flows: fix potential open redirect vuln

This commit is contained in:
Jens Langhammer 2020-07-14 21:53:39 +02:00
parent fbf9554a9e
commit e15f7d7f28
4 changed files with 29 additions and 76 deletions

View File

@ -22,7 +22,7 @@ from passbook.flows.exceptions import EmptyFlowException, FlowNonApplicableExcep
from passbook.flows.models import Flow, FlowDesignation, Stage from passbook.flows.models import Flow, FlowDesignation, Stage
from passbook.flows.planner import FlowPlan, FlowPlanner from passbook.flows.planner import FlowPlan, FlowPlanner
from passbook.lib.utils.reflection import class_to_path, path_to_class from passbook.lib.utils.reflection import class_to_path, path_to_class
from passbook.lib.utils.urls import redirect_with_qs from passbook.lib.utils.urls import is_url_absolute, redirect_with_qs
from passbook.lib.views import bad_request_message from passbook.lib.views import bad_request_message
LOGGER = get_logger() LOGGER = get_logger()
@ -50,6 +50,7 @@ class FlowExecutorView(View):
def handle_invalid_flow(self, exc: BaseException) -> HttpResponse: def handle_invalid_flow(self, exc: BaseException) -> HttpResponse:
"""When a flow is non-applicable check if user is on the correct domain""" """When a flow is non-applicable check if user is on the correct domain"""
if NEXT_ARG_NAME in self.request.GET: if NEXT_ARG_NAME in self.request.GET:
if not is_url_absolute(self.request.GET.get(NEXT_ARG_NAME)):
LOGGER.debug("f(exec): Redirecting to next on fail") LOGGER.debug("f(exec): Redirecting to next on fail")
return redirect(self.request.GET.get(NEXT_ARG_NAME)) return redirect(self.request.GET.get(NEXT_ARG_NAME))
message = exc.__doc__ if exc.__doc__ else str(exc) message = exc.__doc__ if exc.__doc__ else str(exc)

View File

@ -0,0 +1,25 @@
version: '3.7'
services:
postgresql:
container_name: postgres
image: postgres:11
volumes:
- db-data:/var/lib/postgresql/data
environment:
POSTGRES_USER: passbook
POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
POSTGRES_DB: passbook
ports:
- 5432:5432
restart: always
redis:
container_name: redis
image: redis
ports:
- 6379:6379
restart: always
volumes:
db-data:
driver: local

View File

@ -1,10 +0,0 @@
ingress:
enabled: true
hosts:
- some.address.tld
grafana.ini:
auth.anonymous:
enabled: true
org_name: Main Org.
org_role: Viewer

View File

@ -1,63 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: prometheus
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: prometheus
rules:
- apiGroups: [""]
resources:
- nodes
- services
- endpoints
- pods
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources:
- configmaps
verbs: ["get"]
- nonResourceURLs: ["/metrics"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: prometheus
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: prometheus
subjects:
- kind: ServiceAccount
name: prometheus
namespace: prod-passbook-ng
---
apiVersion: monitoring.coreos.com/v1
kind: Prometheus
metadata:
name: prometheus
spec:
serviceAccountName: prometheus
serviceMonitorSelector:
matchLabels:
app.kubernetes.io/name: passbook
enableAdminAPI: false
ruleSelector:
matchLabels:
app.kubernetes.io/name: passbook
storage:
volumeClaimTemplate:
metadata:
labels:
prometheus: k8s
name: prometheus-storage
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 15Gi