From 78e9a5116845e0dbe09d02c2bd1f85c3e6f69de1 Mon Sep 17 00:00:00 2001
From: Mark Cabanero <4522043+mcab@users.noreply.github.com>
Date: Tue, 6 Sep 2022 07:20:19 -0700
Subject: [PATCH] Add Trusted Origins to CSRF Handler (#2301)

Enables the user to add addresses that they expect incoming connections
to come from. Helpful in cases where TLS termination is handled by a
load balancer upstream, rather than the application itself.
---
 config.json          | 3 ++-
 config/config.go     | 1 +
 controllers/route.go | 3 ++-
 docker/run.sh        | 6 ++++++
 4 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/config.json b/config.json
index a2b813eb..8d6ff39d 100644
--- a/config.json
+++ b/config.json
@@ -3,7 +3,8 @@
 		"listen_url": "127.0.0.1:3333",
 		"use_tls": true,
 		"cert_path": "gophish_admin.crt",
-		"key_path": "gophish_admin.key"
+		"key_path": "gophish_admin.key",
+		"trusted_origins": []
 	},
 	"phish_server": {
 		"listen_url": "0.0.0.0:80",
diff --git a/config/config.go b/config/config.go
index 98ec6b6a..62b7a850 100644
--- a/config/config.go
+++ b/config/config.go
@@ -15,6 +15,7 @@ type AdminServer struct {
 	KeyPath              string   `json:"key_path"`
 	CSRFKey              string   `json:"csrf_key"`
 	AllowedInternalHosts []string `json:"allowed_internal_hosts"`
+	TrustedOrigins       []string `json:"trusted_origins"`
 }
 
 // PhishServer represents the Phish server configuration details
diff --git a/controllers/route.go b/controllers/route.go
index 72285518..382039fb 100644
--- a/controllers/route.go
+++ b/controllers/route.go
@@ -154,7 +154,8 @@ func (as *AdminServer) registerRoutes() {
 	}
 	csrfHandler := csrf.Protect(csrfKey,
 		csrf.FieldName("csrf_token"),
-		csrf.Secure(as.config.UseTLS))
+		csrf.Secure(as.config.UseTLS),
+		csrf.TrustedOrigins(as.config.TrustedOrigins))
 	adminHandler := csrfHandler(router)
 	adminHandler = mid.Use(adminHandler.ServeHTTP, mid.CSRFExceptions, mid.GetContext, mid.ApplySecurityHeaders)
 
diff --git a/docker/run.sh b/docker/run.sh
index 17cceb5d..bdfc22fa 100755
--- a/docker/run.sh
+++ b/docker/run.sh
@@ -25,6 +25,12 @@ if [ -n "${ADMIN_KEY_PATH+set}" ] ; then
         '.admin_server.key_path = $ADMIN_KEY_PATH' config.json > config.json.tmp && \
         cat config.json.tmp > config.json
 fi
+if [ -n "${ADMIN_TRUSTED_ORIGINS+set}" ] ; then
+    jq -r \
+        --arg ADMIN_TRUSTED_ORIGINS "${ADMIN_TRUSTED_ORIGINS}" \
+        '.admin_server.trusted_origins = ($ADMIN_TRUSTED_ORIGINS|split(","))' config.json > config.json.tmp && \
+        cat config.json.tmp > config.json
+fi
 
 # set config for phish_server
 if [ -n "${PHISH_LISTEN_URL+set}" ] ; then