
"127.0.0.1", forwardedChain));

}

@Test
public void devTools_forwardedForIsLocal_denyAccess() {
Assert.assertFalse(
isAllowedDevToolsHost(null, "127.0.0.1", "127.0.0.1"));
Assert.assertFalse(isAllowedDevToolsHost(null, "127.0.0.1", "::1"));
Assert.assertFalse(
isAllowedDevToolsHost(null, "127.0.0.1", "0:0:0:0:0:0:0:1"));
Assert.assertFalse(
isAllowedDevToolsHost(null, "127.0.0.1", "172.16.0.4"));
}

@Test
public void devTools_customRemoteIPHeader_allowedIfIpMatches() {

BiPredicate<String, String> verifier = (remoteIp,
spoofedForwarderFor) -> {
String customClientIpHeaderName = "Some-Proxy-Client-IP";

VaadinRequest request = Mockito.mock(VaadinRequest.class);
Mockito.when(request.getRemoteAddr()).thenReturn("127.0.0.1");
ApplicationConfiguration configuration = Mockito
.mock(ApplicationConfiguration.class);
Mockito.when(configuration.getStringProperty("devmode.hostsAllowed",
null)).thenAnswer(q -> "1.2.3.4,5.6.7.8");
Mockito.when(configuration.getStringProperty(
eq(SERVLET_PARAMETER_DEVMODE_REMOTE_ADDRESS_HEADER), any()))
.thenAnswer(q -> customClientIpHeaderName);
Mockito.when(request.getHeader(customClientIpHeaderName))
.thenReturn(remoteIp);
Mockito.when(request.getHeader("X-Forwarded-For"))
.thenReturn(spoofedForwarderFor);
return IndexHtmlRequestHandler.isAllowedDevToolsHost(configuration,
request);
};

// remote ip header is mandatory
Assert.assertFalse(verifier.test(null, null));
Assert.assertFalse(verifier.test(null, "1.2.3.4"));

// Should verify only remote ip header value
Assert.assertFalse(verifier.test("5.5.5.5", null));
Assert.assertFalse(verifier.test("5.5.5.5", "1.2.3.4,5.5.5.5"));
Assert.assertTrue(verifier.test("1.2.3.4", null));
Assert.assertTrue(verifier.test("5.6.7.8", "5.5.5.5,5.6.7.8"));
}

}
29 changes: 29 additions & 0 deletions vaadin-spring/src/main/java/com/vaadin/flow/spring/VaadinConfigurationProperties.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -185,6 +185,13 @@ public static class Devmode {
*/
private String hostsAllowed = "";

/**
* The name of the custom HTTP header that contains the client IP
Artur- marked this conversation as resolved.
Show resolved Hide resolved
* address. If not specified, {@literal X-Forwarded-For} will be
* checked.
*/
private String remoteAddressHeader;

/**
* Gets the hosts allowed to connect to the dev mode server.
*
Expand All @@ -205,6 +212,28 @@ public void setHostsAllowed(String hostsAllowed) {
this.hostsAllowed = hostsAllowed;
}

/**
* Gets the name of the custom HTTP header that contains the client IP
* address.
*
* @return the name of the custom HTTP header that contains the client
* IP address.
*/
public String getRemoteAddressHeader() {
return remoteAddressHeader;
}

/**
* Sets the name of the custom HTTP header that contains the client IP
* address.
*
* @param remoteAddressHeader
* the name of the custom HTTP header that contains the
* client IP address.
*/
public void setRemoteAddressHeader(String remoteAddressHeader) {
this.remoteAddressHeader = remoteAddressHeader;
}
}

/**
Expand Down
Loading