From 07ec8062e605ba4e9bd153e1d264b02ac4ab8a0f Mon Sep 17 00:00:00 2001
From: Genadi Samokovarov <gsamokovarov@gmail.com>
Date: Thu, 14 Jun 2018 11:09:00 +0300
Subject: Introduce a guard against DNS rebinding attacks

The ActionDispatch::HostAuthorization is a new middleware that prevent
against DNS rebinding and other Host header attacks. By default it is
included only in the development environment with the following
configuration:

    Rails.application.config.hosts = [
      IPAddr.new("0.0.0.0/0"), # All IPv4 addresses.
      IPAddr.new("::/0"),      # All IPv6 addresses.
      "localhost"              # The localhost reserved domain.
    ]

In other environments, `Rails.application.config.hosts` is empty and no
Host header checks will be done. If you want to guard against header
attacks on production, you have to manually permit the allowed hosts
with:

    Rails.application.config.hosts << "product.com"

The host of a request is checked against the hosts entries with the case
operator (#===), which lets hosts support entries of type RegExp,
Proc and IPAddr to name a few. Here is an example with a regexp.

    # Allow requests from subdomains like `www.product.com` and
    # `beta1.product.com`.
    Rails.application.config.hosts << /.*\.product\.com/

A special case is supported that allows you to permit all sub-domains:

    # Allow requests from subdomains like `www.product.com` and
    # `beta1.product.com`.
    Rails.application.config.hosts << ".product.com"
---
 .../action_dispatch/middleware/debug_exceptions.rb |  43 +--------
 .../lib/action_dispatch/middleware/debug_view.rb   |  50 ++++++++++
 .../middleware/host_authorization.rb               | 105 +++++++++++++++++++++
 .../templates/rescues/blocked_host.html.erb        |   7 ++
 .../templates/rescues/blocked_host.text.erb        |   5 +
 5 files changed, 169 insertions(+), 41 deletions(-)
 create mode 100644 actionpack/lib/action_dispatch/middleware/debug_view.rb
 create mode 100644 actionpack/lib/action_dispatch/middleware/host_authorization.rb
 create mode 100644 actionpack/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb
 create mode 100644 actionpack/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb

(limited to 'actionpack/lib/action_dispatch')

diff --git a/actionpack/lib/action_dispatch/middleware/debug_exceptions.rb b/actionpack/lib/action_dispatch/middleware/debug_exceptions.rb
index 7669767ae3..eadb59173d 100644
--- a/actionpack/lib/action_dispatch/middleware/debug_exceptions.rb
+++ b/actionpack/lib/action_dispatch/middleware/debug_exceptions.rb
@@ -3,53 +3,14 @@
 require "action_dispatch/http/request"
 require "action_dispatch/middleware/exception_wrapper"
 require "action_dispatch/routing/inspector"
+
 require "action_view"
 require "action_view/base"
 
-require "pp"
-
 module ActionDispatch
   # This middleware is responsible for logging exceptions and
   # showing a debugging page in case the request is local.
   class DebugExceptions
-    RESCUES_TEMPLATE_PATH = File.expand_path("templates", __dir__)
-
-    class DebugView < ActionView::Base
-      def debug_params(params)
-        clean_params = params.clone
-        clean_params.delete("action")
-        clean_params.delete("controller")
-
-        if clean_params.empty?
-          "None"
-        else
-          PP.pp(clean_params, +"", 200)
-        end
-      end
-
-      def debug_headers(headers)
-        if headers.present?
-          headers.inspect.gsub(",", ",\n")
-        else
-          "None"
-        end
-      end
-
-      def debug_hash(object)
-        object.to_hash.sort_by { |k, _| k.to_s }.map { |k, v| "#{k}: #{v.inspect rescue $!.message}" }.join("\n")
-      end
-
-      def render(*)
-        logger = ActionView::Base.logger
-
-        if logger && logger.respond_to?(:silence)
-          logger.silence { super }
-        else
-          super
-        end
-      end
-    end
-
     cattr_reader :interceptors, instance_accessor: false, default: []
 
     def self.register_interceptor(object = nil, &block)
@@ -152,7 +113,7 @@ module ActionDispatch
       end
 
