Prevent DNS rebinding attack on admin routes

2025-07-01 18:47:29 -04:00 · 2022-05-22 15:59:35 +02:00
2 changed files with 9 additions and 14 deletions
--- a/admin/yarn.lock
+++ b/admin/yarn.lock
@ -3806,9 +3806,9 @@ json-to-pretty-yaml@^1.2.2:
    remove-trailing-spaces "^1.0.6"

 json5@^1.0.1:
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/json5/-/json5-1.0.2.tgz#63d98d60f21b313b77c4d6da18bfa69d80e1d593"
-  integrity sha512-g1MWMLBiz8FKi1e4w0UyVL3w+iJceWAFBAaBnnGKOpNa5f8TLktkbre1+s6oICydWAm+HRUGTmI+//xv2hvXYA==
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/json5/-/json5-1.0.1.tgz#779fb0018604fa854eacbf6252180d83543e3dbe"
+  integrity sha512-aKS4WQjPenRxiQsC93MNfjx+nbF4PAdYzmd/1JIj8HYzqfbu86beTuNgXDzPknWk0n0uARlyewZo4s++ES36Ow==
  dependencies:
    minimist "^1.2.0"

@ -4242,9 +4242,9 @@ minimatch@^3.0.4, minimatch@^3.1.2:
    brace-expansion "^1.1.7"

 minimist@^1.2.0, minimist@^1.2.6, minimist@~1.2.5:
-  version "1.2.7"
-  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.7.tgz#daa1c4d91f507390437c6a8bc01078e7000c4d18"
-  integrity sha512-bzfL1YUZsP41gmu/qjrEk0Q6i2ix/cVeAhbCbqH9u3zYutS1cLg00qhrD0M2MVdCcx4Sc0UpP2eBWo9rotpq6g==
+  version "1.2.6"
+  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.6.tgz#8637a5b759ea0d6e98702cfb3a9283323c93af44"
+  integrity sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==

 mkdirp@^1.0.4:
  version "1.0.4"
--- a/cmd/hetty/hetty.go
+++ b/cmd/hetty/hetty.go
@ -221,17 +221,12 @@ func (cmd *HettyCommand) Exec(ctx context.Context, _ []string) error {
 		hostname, _ := os.Hostname()
 		host, _, _ := net.SplitHostPort(req.Host)

-		// Serve local admin routes when either:
-		// - The `Host` is well-known, e.g. `hetty.proxy`, `localhost:[port]`
-		//   or the listen addr `[host]:[port]`.
-		// - The request is not for TLS proxying (e.g. no `CONNECT`) and not
-		//   for proxying an external URL. E.g. Request-Line (RFC 7230, Section 3.1.1)
-		//   has no scheme.
+		// Serve local admin routes when the `Host` is well-known, e.g. `[hostname]:[port]`,
+		// `hetty.proxy`, `localhost:[port]` or the listen addr `[host]:[port]`.
 		return strings.EqualFold(host, hostname) ||
 			req.Host == "hetty.proxy" ||
 			req.Host == fmt.Sprintf("%v:%v", "localhost", listenPort) ||
-			req.Host == fmt.Sprintf("%v:%v", listenHost, listenPort) ||
-			req.Method != http.MethodConnect && !strings.HasPrefix(req.RequestURI, "http://")
+			req.Host == fmt.Sprintf("%v:%v", listenHost, listenPort)
 	}).Subrouter().StrictSlash(true)

 	// GraphQL server.