Forbid access to blacklisted routes

pull/2543/head
Solotchi Veaceslav 10 years ago
parent b0108b5ad5
commit bbcf34f020
  1. 5
      Gemfile
  2. 3
      Gemfile.lock
  3. 2
      config/application.rb
  4. 19
      config/configuration.yml.example
  5. 12
      config/initializers/rack-attack.rb
  6. 29
      doc/CONFIGURATION.md
  7. 3
      lib/open_project/configuration.rb
  8. 4
      lib/open_project/configuration/helpers.rb

@ -80,6 +80,11 @@ gem 'daemons'
# (see https://community.openproject.org/work_packages/3029) # (see https://community.openproject.org/work_packages/3029)
gem 'rack-protection', :git => "https://github.com/finnlabs/rack-protection.git", :ref => '5a7d1bd' gem 'rack-protection', :git => "https://github.com/finnlabs/rack-protection.git", :ref => '5a7d1bd'
# Rack::Attack is a rack middleware to protect your web app from bad clients.
# It allows whitelisting, blacklisting, throttling, and tracking based on arbitrary properties of the request.
# https://github.com/kickstarter/rack-attack
gem 'rack-attack'
gem 'syck', :platforms => [:ruby_20, :mingw_20, :ruby_21, :mingw_21], :require => false gem 'syck', :platforms => [:ruby_20, :mingw_20, :ruby_21, :mingw_21], :require => false
gem 'gon', '~> 4.0' gem 'gon', '~> 4.0'

@ -300,6 +300,8 @@ GEM
rack (1.4.5) rack (1.4.5)
rack-accept (0.4.5) rack-accept (0.4.5)
rack (>= 0.4) rack (>= 0.4)
rack-attack (4.2.0)
rack
rack-cache (1.2) rack-cache (1.2)
rack (>= 0.4) rack (>= 0.4)
rack-mount (0.8.3) rack-mount (0.8.3)
@ -494,6 +496,7 @@ DEPENDENCIES
pry-stack_explorer pry-stack_explorer
quiet_assets quiet_assets
rabl (= 0.9.3) rabl (= 0.9.3)
rack-attack
rack-protection! rack-protection!
rack-test (~> 0.6.2) rack-test (~> 0.6.2)
rack_session_access rack_session_access

@ -82,6 +82,8 @@ module OpenProject
env['PATH_INFO'] =~ /\/api\/v3/ env['PATH_INFO'] =~ /\/api\/v3/
} }
config.middleware.use Rack::Attack
# Custom directories with classes and modules you want to be autoloadable. # Custom directories with classes and modules you want to be autoloadable.
# config.autoload_paths += %W(#{config.root}/extras) # config.autoload_paths += %W(#{config.root}/extras)
config.autoload_paths << Rails.root.join('lib') config.autoload_paths << Rails.root.join('lib')

@ -132,6 +132,25 @@
# - plugins # - plugins
# - info # - info
# #
# Also there is a posibility to specify which routes are forbidden,
# they should be listed as an array in yml format more information
# regarding yml format you can find here:
# http://symfony.com/doc/current/components/yaml/yaml_format.html
# You can also use wildcards (*) in your url
#
# production:
# blacklisted_routes:
# - 'admin/info'
# - 'admin/plugins'
# - 'export_card_configurations'
# - 'project_types'
# - 'colors'
# - 'settings'
# - 'admin/enumerations'
# - 'workflows/*'
# - 'statuses'
# - 'types'
# - 'admin/roles'
# default configuration options for all environments # default configuration options for all environments

@ -0,0 +1,12 @@
if OpenProject::Configuration.blacklisted_routes.any?
# Block logins from a bad user agent
Rack::Attack.blacklist('block forbidden routes') do |req|
regex = OpenProject::Configuration.blacklisted_routes.map! { |str| Regexp.new(str) }
regex.any? { |i| i =~ req.path }
end
Rack::Attack.blacklisted_response = lambda do |_env|
# All blacklisted routes would return a 404.
[404, {}, ['Not found']]
end
end

@ -85,6 +85,7 @@ storage config above like this:
* [`attachments_storage`](#attachments-storage) (default: file) * [`attachments_storage`](#attachments-storage) (default: file)
* [`hidden_menu_items`](#hidden-menu-items) (default: {}) * [`hidden_menu_items`](#hidden-menu-items) (default: {})
* [`disabled_modules`](#disabled-modules) (default: []) * [`disabled_modules`](#disabled-modules) (default: [])
* [`blacklisted_routes`](#blacklisted-routes) (default: [])
### disable password login ### disable password login
@ -181,6 +182,34 @@ For instance 'Roles' and 'Types' under 'Administration' can be disabled by defin
OPENPROJECT_HIDDEN__MENU__ITEMS_ADMIN__MENU='roles types' OPENPROJECT_HIDDEN__MENU__ITEMS_ADMIN__MENU='roles types'
``` ```
### blacklisted routes
*default: []*
You can blacklist specific routes
The following example forbid all routes for above disabled menu:
```
blacklisted_routes:
- 'admin/info'
- 'admin/plugins'
- 'export_card_configurations'
- 'project_types'
- 'colors'
- 'settings'
- 'admin/enumerations'
- 'workflows/*'
- 'statuses'
- 'types'
- 'admin/roles'
```
The configuration can be overridden through environment variables.
```
OPENPROJECT_BLACKLISTED__ROUTES='admin/info admin/plugins'
```
### disabled modules ### disabled modules
*default: []* *default: []*

@ -77,7 +77,8 @@ module OpenProject
'disable_password_choice' => false, 'disable_password_choice' => false,
'disabled_modules' => [], # allow to disable default modules 'disabled_modules' => [], # allow to disable default modules
'hidden_menu_items' => {} 'hidden_menu_items' => {},
'blacklisted_routes' => []
} }
@config = nil @config = nil

@ -82,6 +82,10 @@ module OpenProject
array self['disabled_modules'] array self['disabled_modules']
end end
def blacklisted_routes
array self['blacklisted_routes']
end
def available_file_uploaders def available_file_uploaders
{ {
fog: ::FogFileUploader, fog: ::FogFileUploader,

Loading…
Cancel
Save