package session
import (
"fmt"
"net"
"net/http"
"strings"
"github.com/stashapp/stash/pkg/logger"
)
// ExternalAccessError is the error value used when the server was reached
// from an address that is not considered local. Its underlying value is the
// offending IP address.
type ExternalAccessError net.IP

// Error implements the error interface and renders the offending address.
func (e ExternalAccessError) Error() string {
	addr := net.IP(e)
	return fmt.Sprintf("stash accessed from external IP %s", addr.String())
}
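// CheckAllowPublicWithoutAuth rejects a request that reaches an
// unauthenticated instance from a non-local address.
//
// The check is skipped (nil is returned) when c.HasCredentials(),
// c.GetDangerousAllowPublicWithoutAuth() or c.IsNewSystem() returns true.
// Otherwise the direct peer (r.RemoteAddr) and every address listed in any
// X-Forwarded-For header must satisfy isLocalIP.
//
// It returns an ExternalAccessError carrying the first non-local address
// found, or a plain error when r.RemoteAddr cannot be parsed. An
// X-Forwarded-For entry that is not a valid IP is treated as non-local, so
// malformed headers fail closed (the returned ExternalAccessError then wraps
// a nil IP).
func CheckAllowPublicWithoutAuth(c ExternalAccessConfig, r *http.Request) error {
	if c.HasCredentials() || c.GetDangerousAllowPublicWithoutAuth() || c.IsNewSystem() {
		return nil
	}

	requestIPString, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return fmt.Errorf("error parsing remote host (%s): %w", r.RemoteAddr, err)
	}

	// presence of scope ID in IPv6 addresses prevents parsing. Remove if present
	if scopeIDIndex := strings.Index(requestIPString, "%"); scopeIDIndex != -1 {
		requestIPString = requestIPString[:scopeIDIndex]
	}

	requestIP := net.ParseIP(requestIPString)
	if requestIP == nil {
		return fmt.Errorf("unable to parse remote host (%s)", requestIPString)
	}

	// The direct peer must be local whether or not the request was proxied.
	// X-Forwarded-For is ordinary request data, so it is only consulted once
	// the peer that delivered it is known to be on the local network.
	if !isLocalIP(requestIP) {
		return ExternalAccessError(requestIP)
	}

	// Validate every X-Forwarded-For header line, not just the first one:
	// Header.Get returns only the first value, which would leave addresses
	// carried on additional header lines unchecked.
	for _, headerValue := range r.Header.Values("X-Forwarded-For") {
		if headerValue == "" {
			// An empty header value carries no proxy chain.
			continue
		}

		// Entries are comma separated; the space after the comma is optional,
		// so split on "," and trim instead of splitting on ", ".
		for _, entry := range strings.Split(headerValue, ",") {
			ip := net.ParseIP(strings.TrimSpace(entry))
			// ParseIP yields nil for anything that is not an IP address and
			// isLocalIP(nil) is false, so unparseable entries are rejected.
			if !isLocalIP(ip) {
				return ExternalAccessError(ip)
			}
		}
	}

	return nil
}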
// CheckExternalAccessTripwire reports whether the external-access tripwire
// recorded in the configuration is set.
//
// It returns nil when c.HasCredentials() or
// c.GetDangerousAllowPublicWithoutAuth() is true, or when
// c.GetSecurityTripwireAccessedFromPublicInternet() returns an empty string.
// Otherwise it returns a pointer to an ExternalAccessError built from the
// recorded address. The stored string is passed through net.ParseIP without
// validation, so a value that is not an IP yields an error wrapping a nil IP.
func CheckExternalAccessTripwire(c ExternalAccessConfig) *ExternalAccessError {
	if c.HasCredentials() || c.GetDangerousAllowPublicWithoutAuth() {
		return nil
	}

	recorded := c.GetSecurityTripwireAccessedFromPublicInternet()
	if recorded == "" {
		return nil
	}

	tripped := ExternalAccessError(net.ParseIP(recorded))
	return &tripped
}
// isLocalIP reports whether requestIP is a private, loopback or link-local
// unicast address, or lies inside 100.64.0.0/10. A nil IP is not local.
//
// NOTE(review): 100.64.0.0/10 is the shared address space used behind
// carrier-grade NAT, so "local" here is broader than the host's own LAN;
// confirm that trusting this range is intended for every deployment.
func isLocalIP(requestIP net.IP) bool {
	// The CIDR literal is constant and well formed, so the parse error is ignored.
	_, sharedAddrSpace, _ := net.ParseCIDR("100.64.0.0/10")

	switch {
	case requestIP.IsPrivate(), requestIP.IsLoopback(), requestIP.IsLinkLocalUnicast():
		return true
	default:
		return sharedAddrSpace.Contains(requestIP)
	}
}
// LogExternalAccessError writes an error-level log entry explaining that the
// instance was reached from a public IP without authentication, which config
// keys control the lockout, and where to find further documentation. The
// address logged is the one carried by err.
func LogExternalAccessError(err ExternalAccessError) {
	// Kept as a single format string so the whole notice is emitted in one log call.
	const notice = "Stash has been accessed from the internet (public IP %s), without authentication. \n" +
		"This is extremely dangerous! The whole world can see your stash page and browse your files! \n" +
		"You probably forwarded a port from your router. At the very least, add a password to stash in the settings. \n" +
		"Stash will not serve requests until you edit config.yml, remove the security_tripwire_accessed_from_public_internet key and restart stash. \n" +
		"This behaviour can be overridden (but not recommended) by setting dangerous_allow_public_without_auth to true in config.yml. \n" +
		"More information is available at https://docs.stashapp.cc/faq/setup/#protecting-against-accidental-exposure-to-the-internet \n" +
		"Stash is not answering any other requests to protect your privacy."

	publicIP := net.IP(err)
	logger.Errorf(notice, publicIP.String())
}