MCPcopy Index your code
hub / github.com/pgadmin-org/pgadmin4 / limit_host_addr

Function limit_host_addr

web/pgadmin/__init__.py:793–825  ·  view source on GitHub ↗

This function validate the hosts from ALLOWED_HOSTS before allowing HTTP request to avoid Host Header Injection attack :return: None/JSON response with 403 HTTP status code

()

Source from the content-addressed store, hash-verified

791
792 @app.before_request
793 def limit_host_addr():
794 """
795 This function validate the hosts from ALLOWED_HOSTS before allowing
796 HTTP request to avoid Host Header Injection attack
797 :return: None/JSON response with 403 HTTP status code
798 """
799 client_host = str(request.host).split(':', maxsplit=1)[0]
800 valid = True
801 allowed_hosts = config.ALLOWED_HOSTS
802
803 if len(allowed_hosts) != 0:
804 regex = re.compile(
805 r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:/\d{1,2}|)')
806 # Create separate list for ip addresses and host names
807 ip_set = list(filter(lambda ip: regex.match(ip), allowed_hosts))
808 host_set = list(filter(lambda ip: not regex.match(ip),
809 allowed_hosts))
810 is_ip = regex.match(client_host)
811 if is_ip:
812 ip_address = []
813 for ip in ip_set:
814 ip_address.extend(list(ipaddress.ip_network(ip)))
815 valid = ip_address.__contains__(
816 ipaddress.ip_address(client_host)
817 )
818 else:
819 valid = host_set.__contains__(client_host)
820
821 if not valid:
822 return make_json_response(
823 status=403, success=0,
824 errormsg=_("403 FORBIDDEN")
825 )
826
827 ##########################################################################
828 # Handle the desktop login

Callers

nothing calls this directly

Calls 2

make_json_responseFunction · 0.90
extendMethod · 0.80

Tested by

no test coverage detected