fix: use base URL from rack env in UI

pact-foundation · Jan 26, 2021 · 5bf2132 · 5bf2132
1 parent ecacc40
commit 5bf2132
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/lib/pact_broker/ui/controllers/base_controller.rb b/lib/pact_broker/ui/controllers/base_controller.rb
@@ -12,7 +12,11 @@ class Base < Padrino::Application
         set :dump_errors, false # The padrino logger logs these for us. If this is enabled we get duplicate logging.
 
         def base_url
-          PactBroker.configuration.base_url || ''
+          # Using the X-Forwarded headers in the UI can leave the app vulnerable
+          # https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/
+          # Either use the explicitly configured base url or an empty string,
+          # rather than request.base_url, which uses the X-Forwarded headers.
+          env["pactbroker.base_url"] || ''
         end
       end
     end