From 82de636b5c424f0e38b4b64c8614bd57334f6c9e Mon Sep 17 00:00:00 2001 From: fit2bot <68588906+fit2bot@users.noreply.github.com> Date: Sun, 27 Sep 2020 11:48:21 +0800 Subject: [PATCH] =?UTF-8?q?perf(common):=20=E6=A3=80=E6=9F=A5referer=20(#4?= =?UTF-8?q?697)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: ibuler --- apps/jumpserver/conf.py | 5 ++++- apps/jumpserver/middleware.py | 28 +++++++++++++++++++++++++++- apps/jumpserver/settings/base.py | 5 +++-- apps/jumpserver/settings/custom.py | 1 + 4 files changed, 35 insertions(+), 4 deletions(-) diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py index bd1cbd439..11529202f 100644 --- a/apps/jumpserver/conf.py +++ b/apps/jumpserver/conf.py @@ -269,7 +269,10 @@ class Config(dict): 'TIME_ZONE': 'Asia/Shanghai', 'CHANGE_AUTH_PLAN_SECURE_MODE_ENABLED': True, 'USER_LOGIN_SINGLE_MACHINE_ENABLED': False, - 'TICKETS_ENABLED': True + 'TICKETS_ENABLED': True, + 'SESSION_COOKIE_SECURE': False, + 'CSRF_COOKIE_SECURE': False, + 'REFERER_CHECK_ENABLED': False, } def compatible_auth_openid_of_key(self): diff --git a/apps/jumpserver/middleware.py b/apps/jumpserver/middleware.py index 277d8492a..8e4696a0f 100644 --- a/apps/jumpserver/middleware.py +++ b/apps/jumpserver/middleware.py @@ -3,9 +3,11 @@ import os import re import pytz +from django.core.exceptions import MiddlewareNotUsed from django.utils import timezone from django.shortcuts import HttpResponse from django.conf import settings +from django.http.response import HttpResponseForbidden from .utils import set_current_request 
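Review bot: The three new keys added to the Config defaults carry no comment saying what they switch, and `SESSION_COOKIE_SECURE` and `CSRF_COOKIE_SECURE` both default to False, so unless a deployment overrides them the session and CSRF cookies keep being issued without the Secure flag. A one-line comment per key would tell operators what they are opting into, e.g. `# SESSION_COOKIE_SECURE / CSRF_COOKIE_SECURE: set True on HTTPS-only deployments` and `# REFERER_CHECK_ENABLED: gates jumpserver.middleware.RefererCheckMiddleware`. The defaults dict and the enclosing Config class start outside the hunk. The middleware import hunk that follows on this line is trivial and needs nothing.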
@@ -61,7 +63,31 @@ class RequestMiddleware: set_current_request(request) response = self.get_response(request) is_request_api = request.path.startswith('/api') - if not settings.SESSION_EXPIRE_AT_BROWSER_CLOSE and not is_request_api: + if not settings.SESSION_EXPIRE_AT_BROWSER_CLOSE and \ + not is_request_api: age = request.session.get_expiry_age() request.session.set_expiry(age) return response + + +class RefererCheckMiddleware: + def __init__(self, get_response): + if not settings.REFERER_CHECK_ENABLED: + raise MiddlewareNotUsed + self.get_response = get_response + self.http_pattern = re.compile('https?://') + + def check_referer(self, request): + referer = request.META.get('HTTP_REFERER', '') + referer = self.http_pattern.sub('', referer) + if not referer: + return True + remote_host = request.get_host() + return referer.startswith(remote_host) + + def __call__(self, request): + match = self.check_referer(request) + if not match: + return HttpResponseForbidden('CSRF CHECK ERROR') + response = self.get_response(request) + return response diff --git a/apps/jumpserver/settings/base.py b/apps/jumpserver/settings/base.py index 0f8cf98a8..c041d8c96 100644 --- a/apps/jumpserver/settings/base.py +++ b/apps/jumpserver/settings/base.py @@ -81,6 +81,7 @@ MIDDLEWARE = [ 'jumpserver.middleware.TimezoneMiddleware', 'jumpserver.middleware.DemoMiddleware', 'jumpserver.middleware.RequestMiddleware', + 'jumpserver.middleware.RefererCheckMiddleware', 'orgs.middleware.OrgMiddleware', ] @@ -245,6 +246,6 @@ CACHES = { } } - FORCE_SCRIPT_NAME = CONFIG.FORCE_SCRIPT_NAME - +SESSION_COOKIE_SECURE = CONFIG.SESSION_COOKIE_SECURE +CSRF_COOKIE_SECURE = CONFIG.CSRF_COOKIE_SECURE diff --git a/apps/jumpserver/settings/custom.py b/apps/jumpserver/settings/custom.py index 54c625763..cdea6c52d 100644 --- a/apps/jumpserver/settings/custom.py +++ b/apps/jumpserver/settings/custom.py 
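Review bot: `check_referer` accepts any Referer whose text merely starts with `request.get_host()`, so a longer host name that begins with the expected host passes the prefix test, and the unanchored `https?://` substitution strips a scheme appearing anywhere in the header rather than only at the front. Comparing the parsed authority exactly, `urlsplit(referer).netloc == request.get_host()` with `urlsplit` imported from `urllib.parse`, removes both problems and makes `self.http_pattern` unnecessary. `__call__` also applies the check to every method, so a plain GET reached by following a link from another site is answered with 403 'CSRF CHECK ERROR'; since a missing Referer already passes, limiting the gate to non-safe methods keeps its CSRF value without breaking inbound links. `request.get_host()` raises DisallowedHost for a host outside ALLOWED_HOSTS; presumably Django's handler turns that into a 400 before this middleware matters, but that is worth confirming. The `RequestMiddleware.__call__` body edited at the top of the hunk starts outside it.
```python
class RefererCheckMiddleware:
    """Reject state-changing requests whose Referer authority differs from the request host.

    A missing Referer passes, so this is a defence-in-depth layer next to CsrfViewMiddleware,
    not a replacement for it.
    """
    SAFE_METHODS = ('GET', 'HEAD', 'OPTIONS', 'TRACE')

    # … unchanged: __init__ (http_pattern is no longer needed) …

    def check_referer(self, request):
        referer = request.META.get('HTTP_REFERER', '')
        if not referer:
            # Header absent or stripped by a Referrer-Policy: nothing to compare.
            return True
        # Compare the whole authority (host[:port]) rather than a prefix.
        return urlsplit(referer).netloc == request.get_host()

    def __call__(self, request):
        if request.method not in self.SAFE_METHODS and not self.check_referer(request):
            return HttpResponseForbidden('CSRF CHECK ERROR')
        return self.get_response(request)
```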
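Review bot: The new MIDDLEWARE entry gives no hint that the class disables itself (its `__init__` raises MiddlewareNotUsed when `REFERER_CHECK_ENABLED` is False), so a reader of base.py cannot tell the check is opt-in. A trailing comment on the added line would make that visible: `'jumpserver.middleware.RefererCheckMiddleware',  # no-op unless REFERER_CHECK_ENABLED`. The MIDDLEWARE list starts outside the hunk.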
@@ -105,3 +105,4 @@ CHANGE_AUTH_PLAN_SECURE_MODE_ENABLED = CONFIG.CHANGE_AUTH_PLAN_SECURE_MODE_ENABL DATETIME_DISPLAY_FORMAT = '%Y-%m-%d %H:%M:%S' TICKETS_ENABLED = CONFIG.TICKETS_ENABLED +REFERER_CHECK_ENABLED = CONFIG.REFERER_CHECK_ENABLED