From e15f7d7f28c5f439b9cc79025407095c2aaeb26c Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Tue, 14 Jul 2020 21:53:39 +0200
Subject: [PATCH] flows: fix potential open redirect vuln
---
 passbook/flows/views.py | 7 ++--
 scripts/ci.docker-compose.yml | 25 +++++++++++
 scripts/prometheus/grafana.helm.yaml | 10 -----
 scripts/prometheus/instance.yaml | 63 ----------------------------
 4 files changed, 29 insertions(+), 76 deletions(-)
 create mode 100644 scripts/ci.docker-compose.yml
 delete mode 100644 scripts/prometheus/grafana.helm.yaml
 delete mode 100644 scripts/prometheus/instance.yaml
diff --git a/passbook/flows/views.py b/passbook/flows/views.py
index 158c529fc..c01ede83b 100644
--- a/passbook/flows/views.py
+++ b/passbook/flows/views.py
@@ -22,7 +22,7 @@ from passbook.flows.exceptions import EmptyFlowException, FlowNonApplicableExcep
 from passbook.flows.models import Flow, FlowDesignation, Stage
 from passbook.flows.planner import FlowPlan, FlowPlanner
 from passbook.lib.utils.reflection import class_to_path, path_to_class
-from passbook.lib.utils.urls import redirect_with_qs
+from passbook.lib.utils.urls import is_url_absolute, redirect_with_qs
 from passbook.lib.views import bad_request_message
 LOGGER = get_logger()
@@ -50,8 +50,9 @@ class FlowExecutorView(View):
     def handle_invalid_flow(self, exc: BaseException) -> HttpResponse:
         """When a flow is non-applicable check if user is on the correct domain"""
         if NEXT_ARG_NAME in self.request.GET:
-            LOGGER.debug("f(exec): Redirecting to next on fail")
-            return redirect(self.request.GET.get(NEXT_ARG_NAME))
+            if not is_url_absolute(self.request.GET.get(NEXT_ARG_NAME)):
+                LOGGER.debug("f(exec): Redirecting to next on fail")
+                return redirect(self.request.GET.get(NEXT_ARG_NAME))
         message = exc.__doc__ if exc.__doc__ else str(exc)
         return bad_request_message(self.request, message)
diff --git a/scripts/ci.docker-compose.yml b/scripts/ci.docker-compose.yml
new file mode 100644
index 000000000..1cbe9aa27
--- /dev/null
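Review bot: The new guard in handle_invalid_flow delegates the whole decision to `is_url_absolute`, which lives outside this hunk, so the fix is only as strong as that helper's treatment of scheme-relative targets such as `//host/path` — browsers resolve those as absolute, and a helper that only looks for a `scheme://` prefix would still forward to them; if the project's Django version provides it, `url_has_allowed_host_and_scheme(next_url, allowed_hosts={self.request.get_host()})` is the conventional allow-list check for a redirect target taken from the query string. The rejection path is also silent: when the value is absolute the request falls through to `bad_request_message` with the flow's own error text and nothing records that a `next` value was discarded, so a `LOGGER.warning("f(exec): Ignoring absolute next URL on fail")` before the fall-through would make such requests visible in logs. The `self.request.GET.get(NEXT_ARG_NAME)` lookup is repeated on consecutive lines; binding it once as `next_url = self.request.GET.get(NEXT_ARG_NAME)` reads better and keeps the checked and redirected values identical. The import-only hunk above needs no change.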
+++ b/scripts/ci.docker-compose.yml @@ -0,0 +1,25 @@ +version: '3.7' + +services: + postgresql: + container_name: postgres + image: postgres:11 + volumes: + - db-data:/var/lib/postgresql/data + environment: + POSTGRES_USER: passbook + POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77" + POSTGRES_DB: passbook + ports: + - 5432:5432 + restart: always + redis: + container_name: redis + image: redis + ports: + - 6379:6379 + restart: always + +volumes: + db-data: + driver: local diff --git a/scripts/prometheus/grafana.helm.yaml b/scripts/prometheus/grafana.helm.yaml deleted file mode 100644 index 5fdbe54c4..000000000 --- a/scripts/prometheus/grafana.helm.yaml +++ /dev/null @@ -1,10 +0,0 @@ -ingress: - enabled: true - hosts: - - some.address.tld - -grafana.ini: - auth.anonymous: - enabled: true - org_name: Main Org. - org_role: Viewer diff --git a/scripts/prometheus/instance.yaml b/scripts/prometheus/instance.yaml deleted file mode 100644 index 24487c50c..000000000 --- a/scripts/prometheus/instance.yaml +++ /dev/null 
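Review bot: `POSTGRES_PASSWORD` is committed in clear text and both services publish their ports as `5432:5432` and `6379:6379`, which binds them on every interface of the CI host rather than loopback; `- 127.0.0.1:5432:5432` (and the same for Redis, which with the image's defaults accepts unauthenticated connections) keeps the throwaway database reachable only from the runner itself. A one-line comment above the password stating that it is a CI-only, non-production value would stop it being copied into real deployments and give secret scanners the context they need. `image: redis` is also unpinned, unlike `postgres:11`; pinning a major tag keeps CI runs reproducible. The two deletion hunks below are pure removals and need no review.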
@@ -1,63 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: prometheus ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: prometheus -rules: - - apiGroups: [""] - resources: - - nodes - - services - - endpoints - - pods - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: - - configmaps - verbs: ["get"] - - nonResourceURLs: ["/metrics"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: prometheus -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: prometheus -subjects: - - kind: ServiceAccount - name: prometheus - namespace: prod-passbook-ng ---- -apiVersion: monitoring.coreos.com/v1 -kind: Prometheus -metadata: - name: prometheus -spec: - serviceAccountName: prometheus - serviceMonitorSelector: - matchLabels: - app.kubernetes.io/name: passbook - enableAdminAPI: false - ruleSelector: - matchLabels: - app.kubernetes.io/name: passbook - storage: - volumeClaimTemplate: - metadata: - labels: - prometheus: k8s - name: prometheus-storage - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 15Gi