Validate the Host header before responding to requests

This commit is contained in:
Nariman Jelveh 2024-04-27 18:52:01 -07:00
parent 92f6c8003b
commit 053728a03f


@ -283,6 +283,29 @@ class WebServerService extends BaseService {
return next(); return next();
}); });
// Validate host header against allowed domains to prevent host header injection
// https://www.owasp.org/index.php/Host_Header_Injection
app.use((req, res, next)=>{
const allowedDomains = [config.domain.toLowerCase(), config.static_hosting_domain.toLowerCase()];
// Retrieve the Host header and ensure it's in a valid format
const hostHeader = req.headers.host;
if (!hostHeader) {
return res.status(400).send('Missing Host header.');
}
// Parse the Host header to isolate the hostname (strip out port if present)
const hostName = hostHeader.split(':')[0].trim().toLowerCase();
// Check if the hostname matches any of the allowed domains
if (allowedDomains.some(allowedDomain => hostName === allowedDomain)) {
next(); // Proceed if the host is valid
} else {
return res.status(400).send('Invalid Host header.');
}
})
app.use(express.json({limit: '50mb'})); app.use(express.json({limit: '50mb'}));
const cookieParser = require('cookie-parser'); const cookieParser = require('cookie-parser');