Add Trusted Origins to CSRF Handler (#2301)

Enables the user to add addresses that they expect incoming connections
to come from. Helpful in cases where TLS termination is handled by a
load balancer upstream, rather than the application itself.
This commit is contained in:
Mark Cabanero 2022-09-06 07:20:19 -07:00 committed by GitHub
parent 3863ad31b9
commit 78e9a51168
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 11 additions and 2 deletions

View file

@ -3,7 +3,8 @@
"listen_url": "127.0.0.1:3333", "listen_url": "127.0.0.1:3333",
"use_tls": true, "use_tls": true,
"cert_path": "gophish_admin.crt", "cert_path": "gophish_admin.crt",
"key_path": "gophish_admin.key" "key_path": "gophish_admin.key",
"trusted_origins": []
}, },
"phish_server": { "phish_server": {
"listen_url": "0.0.0.0:80", "listen_url": "0.0.0.0:80",

View file

@ -15,6 +15,7 @@ type AdminServer struct {
KeyPath string `json:"key_path"` KeyPath string `json:"key_path"`
CSRFKey string `json:"csrf_key"` CSRFKey string `json:"csrf_key"`
AllowedInternalHosts []string `json:"allowed_internal_hosts"` AllowedInternalHosts []string `json:"allowed_internal_hosts"`
TrustedOrigins []string `json:"trusted_origins"`
} }
// PhishServer represents the Phish server configuration details // PhishServer represents the Phish server configuration details

View file

@ -154,7 +154,8 @@ func (as *AdminServer) registerRoutes() {
} }
csrfHandler := csrf.Protect(csrfKey, csrfHandler := csrf.Protect(csrfKey,
csrf.FieldName("csrf_token"), csrf.FieldName("csrf_token"),
csrf.Secure(as.config.UseTLS)) csrf.Secure(as.config.UseTLS),
csrf.TrustedOrigins(as.config.TrustedOrigins))
adminHandler := csrfHandler(router) adminHandler := csrfHandler(router)
adminHandler = mid.Use(adminHandler.ServeHTTP, mid.CSRFExceptions, mid.GetContext, mid.ApplySecurityHeaders) adminHandler = mid.Use(adminHandler.ServeHTTP, mid.CSRFExceptions, mid.GetContext, mid.ApplySecurityHeaders)

View file

@ -25,6 +25,12 @@ if [ -n "${ADMIN_KEY_PATH+set}" ] ; then
'.admin_server.key_path = $ADMIN_KEY_PATH' config.json > config.json.tmp && \ '.admin_server.key_path = $ADMIN_KEY_PATH' config.json > config.json.tmp && \
cat config.json.tmp > config.json cat config.json.tmp > config.json
fi fi
if [ -n "${ADMIN_TRUSTED_ORIGINS+set}" ] ; then
jq -r \
--arg ADMIN_TRUSTED_ORIGINS "${ADMIN_TRUSTED_ORIGINS}" \
'.admin_server.trusted_origins = ($ADMIN_TRUSTED_ORIGINS|split(","))' config.json > config.json.tmp && \
cat config.json.tmp > config.json
fi
# set config for phish_server # set config for phish_server
if [ -n "${PHISH_LISTEN_URL+set}" ] ; then if [ -n "${PHISH_LISTEN_URL+set}" ] ; then