       def create_template(request, wrapper)
-        DebugView.new([RESCUES_TEMPLATE_PATH],
+        DebugView.new(
           request: request,
           exception_wrapper: wrapper,
           exception: wrapper.exception,
diff --git a/actionpack/lib/action_dispatch/middleware/debug_view.rb b/actionpack/lib/action_dispatch/middleware/debug_view.rb
new file mode 100644
index 0000000000..ac12dc13a1
--- /dev/null
+++ b/actionpack/lib/action_dispatch/middleware/debug_view.rb
@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require "pp"
+
+require "action_view"
+require "action_view/base"
+
+module ActionDispatch
+  class DebugView < ActionView::Base # :nodoc:
+    RESCUES_TEMPLATE_PATH = File.expand_path("templates", __dir__)
+
+    def initialize(assigns)
+      super([RESCUES_TEMPLATE_PATH], assigns)
+    end
+
+    def debug_params(params)
+      clean_params = params.clone
+      clean_params.delete("action")
+      clean_params.delete("controller")
+
+      if clean_params.empty?
+        "None"
+      else
+        PP.pp(clean_params, +"", 200)
+      end
+    end
+
+    def debug_headers(headers)
+      if headers.present?
+        headers.inspect.gsub(",", ",\n")
+      else
+        "None"
+      end
+    end
+
+    def debug_hash(object)
+      object.to_hash.sort_by { |k, _| k.to_s }.map { |k, v| "#{k}: #{v.inspect rescue $!.message}" }.join("\n")
+    end
+
+    def render(*)
+      logger = ActionView::Base.logger
+
+      if logger && logger.respond_to?(:silence)
+        logger.silence { super }
+      else
+        super
+      end
+    end
+  end
+end
diff --git a/actionpack/lib/action_dispatch/middleware/host_authorization.rb b/actionpack/lib/action_dispatch/middleware/host_authorization.rb
new file mode 100644
index 0000000000..48f7c25216
--- /dev/null
+++ b/actionpack/lib/action_dispatch/middleware/host_authorization.rb
@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+require "action_dispatch/http/request"
+
+module ActionDispatch
+  # This middleware guards from DNS rebinding attacks by white-listing the
+  # hosts a request can be sent to.
+  #
+  # When a request comes to an unauthorized host, the +response_app+
+  # application will be executed and rendered. If no +response_app+ is given, a
+  # default one will run, which responds with +403 Forbidden+.
+  class HostAuthorization
+    class Permissions # :nodoc:
+      def initialize(hosts)
+        @hosts = sanitize_hosts(hosts)
+      end
+
+      def empty?
+        @hosts.empty?
+      end
+
+      def allows?(host)
+        @hosts.any? do |allowed|
+          begin
+            allowed === host
+          rescue
+            # IPAddr#=== raises an error if you give it a hostname instead of
+            # IP. Treat similar errors as blocked access.
+            false
+          end
+        end
+      end
+
+      private
+
+        def sanitize_hosts(hosts)
+          Array(hosts).map do |host|
+            case host
+            when Regexp then sanitize_regexp(host)
+            when String then sanitize_string(host)
+            else host
+            end
+          end
+        end
+
+        def sanitize_regexp(host)
+          /\A#{host}\z/
+        end
+
+        def sanitize_string(host)
+          if host.start_with?(".")
+            /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/
+          else
+            host
+          end
+        end
+    end
+
+    DEFAULT_RESPONSE_APP = -> env do
+      request = Request.new(env)
+
+      format = request.xhr? ? "text/plain" : "text/html"
+      template = DebugView.new(host: request.host)
+      body = template.render(template: "rescues/blocked_host", layout: "rescues/layout")
+
+      [403, {
+        "Content-Type" => "#{format}; charset=#{Response.default_charset}",
+        "Content-Length" => body.bytesize.to_s,
+      }, [body]]
+    end
+
+    def initialize(app, hosts, response_app = nil)
+      @app = app
+      @permissions = Permissions.new(hosts)
+      @response_app = response_app || DEFAULT_RESPONSE_APP
+    end
+
+    def call(env)
+      return @app.call(env) if @permissions.empty?
+
+      request = Request.new(env)
+
+      if authorized?(request)
+        mark_as_authorized(request)
+        @app.call(env)
+      else
+        @response_app.call(env)
+      end
+    end
+
+    private
+
+      def authorized?(request)
+        origin_host = request.get_header("HTTP_HOST").to_s.sub(/:\d+\z/, "")
+        forwarded_host = request.x_forwarded_host.to_s.split(/,\s?/).last.to_s.sub(/:\d+\z/, "")
+
+        @permissions.allows?(origin_host) &&
+          (forwarded_host.blank? || @permissions.allows?(forwarded_host))
+      end
+
+      def mark_as_authorized(request)
+        request.set_header("action_dispatch.authorized_host", request.host)
+      end
+  end
+end
diff --git a/actionpack/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb b/actionpack/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb
new file mode 100644
index 0000000000..2fa78dd385
--- /dev/null
+++ b/actionpack/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb
@@ -0,0 +1,7 @@
+<header>
+  <h1>Blocked host: <%= @host %></h1>
+</header>
+<div id="container">
+  <h2>To allow requests to <%= @host %>, add the following configuration:</h2>
+  <pre>Rails.application.config.hosts &lt;&lt; "<%= @host %>"</pre>
+</div>
diff --git a/actionpack/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb b/actionpack/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb
new file mode 100644
index 0000000000..4e2d1d0b08
--- /dev/null
+++ b/actionpack/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb
@@ -0,0 +1,5 @@
+Blocked host: <%= @host %>
+
+To allow requests to <%= @host %>, add the following configuration:
+
+  Rails.application.config.hosts << "<%= @host %>"
-- 
cgit v1.2.3