stash/pkg/session/authentication.go

87 lines
2.9 KiB
Go

package session
import (
"fmt"
"net"
"net/http"
"strings"
"github.com/stashapp/stash/pkg/logger"
)
type ExternalAccessError net.IP
func (e ExternalAccessError) Error() string {
return fmt.Sprintf("stash accessed from external IP %s", net.IP(e).String())
}
func CheckAllowPublicWithoutAuth(c ExternalAccessConfig, r *http.Request) error {
if !c.HasCredentials() && !c.GetDangerousAllowPublicWithoutAuth() && !c.IsNewSystem() {
requestIPString, _, err := net.SplitHostPort(r.RemoteAddr)
if err != nil {
return fmt.Errorf("error parsing remote host (%s): %w", r.RemoteAddr, err)
}
// presence of scope ID in IPv6 addresses prevents parsing. Remove if present
scopeIDIndex := strings.Index(requestIPString, "%")
if scopeIDIndex != -1 {
requestIPString = requestIPString[0:scopeIDIndex]
}
requestIP := net.ParseIP(requestIPString)
if requestIP == nil {
return fmt.Errorf("unable to parse remote host (%s)", requestIPString)
}
if r.Header.Get("X-FORWARDED-FOR") != "" {
// Request was proxied
proxyChain := strings.Split(r.Header.Get("X-FORWARDED-FOR"), ", ")
// validate proxies against local network only
if !isLocalIP(requestIP) {
return ExternalAccessError(requestIP)
} else {
// Safe to validate X-Forwarded-For
for i := range proxyChain {
ip := net.ParseIP(proxyChain[i])
if !isLocalIP(ip) {
return ExternalAccessError(ip)
}
}
}
} else if !isLocalIP(requestIP) { // request was not proxied
return ExternalAccessError(requestIP)
}
}
return nil
}
func CheckExternalAccessTripwire(c ExternalAccessConfig) *ExternalAccessError {
if !c.HasCredentials() && !c.GetDangerousAllowPublicWithoutAuth() {
if remoteIP := c.GetSecurityTripwireAccessedFromPublicInternet(); remoteIP != "" {
err := ExternalAccessError(net.ParseIP(remoteIP))
return &err
}
}
return nil
}
func isLocalIP(requestIP net.IP) bool {
_, cgNatAddrSpace, _ := net.ParseCIDR("100.64.0.0/10")
return requestIP.IsPrivate() || requestIP.IsLoopback() || requestIP.IsLinkLocalUnicast() || cgNatAddrSpace.Contains(requestIP)
}
func LogExternalAccessError(err ExternalAccessError) {
logger.Errorf("Stash has been accessed from the internet (public IP %s), without authentication. \n"+
"This is extremely dangerous! The whole world can see your stash page and browse your files! \n"+
"You probably forwarded a port from your router. At the very least, add a password to stash in the settings. \n"+
"Stash will not serve requests until you edit config.yml, remove the security_tripwire_accessed_from_public_internet key and restart stash. \n"+
"This behaviour can be overridden (but not recommended) by setting dangerous_allow_public_without_auth to true in config.yml. \n"+
"More information is available at https://docs.stashapp.cc/faq/setup/#protecting-against-accidental-exposure-to-the-internet \n"+
"Stash is not answering any other requests to protect your privacy.", net.IP(err).String())
}