WIP: fix IP disclosure when request doesnt have Host header

rundeck · May 24, 2024 · 0c1528a · 0c1528a
1 parent ed8163a
commit 0c1528a
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 0 deletions.
diff --git a/rundeckapp/grails-app/conf/spring/resources.groovy b/rundeckapp/grails-app/conf/spring/resources.groovy
@@ -887,6 +887,8 @@ beans={
             [it.key.toString(), it.value.toString()]
         }
         useForwardHeaders = useForwardHeadersConfig ?: Boolean.getBoolean('rundeck.jetty.connector.forwarded')
+        serverUrl = grailsApplication.config.getProperty('server.address', String.class)
+        serverPort = grailsApplication.config.getProperty('server.port', String.class)
     }
 
     def stsMaxAgeSeconds = grailsApplication.config.getProperty("rundeck.web.jetty.servlet.stsMaxAgeSeconds",Integer.class,-1)

diff --git a/rundeckapp/grails-app/init/rundeckapp/init/servlet/BanHttpMethodCustomizer.groovy b/rundeckapp/grails-app/init/rundeckapp/init/servlet/BanHttpMethodCustomizer.groovy
@@ -3,6 +3,7 @@ package rundeckapp.init.servlet
 import org.eclipse.jetty.http.HttpMethod
 import org.eclipse.jetty.http.HttpStatus
 import org.eclipse.jetty.server.Connector
+import org.eclipse.jetty.server.HostHeaderCustomizer
 import org.eclipse.jetty.server.HttpConfiguration
 import org.eclipse.jetty.server.HttpConnectionFactory
 import org.eclipse.jetty.server.Request
@@ -24,6 +25,28 @@ class BanHttpMethodCustomizer implements JettyServerCustomizer {
     }
 }
 
+class RundeckHostHeaderCustomizer implements JettyServerCustomizer {
+    String serverUrl
+    int serverPort
+
+    RundeckHostHeaderCustomizer(String serverUrl) {
+        this.serverUrl = serverUrl
+    }
+
+    RundeckHostHeaderCustomizer(String serverUrl, int serverPort) {
+        this.serverUrl = serverUrl
+        this.serverPort = serverPort
+    }
+
+    @Override
+    void customize(Server server) {
+        server.connectors.each {connector ->
+            HttpConfiguration config = connector.getConnectionFactory(HttpConnectionFactory.class).httpConfiguration
+            config.addCustomizer(new HostHeaderCustomizer(serverUrl, serverPort))
+        }
+    }
+}
+
 /**
  * Includes and validates paths and http methods banned for security reasons
  */

diff --git a/rundeckapp/grails-app/init/rundeckapp/init/servlet/JettyServletContainerCustomizer.groovy b/rundeckapp/grails-app/init/rundeckapp/init/servlet/JettyServletContainerCustomizer.groovy
@@ -17,6 +17,7 @@ package rundeckapp.init.servlet
 
 import com.dtolabs.rundeck.core.init.CustomWebAppInitializer
 import org.eclipse.jetty.server.Handler
+import org.eclipse.jetty.server.HostHeaderCustomizer
 import org.eclipse.jetty.server.Server
 import org.eclipse.jetty.server.handler.ContextHandler
 import org.eclipse.jetty.webapp.AbstractConfiguration
@@ -36,6 +37,8 @@ class JettyServletContainerCustomizer implements WebServerFactoryCustomizer<Jett
      */
     Map<String, String> initParams = [:]
     Boolean useForwardHeaders
+    String serverUrl
+    String serverPort
 
     @Override
     void customize(final JettyServletWebServerFactory factory) {
@@ -50,6 +53,7 @@ class JettyServletContainerCustomizer implements WebServerFactoryCustomizer<Jett
             }
         })
         factory.addServerCustomizers(new BanHttpMethodCustomizer())
+        factory.addServerCustomizers(new RundeckHostHeaderCustomizer(serverUrl, Integer.parseInt(serverPort ?: "4440")))
         factory.addConfigurations(new JettyConfigPropsInitParameterConfiguration(initParams))
         factory.useForwardHeaders=useForwardHeaders
     }