flows: fix potential open redirect vuln

This commit is contained in:
Jens Langhammer 2020-07-14 21:53:39 +02:00
parent fbf9554a9e
commit e15f7d7f28
4 changed files with 29 additions and 76 deletions

View file

@ -22,7 +22,7 @@ from passbook.flows.exceptions import EmptyFlowException, FlowNonApplicableExcep
from passbook.flows.models import Flow, FlowDesignation, Stage
from passbook.flows.planner import FlowPlan, FlowPlanner
from passbook.lib.utils.reflection import class_to_path, path_to_class
from passbook.lib.utils.urls import redirect_with_qs
from passbook.lib.utils.urls import is_url_absolute, redirect_with_qs
from passbook.lib.views import bad_request_message
LOGGER = get_logger()
@ -50,8 +50,9 @@ class FlowExecutorView(View):
def handle_invalid_flow(self, exc: BaseException) -> HttpResponse:
"""When a flow is non-applicable check if user is on the correct domain"""
if NEXT_ARG_NAME in self.request.GET:
LOGGER.debug("f(exec): Redirecting to next on fail")
return redirect(self.request.GET.get(NEXT_ARG_NAME))
if not is_url_absolute(self.request.GET.get(NEXT_ARG_NAME)):
LOGGER.debug("f(exec): Redirecting to next on fail")
return redirect(self.request.GET.get(NEXT_ARG_NAME))
message = exc.__doc__ if exc.__doc__ else str(exc)
return bad_request_message(self.request, message)

View file

@ -0,0 +1,25 @@
version: '3.7'
services:
postgresql:
container_name: postgres
image: postgres:11
volumes:
- db-data:/var/lib/postgresql/data
environment:
POSTGRES_USER: passbook
POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
POSTGRES_DB: passbook
ports:
- 5432:5432
restart: always
redis:
container_name: redis
image: redis
ports:
- 6379:6379
restart: always
volumes:
db-data:
driver: local

View file

@ -1,10 +0,0 @@
ingress:
enabled: true
hosts:
- some.address.tld
grafana.ini:
auth.anonymous:
enabled: true
org_name: Main Org.
org_role: Viewer

View file

@ -1,63 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: prometheus
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: prometheus
rules:
- apiGroups: [""]
resources:
- nodes
- services
- endpoints
- pods
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources:
- configmaps
verbs: ["get"]
- nonResourceURLs: ["/metrics"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: prometheus
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: prometheus
subjects:
- kind: ServiceAccount
name: prometheus
namespace: prod-passbook-ng
---
apiVersion: monitoring.coreos.com/v1
kind: Prometheus
metadata:
name: prometheus
spec:
serviceAccountName: prometheus
serviceMonitorSelector:
matchLabels:
app.kubernetes.io/name: passbook
enableAdminAPI: false
ruleSelector:
matchLabels:
app.kubernetes.io/name: passbook
storage:
volumeClaimTemplate:
metadata:
labels:
prometheus: k8s
name: prometheus-storage
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 15Gi