mirror of https://github.com/stashapp/stash.git
87 lines
2.9 KiB
Go
87 lines
2.9 KiB
Go
package session
|
|
|
|
import (
|
|
"fmt"
|
|
"net"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/stashapp/stash/pkg/logger"
|
|
)
|
|
|
|
type ExternalAccessError net.IP
|
|
|
|
func (e ExternalAccessError) Error() string {
|
|
return fmt.Sprintf("stash accessed from external IP %s", net.IP(e).String())
|
|
}
|
|
|
|
func CheckAllowPublicWithoutAuth(c ExternalAccessConfig, r *http.Request) error {
|
|
if !c.HasCredentials() && !c.GetDangerousAllowPublicWithoutAuth() && !c.IsNewSystem() {
|
|
requestIPString, _, err := net.SplitHostPort(r.RemoteAddr)
|
|
if err != nil {
|
|
return fmt.Errorf("error parsing remote host (%s): %w", r.RemoteAddr, err)
|
|
}
|
|
|
|
// presence of scope ID in IPv6 addresses prevents parsing. Remove if present
|
|
scopeIDIndex := strings.Index(requestIPString, "%")
|
|
if scopeIDIndex != -1 {
|
|
requestIPString = requestIPString[0:scopeIDIndex]
|
|
}
|
|
|
|
requestIP := net.ParseIP(requestIPString)
|
|
if requestIP == nil {
|
|
return fmt.Errorf("unable to parse remote host (%s)", requestIPString)
|
|
}
|
|
|
|
if r.Header.Get("X-FORWARDED-FOR") != "" {
|
|
// Request was proxied
|
|
proxyChain := strings.Split(r.Header.Get("X-FORWARDED-FOR"), ", ")
|
|
|
|
// validate proxies against local network only
|
|
if !isLocalIP(requestIP) {
|
|
return ExternalAccessError(requestIP)
|
|
} else {
|
|
// Safe to validate X-Forwarded-For
|
|
for i := range proxyChain {
|
|
ip := net.ParseIP(proxyChain[i])
|
|
if !isLocalIP(ip) {
|
|
return ExternalAccessError(ip)
|
|
}
|
|
}
|
|
}
|
|
|
|
} else if !isLocalIP(requestIP) { // request was not proxied
|
|
return ExternalAccessError(requestIP)
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func CheckExternalAccessTripwire(c ExternalAccessConfig) *ExternalAccessError {
|
|
if !c.HasCredentials() && !c.GetDangerousAllowPublicWithoutAuth() {
|
|
if remoteIP := c.GetSecurityTripwireAccessedFromPublicInternet(); remoteIP != "" {
|
|
err := ExternalAccessError(net.ParseIP(remoteIP))
|
|
return &err
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func isLocalIP(requestIP net.IP) bool {
|
|
_, cgNatAddrSpace, _ := net.ParseCIDR("100.64.0.0/10")
|
|
return requestIP.IsPrivate() || requestIP.IsLoopback() || requestIP.IsLinkLocalUnicast() || cgNatAddrSpace.Contains(requestIP)
|
|
}
|
|
|
|
func LogExternalAccessError(err ExternalAccessError) {
|
|
logger.Errorf("Stash has been accessed from the internet (public IP %s), without authentication. \n"+
|
|
"This is extremely dangerous! The whole world can see your stash page and browse your files! \n"+
|
|
"You probably forwarded a port from your router. At the very least, add a password to stash in the settings. \n"+
|
|
"Stash will not serve requests until you edit config.yml, remove the security_tripwire_accessed_from_public_internet key and restart stash. \n"+
|
|
"This behaviour can be overridden (but not recommended) by setting dangerous_allow_public_without_auth to true in config.yml. \n"+
|
|
"More information is available at https://docs.stashapp.cc/faq/setup/#protecting-against-accidental-exposure-to-the-internet \n"+
|
|
"Stash is not answering any other requests to protect your privacy.", net.IP(err).String())
|
|
}
|