This function validate the hosts from ALLOWED_HOSTS before allowing HTTP request to avoid Host Header Injection attack :return: None/JSON response with 403 HTTP status code
()
| 791 | |
| 792 | @app.before_request |
| 793 | def limit_host_addr(): |
| 794 | """ |
| 795 | This function validate the hosts from ALLOWED_HOSTS before allowing |
| 796 | HTTP request to avoid Host Header Injection attack |
| 797 | :return: None/JSON response with 403 HTTP status code |
| 798 | """ |
| 799 | client_host = str(request.host).split(':', maxsplit=1)[0] |
| 800 | valid = True |
| 801 | allowed_hosts = config.ALLOWED_HOSTS |
| 802 | |
| 803 | if len(allowed_hosts) != 0: |
| 804 | regex = re.compile( |
| 805 | r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:/\d{1,2}|)') |
| 806 | # Create separate list for ip addresses and host names |
| 807 | ip_set = list(filter(lambda ip: regex.match(ip), allowed_hosts)) |
| 808 | host_set = list(filter(lambda ip: not regex.match(ip), |
| 809 | allowed_hosts)) |
| 810 | is_ip = regex.match(client_host) |
| 811 | if is_ip: |
| 812 | ip_address = [] |
| 813 | for ip in ip_set: |
| 814 | ip_address.extend(list(ipaddress.ip_network(ip))) |
| 815 | valid = ip_address.__contains__( |
| 816 | ipaddress.ip_address(client_host) |
| 817 | ) |
| 818 | else: |
| 819 | valid = host_set.__contains__(client_host) |
| 820 | |
| 821 | if not valid: |
| 822 | return make_json_response( |
| 823 | status=403, success=0, |
| 824 | errormsg=_("403 FORBIDDEN") |
| 825 | ) |
| 826 | |
| 827 | ########################################################################## |
| 828 | # Handle the desktop login |
nothing calls this directly
no test coverage detected