stash/pkg/session/authentication.go
SmallCoccinelle e14bb8432c
Enable gocritic (#1848)
* Don't capitalize local variables

ValidCodecs -> validCodecs

* Capitalize deprecation markers

A deprecated marker should be capitalized.

* Use re.MustCompile for static regexes

If the regex fails to compile, it's a programmer error, and should be
treated as such. The regex is entirely static.

* Simplify else-if constructions

Rewrite

   else { if cond {}}

to

   else if cond {}

* Use a switch statement to analyze formats

Break an if-else chain. While here, simplify code flow.

Also introduce a proper static error for unsupported image formats,
paving the way for being able to check against the error.

* Rewrite ifElse chains into switch statements

The "Effective Go" https://golang.org/doc/effective_go#switch document
mentions it is more idiomatic to write if-else chains as switches when
it is possible.

Find all the plain rewrite occurrences in the code base and rewrite.
In some cases, the if-else chains are replaced by a switch scrutinizer.
That is, the code sequence

  if x == 1 {
      ..
  } else if x == 2 {
      ..
  } else if x == 3 {
      ...
  }

can be rewritten into

  switch x {
  case 1:
    ..
  case 2:
    ..
  case 3:
    ..
  }

which is clearer for the compiler: it can decide if the switch is
better served by a jump-table than a branch-chain.

* Rewrite switches, introduce static errors

Introduce two new static errors:

* `ErrNotImplmented`
* `ErrNotSupported`

And use these rather than forming new generative errors whenever the
code is called. Code can now test on the errors (since they are static
and the pointers to them won't change).

Also rewrite ifElse chains into switches in this part of the code base.

* Introduce a StashBoxError in configuration

Since all stashbox errors are the same, treat them as such in the code
base. While here, rewrite an ifElse chain.

In the future, it might be beneficial to refactor configuration errors
into one error which can handle missing fields, which context the error
occurs in and so on. But for now, try to get an overview of the error
categories by hoisting them into static errors.

* Get rid of an else-block in transaction handling

If we successfully `recover()`, we then always `panic()`. This means the
rest of the code is not reachable, so we can avoid having an else-block
here.

It also solves an ifElse-chain style check in the code base.

* Use strings.ReplaceAll

Rewrite

    strings.Replace(s, o, n, -1)

into

    strings.ReplaceAll(s, o, n)

To make it consistent and clear that we are doing an all-replace in the
string rather than replacing parts of it. It's more of a nitpick since
there are no implementation differences: the stdlib implementation is
just to supply -1.

* Rewrite via gocritic's assignOp

Statements of the form

    x = x + e

are rewritten into

    x += e

where applicable.

* Formatting

* Review comments handled

Stash-box is a proper noun.

Rewrite a switch into an if-chain which returns on the first error
encountered.

* Use context.TODO() over context.Background()

Patch in the same vein as everything else: use the TODO() marker so we
can search for it later and link it into the context tree/tentacle once
it reaches down to this level in the code base.

* Tell the linter to ignore a section in manager_tasks.go

The section is less readable, so mark it with a nolint for now. Because
the rewrite enables an ifElseChain, also mark that as nolint for now.

* Use strings.ReplaceAll over strings.Replace

* Apply an ifElse rewrite

else { if .. { .. } } is rewritten into else if { .. }

* Use switch-statements over ifElseChains

Rewrite chains of if-else into switch statements. Where applicable,
add an early nil-guard to simplify case analysis. Also, in
ScanTask's Start(..), invert the logic to outdent the whole block, and
help the reader: if it's not a scene, the function flow is now far more
local to the top of the function, and it's clear that the rest of the
function has to do with scene management.

* Enable gocritic on the code base.

Disable appendAssign for now since we aren't passing that check yet.

* Document the nolint additions

* Document StashBoxBatchPerformerTagInput
2021-10-18 14:12:40 +11:00

118 lines
3.8 KiB
Go

package session

import (
	"fmt"
	"net"
	"net/http"
	"strings"

	"github.com/stashapp/stash/pkg/logger"
	"github.com/stashapp/stash/pkg/manager/config"
)

// ExternalAccessError reports that an unauthenticated request reached stash
// from an address outside the local network. The value is the offending IP.
type ExternalAccessError net.IP

func (e ExternalAccessError) Error() string {
	return fmt.Sprintf("stash accessed from external IP %s", net.IP(e).String())
}

// UntrustedProxyError reports that a proxied request passed through an
// address that is not on the configured trusted proxy list.
type UntrustedProxyError net.IP

func (e UntrustedProxyError) Error() string {
	return fmt.Sprintf("untrusted proxy %s", net.IP(e).String())
}

