fix: 修复安全漏洞 (#1004)

修复认证系统的 xss 漏洞和 /api/auth 的 host 头攻击漏洞

.changeset/seven-glasses-rest.md

@@ -0,0 +1,8 @@
+---
+"@scow/gateway": minor
+"@scow/cli": minor
+"@scow/docs": minor
+"@scow/auth": patch
+---
+
+修复 scow 存在的 web 安全漏洞

apps/auth/views/login.liquid

@@ -97,7 +97,7 @@
               {% endif %}
 
               <input type="hidden" name="token" value="{{ token }}" />
-              <input type="hidden" name="callbackUrl" value="{{ callbackUrl }}" />
+              <input type="hidden" name="callbackUrl" value="{{ callbackUrl | escape }}" />
 
               {% if err %}
                 <p class="my-4 text-center text-red-600">{{ authTexts.login.invalidInput }}</p>
@@ -116,7 +116,7 @@
                 <button type="submit" name="action" value="bindOtp" class="px text-gray-400">
                   {{ authTexts.login.bindOtp }}
                 </button>
-                <input type="hidden" name="callbackUrl" value="{{ callbackUrl }}" />
+                <input type="hidden" name="callbackUrl" value="{{ callbackUrl | escape }}" />
               </form>
             </div>
           {% endif %}

apps/auth/views/otp/bindOtp.liquid

@@ -23,7 +23,7 @@
               <button type="submit" name="action" value="backToLoginUI" class="text-x text-gray-500 mr-4">
                 {{ authTexts.bindOtp.returnLogin }}
               </button>
-              <input type="hidden" name="callbackUrl" value="{{ callbackUrl }}">
+              <input type="hidden" name="callbackUrl" value="{{ callbackUrl | escape }}">
             </form>
           </div>
         {% unless bindLimitMinutes %}
@@ -53,7 +53,7 @@
                 {{ authTexts.bindOtp.confirm }}
             </button>
           </div>
-          <input type="hidden" name="callbackUrl" value="{{ callbackUrl }}">
+          <input type="hidden" name="callbackUrl" value="{{ callbackUrl | escape }}">
         </form>
 
         {%  else %}
@@ -113,7 +113,7 @@
           </div>
           <input type="hidden" name="otpSessionToken" value="{{ otpSessionToken }}" />
           <input type="hidden" name="emailAddress" value="{{ emailAddress }}" />
-          <input type="hidden" name="callbackUrl" value="{{ callbackUrl }}">
+          <input type="hidden" name="callbackUrl" value="{{ callbackUrl | escape }}">
         </form>
         {% endunless %}
         </div>

apps/auth/views/otp/qrcode.liquid

@@ -4,5 +4,5 @@
   <input
     type="hidden"
     name="callbackUrl"
-    value="{{ callbackUrl }}">
+    value="{{ callbackUrl | escape }}">
 </div>

apps/cli/assets/install.yaml

@@ -129,6 +129,9 @@
 #             include includes/headers;
 #             include includes/websocket;
 #          }
+#   # 允许访问的域名或 IP，多个域名或 IP 间用空格隔开
+#   # 默认接受所有域名和 IP,"_" 即表示接受所有域名和 IP
+#   allowedServerName: "_"
 
 # 插件配置
 # plugins:

apps/cli/src/compose/index.ts

@@ -113,6 +113,10 @@ export const createComposeSpec = (config: InstallConfigSchema) => {
   const publicPath = "/__public__/";
   const publicDir = "/app/apps/gateway/public/";
 
+  const defaultServerBlock = `server {
+    listen 80 default_server;
+    return 444;
+  }`;
   // GATEWAY
   addService("gateway", {
     image: scowImage,
@@ -126,6 +130,8 @@ export const createComposeSpec = (config: InstallConfigSchema) => {
       "PUBLIC_PATH": publicPath,
       "PUBLIC_DIR": publicDir,
       "EXTRA": config.gateway.extra,
+      "ALLOWED_SERVER_NAME": config.gateway.allowedServerName,
+      "DEFAULT_SERVER_BLOCK": config.gateway.allowedServerName === "_" ? "" : defaultServerBlock,
     },
     ports: { [config.port]: 80 },
     volumes: {

apps/cli/src/config/install.ts

@@ -45,6 +45,11 @@ export const InstallConfigSchema = Type.Object({
       description: "更多nginx配置，可接受的格式为nginx的server可接受的属性配置，可增加在当前系统nginx端口（默认80）的服务等",
       default: "",
     }),
+
+    allowedServerName: Type.String({
+      description: "允许访问的域名或 IP",
+      default: "_",
+    }),
   }, { default: {} }),
 
   portal: Type.Optional(Type.Object({

apps/gateway/assets/nginx.conf

@@ -1,5 +1,7 @@
 server {
 
+  server_name ${ALLOWED_SERVER_NAME};
+
   resolver ${RESOLVER} valid=10s;
   resolver_timeout 5s;
 
@@ -60,3 +62,5 @@ server {
 
   ${EXTRA}
 }
+
+${DEFAULT_SERVER_BLOCK}

apps/gateway/src/env.ts

@@ -35,5 +35,8 @@ export const config = envConfig({
 
   PUBLIC_DIR: str({ desc: "静态文件在文件系统中的路径。以/结尾", default: "/app/apps/gateway/public/" }),
   PUBLIC_PATH: str({ desc: "静态文件路径前缀。以/开头，以/结尾", default: "/__public__/" }),
+
+  ALLOWED_SERVER_NAME: str({ desc: "允许访问的域名或 IP，多个域名和 IP 间用空格隔开", default: "_" }),
+  DEFAULT_SERVER_BLOCK: str({ desc: "当配置了ALLOWED_SERVER_NAME为特定IP或域名时，设置默认服务块拒绝其他访问", default: "" }),
 });
 

docs/docs/deploy/config/gateway/config/index.md

@@ -15,15 +15,29 @@ title: 配置
 ```yaml title="install.yml"
 # 网关配置
 gateway:
-   # 更多nginx配置
-    extra: >
-        location /extra {
-            proxy_pass http://extra-web:3000;
-            include includes/headers;
-            include includes/websocket;
-         }
+  # 更多nginx配置
+  extra: >
+      location /extra {
+          proxy_pass http://extra-web:3000;
+          include includes/headers;
+          include includes/websocket;
+        }
 ```
 
 您增加`extra`配置后，可以在使用`./cli compose up -d`启动scow后，使用 ` ./cli compose exec gateway sh` 进入gateway服务，在 `/etc/nginx/http.d` 目录下的 `default.conf` 文件最下方查看到您添加的配置。
 如果gateway服务启动失败，说明您的配置不符合规范，请保证其正确性。
 
+## 域名白名单配置
+
+scow 网关默认不限制 HTTP Host 头
+
+为了防止 host 头攻击的发生，可以通过设置域名白名单来限制 Host 的域名或 IP
+
+```
+gateway:
+  # 同 nginx server_name 配置
+  allowedServerName: example.com www.example.com
+```
+
+多个域名或 IP 间用空格间隔即可。
+