perf(common): 检查referer (#4697)

Co-authored-by: ibuler <ibuler@qq.com>
pull/4707/head^2
fit2bot 2020-09-27 11:48:21 +08:00 committed by GitHub
parent 91f1280f97
commit 82de636b5c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 35 additions and 4 deletions


@ -269,7 +269,10 @@ class Config(dict):
'TIME_ZONE': 'Asia/Shanghai', 'TIME_ZONE': 'Asia/Shanghai',
'CHANGE_AUTH_PLAN_SECURE_MODE_ENABLED': True, 'CHANGE_AUTH_PLAN_SECURE_MODE_ENABLED': True,
'USER_LOGIN_SINGLE_MACHINE_ENABLED': False, 'USER_LOGIN_SINGLE_MACHINE_ENABLED': False,
'TICKETS_ENABLED': True 'TICKETS_ENABLED': True,
'SESSION_COOKIE_SECURE': False,
'CSRF_COOKIE_SECURE': False,
'REFERER_CHECK_ENABLED': False,
} }
def compatible_auth_openid_of_key(self): def compatible_auth_openid_of_key(self):


@ -3,9 +3,11 @@
import os import os
import re import re
import pytz import pytz
from django.core.exceptions import MiddlewareNotUsed
from django.utils import timezone from django.utils import timezone
from django.shortcuts import HttpResponse from django.shortcuts import HttpResponse
from django.conf import settings from django.conf import settings
from django.http.response import HttpResponseForbidden
from .utils import set_current_request from .utils import set_current_request
@ -61,7 +63,31 @@ class RequestMiddleware:
set_current_request(request) set_current_request(request)
response = self.get_response(request) response = self.get_response(request)
is_request_api = request.path.startswith('/api') is_request_api = request.path.startswith('/api')
if not settings.SESSION_EXPIRE_AT_BROWSER_CLOSE and not is_request_api: if not settings.SESSION_EXPIRE_AT_BROWSER_CLOSE and \
not is_request_api:
age = request.session.get_expiry_age() age = request.session.get_expiry_age()
request.session.set_expiry(age) request.session.set_expiry(age)
return response return response
class RefererCheckMiddleware:
def __init__(self, get_response):
if not settings.REFERER_CHECK_ENABLED:
raise MiddlewareNotUsed
self.get_response = get_response
self.http_pattern = re.compile('https?://')
def check_referer(self, request):
referer = request.META.get('HTTP_REFERER', '')
referer = self.http_pattern.sub('', referer)
if not referer:
return True
remote_host = request.get_host()
return referer.startswith(remote_host)
def __call__(self, request):
match = self.check_referer(request)
if not match:
return HttpResponseForbidden('CSRF CHECK ERROR')
response = self.get_response(request)
return response
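Review bot: `check_referer` compares the Referer against the request host by prefix (`referer.startswith(remote_host)` at the end of the method), so a referer whose host merely begins with the expected host string, or that carries userinfo ahead of it, passes the check; a same-origin check needs equality on the parsed authority, which is also how Django's own CsrfViewMiddleware treats Referer. Stripping `https?://` with a regex is also fragile, since `re.sub` removes that substring anywhere in the URL rather than only the leading scheme. Parsing with `urllib.parse.urlsplit` (added to the file's import block) and comparing `netloc` with `request.get_host()` makes the `http_pattern` attribute set in `__init__` unnecessary; this is slightly stricter than before for referers that spell out a default port, which seems acceptable for a check that is opt-in via `REFERER_CHECK_ENABLED`. The pass-through on an empty Referer is unchanged and is visibly best-effort, so the docstring should say so rather than leave readers assuming the header is mandatory.
```python
    def check_referer(self, request):
        """Return True when the Referer authority equals the request host.

        Requests without a Referer header are not blocked (best effort).
        """
        referer = request.META.get('HTTP_REFERER', '')
        if not referer:
            return True
        parts = urlsplit(referer)
        # Reject anything that is not an absolute http(s) URL, then compare
        # the whole authority; a prefix match would accept hosts that only
        # start with ours or that carry userinfo before the real host.
        if parts.scheme not in ('http', 'https') or not parts.netloc:
            return False
        return parts.netloc == request.get_host()

    # … unchanged: __call__ …
```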


@ -81,6 +81,7 @@ MIDDLEWARE = [
'jumpserver.middleware.TimezoneMiddleware', 'jumpserver.middleware.TimezoneMiddleware',
'jumpserver.middleware.DemoMiddleware', 'jumpserver.middleware.DemoMiddleware',
'jumpserver.middleware.RequestMiddleware', 'jumpserver.middleware.RequestMiddleware',
'jumpserver.middleware.RefererCheckMiddleware',
'orgs.middleware.OrgMiddleware', 'orgs.middleware.OrgMiddleware',
] ]
@ -245,6 +246,6 @@ CACHES = {
} }
} }
FORCE_SCRIPT_NAME = CONFIG.FORCE_SCRIPT_NAME FORCE_SCRIPT_NAME = CONFIG.FORCE_SCRIPT_NAME
SESSION_COOKIE_SECURE = CONFIG.SESSION_COOKIE_SECURE
CSRF_COOKIE_SECURE = CONFIG.CSRF_COOKIE_SECURE


@ -105,3 +105,4 @@ CHANGE_AUTH_PLAN_SECURE_MODE_ENABLED = CONFIG.CHANGE_AUTH_PLAN_SECURE_MODE_ENABL
DATETIME_DISPLAY_FORMAT = '%Y-%m-%d %H:%M:%S' DATETIME_DISPLAY_FORMAT = '%Y-%m-%d %H:%M:%S'
TICKETS_ENABLED = CONFIG.TICKETS_ENABLED TICKETS_ENABLED = CONFIG.TICKETS_ENABLED
REFERER_CHECK_ENABLED = CONFIG.REFERER_CHECK_ENABLED