// CheckAllowPublicWithoutAuth returns a non-nil error when a request arrives
// from outside the local network while no credentials are configured and the
// dangerous_allow_public_without_auth override is not set. X-Forwarded-For is
// only honoured when the request came through a trusted proxy, since any other
// peer can put arbitrary addresses in that header.
func CheckAllowPublicWithoutAuth(c *config.Instance, r *http.Request) error {
	if !c.HasCredentials() && !c.GetDangerousAllowPublicWithoutAuth() && !c.IsNewSystem() {
		requestIPString, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			return fmt.Errorf("error parsing remote host (%s): %w", r.RemoteAddr, err)
		}

		requestIP := net.ParseIP(requestIPString)

		if r.Header.Get("X-FORWARDED-FOR") != "" {
			// Request was proxied
			trustedProxies := c.GetTrustedProxies()
			proxyChain := strings.Split(r.Header.Get("X-FORWARDED-FOR"), ", ")

			if len(trustedProxies) == 0 {
				// validate proxies against local network only
				if !isLocalIP(requestIP) {
					return ExternalAccessError(requestIP)
				} else {
					// Safe to validate X-Forwarded-For
					for i := range proxyChain {
						ip := net.ParseIP(proxyChain[i])
						if !isLocalIP(ip) {
							return ExternalAccessError(ip)
						}
					}
				}
			} else {
				// validate proxies against trusted proxies list
				if isIPTrustedProxy(requestIP, trustedProxies) {
					// Safe to validate X-Forwarded-For
					// validate backwards, as only the last one is not attacker-controlled
					for i := len(proxyChain) - 1; i >= 0; i-- {
						ip := net.ParseIP(proxyChain[i])
						if i == 0 {
							// last entry is originating device, check if from the public internet
							if !isLocalIP(ip) {
								return ExternalAccessError(ip)
							}
						} else if !isIPTrustedProxy(ip, trustedProxies) {
							return UntrustedProxyError(ip)
						}
					}
				} else {
					// Proxy not on safe proxy list
					return UntrustedProxyError(requestIP)
				}
			}
		} else if !isLocalIP(requestIP) { // request was not proxied
			return ExternalAccessError(requestIP)
		}
	}

	return nil
}

// CheckExternalAccessTripwire returns the error recorded in the configuration
// the last time stash was reached from the public internet without
// authentication, or nil if the tripwire has not fired (or auth is configured).
func CheckExternalAccessTripwire(c *config.Instance) *ExternalAccessError {
	if !c.HasCredentials() && !c.GetDangerousAllowPublicWithoutAuth() {
		if remoteIP := c.GetSecurityTripwireAccessedFromPublicInternet(); remoteIP != "" {
			err := ExternalAccessError(net.ParseIP(remoteIP))
			return &err
		}
	}

	return nil
}

// isLocalIP treats private (RFC 1918 / ULA), loopback and carrier-grade NAT
// (RFC 6598, 100.64.0.0/10) addresses as local.
func isLocalIP(requestIP net.IP) bool {
	_, cgNatAddrSpace, _ := net.ParseCIDR("100.64.0.0/10")
	return requestIP.IsPrivate() || requestIP.IsLoopback() || cgNatAddrSpace.Contains(requestIP)
}

// isIPTrustedProxy reports whether ip is on the configured trusted proxy list;
// with no list configured, any local address is trusted.
func isIPTrustedProxy(ip net.IP, trustedProxies []string) bool {
	if len(trustedProxies) == 0 {
		return isLocalIP(ip)
	}

	for _, v := range trustedProxies {
		if ip.Equal(net.ParseIP(v)) {
			return true
		}
	}

	return false
}

// LogExternalAccessError writes the tripwire warning shown to the operator
// when stash has been reached from the public internet without a password.
func LogExternalAccessError(err ExternalAccessError) {
	logger.Errorf("Stash has been accessed from the internet (public IP %s), without authentication. \n"+
		"This is extremely dangerous! The whole world can see your stash page and browse your files! \n"+
		"You probably forwarded a port from your router. At the very least, add a password to stash in the settings. \n"+
		"Stash will not serve requests until you edit config.yml, remove the security_tripwire_accessed_from_public_internet key and restart stash. \n"+
		"This behaviour can be overridden (but not recommended) by setting dangerous_allow_public_without_auth to true in config.yml. \n"+
		"More information is available at https://github.com/stashapp/stash/wiki/Authentication-Required-When-Accessing-Stash-From-the-Internet \n"+
		"Stash is not answering any other requests to protect your privacy.", net.IP(err).String())
}