IdP: add safeguard --idp-h-key and also require --xff-src

2026-04-05 07:17:57 +10:00 · 2024-03-12 22:57:47 +00:00
parent e8b7f65f82
commit d71f844b43
7 changed files with 55 additions and 7 deletions
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -300,6 +300,7 @@ class HttpCli(object):
            zs = "%s:%s" % self.s.getsockname()[:2]
            self.host = zs[7:] if zs.startswith("::ffff:") else zs

+        trusted_xff = False
        n = self.args.rproxy
        if n:
            zso = self.headers.get(self.args.xff_hdr)
@@ -333,6 +334,7 @@ class HttpCli(object):
                    self.is_vproxied = bool(self.args.R)
                    self.log_src = self.conn.set_rproxy(self.ip)
                    self.host = self.headers.get("x-forwarded-host") or self.host
+                    trusted_xff = True

        if self.is_banned():
            return False
@@ -467,7 +469,41 @@ class HttpCli(object):
                    if self.args.idp_h_grp
                    else ""
                )
-                self.asrv.idp_checkin(self.conn.hsrv.broker, idp_usr, idp_grp)
+
+                if not trusted_xff:
+                    pip = self.conn.addr[0]
+                    trusted_xff = self.args.xff_re and self.args.xff_re.match(pip)
+
+                # always require --xff-src with idp, but check against original (xff_src) rather than computed value (xff_re) to allow 'any'
+                trusted_xff_strict = trusted_xff and self.args.xff_src
+
+                trusted_key = (
+                    not self.args.idp_h_key
+                ) or self.args.idp_h_key in self.headers
+
+                if trusted_key and trusted_xff_strict:
+                    self.asrv.idp_checkin(self.conn.hsrv.broker, idp_usr, idp_grp)
+                else:
+                    if not trusted_key:
+                        t = 'the idp-h-key header ("%s") is not present in the request; will NOT trust the other headers saying that the client\'s username is "%s" and group is "%s"'
+                        self.log(t % (self.args.idp_h_key, idp_usr, idp_grp), 3)
+
+                    if not trusted_xff_strict:
+                        t = 'got IdP headers from untrusted source "%s" claiming the client\'s username is "%s" and group is "%s";  if you trust this, you must allowlist this proxy with "--xff-src=%s"'
+                        if not self.args.idp_h_key:
+                            t += "  Note: you probably also want to specify --idp-h-key <SECRET-HEADER-NAME> for additional security"
+
+                        pip = self.conn.addr[0]
+                        zs = (
+                            ".".join(pip.split(".")[:2]) + "."
+                            if "." in pip
+                            else ":".join(pip.split(":")[:4]) + ":"
+                        )
+                        self.log(t % (pip, idp_usr, idp_grp, zs), 3)
+
+                    idp_usr = "*"
+                    idp_grp = ""
+
                if idp_usr in self.asrv.vfs.aread:
                    self.uname = idp_usr
                else: