chrissewell/hetty
1
0
Fork 0
mirror of https://github.com/dstotijn/hetty.git synced 2025-07-01 18:47:29 -04:00
Code Issues Packages Projects Releases Wiki Activity

Prevent DNS rebinding attack on admin routes

Browse Source
This commit is contained in:
David Stotijn
2022-05-22 15:59:35 +02:00
parent f7def87d0f
commit 57a3527667
1 changed files with 3 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
cmd/hetty/hetty.go
View File

@ -221,17 +221,12 @@ func (cmd *HettyCommand) Exec(ctx context.Context, _ []string) error {
hostname, _ := os.Hostname()
host, _, _ := net.SplitHostPort(req.Host)
// Serve local admin routes when either:
// - The `Host` is well-known, e.g. `hetty.proxy`, `localhost:[port]`
// or the listen addr `[host]:[port]`.
// - The request is not for TLS proxying (e.g. no `CONNECT`) and not
// for proxying an external URL. E.g. Request-Line (RFC 7230, Section 3.1.1)
// has no scheme.
// Serve local admin routes when the `Host` is well-known, e.g. `[hostname]:[port]`,
// `hetty.proxy`, `localhost:[port]` or the listen addr `[host]:[port]`.
return strings.EqualFold(host, hostname) ||
req.Host == "hetty.proxy" ||
req.Host == fmt.Sprintf("%v:%v", "localhost", listenPort) ||
req.Host == fmt.Sprintf("%v:%v", listenHost, listenPort) ||
req.Method != http.MethodConnect && !strings.HasPrefix(req.RequestURI, "http://")
req.Host == fmt.Sprintf("%v:%v", listenHost, listenPort)
}).Subrouter().StrictSlash(true)
// GraphQL server.