
Fix PR Add a setting flag to allow optional use of X-Forwarded-Host #2010

Closed


t0rchwo0d

No description provided.

t0rchwo0d (Author)

I'm sorry. I forgot to merge the updates from the main branch. Please wait a moment.

t0rchwo0d force-pushed the add-configuration-option-for-xfh branch from dda0e67 to 4c02543 on April 19, 2024 15:24
t0rchwo0d force-pushed the add-configuration-option-for-xfh branch from 4c02543 to 6b2a4cd on April 19, 2024 15:25
t0rchwo0d (Author)

I'm sorry. I forgot to merge the updates from the main branch. Please wait a moment.

It's done. Please review it.

dentarg (Member) left a comment

This is not the solution we are looking for. For example, this does not account for the forwarded header.

I think we want something like Rails has, where you can allow values you trust for the host and forwarded host header: https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization
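As an added illustration of the allowlist approach described in this comment (example code, not part of this pull request or of the project under review): the check below resolves every host a request could be interpreted as from Host, X-Forwarded-Host and the RFC 7239 Forwarded header, and requires all of them to match an allowlist, which a single use_x_forwarded_host switch cannot do. The Rack-style env hash keys and the HostCheck module name are assumptions.

```ruby
# Rails-style host authorization covering Host, X-Forwarded-Host and Forwarded.
# Constructed example; `env` is assumed to be a Rack-style request env hash.
module HostCheck
  # Allowlist entries are exact hosts ("example.com") or a leading-dot
  # pattern (".example.com") that matches the domain and its subdomains.
  def self.host_allowed?(host, allowed)
    return false if host.nil? || host.strip.empty?
    h = host.strip.downcase.sub(/:\d+\z/, "")   # ignore an explicit port
    allowed.any? do |entry|
      pattern = entry.downcase
      if pattern.start_with?(".")
        h == pattern[1..-1] || h.end_with?(pattern)
      else
        h == pattern
      end
    end
  end

  # Every host= parameter from an RFC 7239 Forwarded header, one per element:
  #   Forwarded: for=192.0.2.60;proto=http;host="api.example.com", host=cdn.example.com
  def self.forwarded_hosts(value)
    return [] if value.nil?
    value.split(",").map do |element|
      pair = element.split(";").map(&:strip).find { |p| p.downcase.start_with?("host=") }
      pair && pair.split("=", 2)[1].to_s.delete('"')
    end.compact
  end

  # All hosts the request could be read as: Host, each X-Forwarded-Host value
  # (the header may be comma-joined by several proxies) and each Forwarded host=.
  def self.candidate_hosts(env)
    hosts = [env["HTTP_HOST"]]
    if (xfh = env["HTTP_X_FORWARDED_HOST"])
      hosts.concat(xfh.split(",").map(&:strip))
    end
    hosts.concat(forwarded_hosts(env["HTTP_FORWARDED"]))
    hosts.compact.reject(&:empty?)
  end

  # Only accept the request when every candidate host is on the allowlist;
  # a trusted Host with an untrusted forwarded host is still rejected.
  def self.request_allowed?(env, allowed)
    hosts = candidate_hosts(env)
    !hosts.empty? && hosts.all? { |h| host_allowed?(h, allowed) }
  end
end
```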


t0rchwo0d commented Apr 19, 2024

This is not the solution we are looking for. For example, this does not account for the forwarded header.

I think we want something like Rails has, where you can allow values you trust for the host and forwarded host header: https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization

Hi, @dentarg

It's not Ruby, but I referred to Python Django's case.

I'm not a Ruby developer, so I chose the simplest way possible.

https://docs.djangoproject.com/en/5.0/ref/settings/#use-x-forwarded-host

Review comment on .gitignore (outdated, resolved)
Co-authored-by: zzak <zzakscott@gmail.com>
t0rchwo0d requested a review from dentarg on April 20, 2024 00:21

t0rchwo0d commented Apr 20, 2024

Hi, @dentarg

I think you want a similar approach to fixing the issue as in the Rails case.

Unfortunately, I'm not a Ruby expert but rather a security engineer, so I don't have the resources to write code at that level without any issues.

I mentioned it in the previous comment, but please also consider the approach used in Django for fixing the issue.

However, I can review the code for fixing the issue.
Thank you for your review.


dentarg commented Apr 20, 2024

As I've stated, just adding a setting use_x_forwarded_host does not cover the forwarded header.

t0rchwo0d (Author)

As I've stated, just adding a setting use_x_forwarded_host does not cover the forwarded header.

Okay, got it. I'll close this ticket.
Let me know if there are any updates on the reported issue.
I'll pass along the information to Snyk for reference.

Thank you for your review.

t0rchwo0d closed this on Apr 20, 2024