Validate the Host
header before responding to requests
parent
92f6c8003b
commit
053728a03f
@ -283,6 +283,29 @@ class WebServerService extends BaseService {
|
||||
return next();
|
||||
});
|
||||
|
||||
// Validate host header against allowed domains to prevent host header injection
|
||||
// https://www.owasp.org/index.php/Host_Header_Injection
|
||||
app.use((req, res, next)=>{
|
||||
const allowedDomains = [config.domain.toLowerCase(), config.static_hosting_domain.toLowerCase()];
|
||||
|
||||
// Retrieve the Host header and ensure it's in a valid format
|
||||
const hostHeader = req.headers.host;
|
||||
|
||||
if (!hostHeader) {
|
||||
return res.status(400).send('Missing Host header.');
|
||||
}
|
||||
|
||||
// Parse the Host header to isolate the hostname (strip out port if present)
|
||||
const hostName = hostHeader.split(':')[0].trim().toLowerCase();
|
||||
|
||||
// Check if the hostname matches any of the allowed domains
|
||||
if (allowedDomains.some(allowedDomain => hostName === allowedDomain)) {
|
||||
next(); // Proceed if the host is valid
|
||||
} else {
|
||||
return res.status(400).send('Invalid Host header.');
|
||||
}
|
||||
})
|
||||
|
||||
app.use(express.json({limit: '50mb'}));
|
||||
|
||||
const cookieParser = require('cookie-parser');
|
||||
|
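Review bot: `config.static_hosting_domain.toLowerCase()` at the top of the new middleware throws a TypeError on every request if that config key is unset, turning a misconfiguration into a per-request failure rather than a startup error, and the array is rebuilt on each request although it depends only on config. Hoist it above the `app.use` as `const allowedDomains = [config.domain, config.static_hosting_domain].filter(Boolean).map((d) => d.toLowerCase());` so a missing value is dropped once and the handler only does the comparison. Exact equality also rejects any subdomain of the static hosting domain; if hosted sites are served under subdomains of it, the check will need a separate `hostName.endsWith('.' + domain)` branch for that one domain — I can't confirm the hosting layout from the hunk. For consistency with `return next();` earlier in the hunk the success branch should read `return next();`, and the `})` closing the middleware needs a terminating semicolon. The enclosing method of WebServerService starts and ends outside the hunk.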