
Incorrect application's requests. #565

Closed

mrlsecurity opened this issue Jan 26, 2021 · 5 comments
Labels: bug (Something isn't working), confirmed (Selected for development)

Comments

@mrlsecurity

Describe the bug
The application makes requests to http://localhost:5000/api/login, but:

  1. CSP blocks it, because I access the app via an internal IP, such as 172.17.0.60:5000.
  2. I don't have Bulwark locally, so a request to http://localhost is useless.

(screenshot)

For deploying I use docker-compose 1.28 (latest).
The .env file is the default one.

Steps to Reproduce
Steps to reproduce the behavior:

  1. deploy via docker-compose on a remote machine
  2. access an application across the web via remote IP
  3. try to login
  4. See error

I also tried changing the .env file to provide the prod URL as the IP of the remote machine, but it didn't work. The issue is similar to number 443? But I DO NOT NEED to access the application via the "localhost" URL locally...

@mrlsecurity mrlsecurity added the bug Something isn't working label Jan 26, 2021
@alejandrosaenz117 alejandrosaenz117 added the confirmed Selected for development label Jan 26, 2021
@alejandrosaenz117
Collaborator

@lizzmack101 thanks for submitting the bug. This might be related to helmetjs/helmet#237 as default-src is mandatory with Helmet. We will take a look.

@mrlsecurity
Author

Thanks for the fast CSP fix. I'd like to mention that the problem of the incorrect request address is present too.
Also, as I see in the Docker Bulwark logs after deployment, the last action is like the following, and I suppose this could be the problem, because it doesn't see a .env file in the root dir of the application:
(screenshot)

Hope this will help to understand what I mean.

@alejandrosaenz117
Collaborator

> Thanks for the fast CSP fix. I'd like to mention that the problem of the incorrect request address is present too.
> Also, as I see in the Docker Bulwark logs after deployment, the last action is like the following, and I suppose this could be the problem, because it doesn't see a .env file in the root dir of the application:
> (screenshot)
>
> Hope this will help to understand what I mean.

@lizzmack101 you are correct and this is a separate issue that we are investigating. It looks like we are missing two process.env variables in our .env file instructions. As you can see in the following code we have written:

const serverPort = process.env.PORT || 5000;
const serverIpAddress = process.env.IP || '127.0.0.1';

If we do not provide the PORT and IP it'll set default values (localhost). Could you try adding two additional process.env variables to your .env to see if it fixes the issue?

PORT: "5000"
IP: "172.17.0.60"

@mrlsecurity
Author

So, I added the IP and PORT lines to .env:
IP=172.17.0.60
port=5000

but the logs inside the container still don't see the .env file. Nothing changed in this case. See the following screens:
(screenshots)

After that, I cp the .env inside the "bulwark" container:
(screenshot)
and restart the containers:
(screenshots)
but the application still enforces the "localhost" URL in the login request:
(screenshot)

After this, I go inside the "bulwark" container and edit .env like this:
(screenshot)

Restart again:

(screenshot)

and still a localhost request on the login page:
(screenshot)

@alejandrosaenz117 alejandrosaenz117 self-assigned this Jan 28, 2021
@alejandrosaenz117
Collaborator

@lizzmack101 Thank you for your patience. We've been working behind the scenes to attempt to resolve this issue. The main cause of this bug was due to the fact that Angular had http://localhost:5000 hardcoded in the environment files. We have modified the application scripts to dynamically update Angular's environment with the correct API URL. This fix has been pushed to the develop branch and will be available in a week or two in the main branch. If you would like to test the fixed code, please checkout the develop branch and let us know. That would be greatly appreciated.

We have updated the README with the latest changes. Essentially, we have an additional environment variable for the server address:

MYSQL_DATABASE="bulwark"
MYSQL_PASSWORD="bulwark"
MYSQL_ROOT_PASSWORD="bulwark"
MYSQL_USER="root"
MYSQL_DB_CHECK="mysql"
DB_PASSWORD="bulwark"
DB_URL="172.16.16.3"
DB_ROOT="root"
DB_USERNAME="bulwark"
DB_PORT=3306
DB_NAME="bulwark"
DB_TYPE="mysql"
NODE_ENV="production"
DEV_URL="http://localhost:4200"
SERVER_ADDRESS="http://localhost"
PORT=5000
JWT_KEY="changeme"
JWT_REFRESH_KEY="changeme"
CRYPTO_SECRET="changeme"
CRYPTO_SALT="changeme"

Additionally, we have created the script `npm run config` to dynamically update the Angular environment based on SERVER_ADDRESS and PORT. Additional information can be found here.

We look forward to hearing back from you!
