
Added extra security

Sessions, if enhanced_security is active, are checked against the request IP.
This commit is contained in:
Adolfo Gómez García 2023-03-25 01:06:40 +01:00
parent 7f8e06a090
commit f02a8b8720
No known key found for this signature in database
GPG Key ID: DD1ABF20724CDA23
4 changed files with 23 additions and 3 deletions


@ -73,6 +73,7 @@ EXPIRY_KEY = 'ek'
AUTHORIZED_KEY = 'ak'
ROOT_ID = -20091204 # Any negative number will do the trick
UDS_COOKIE_LENGTH = 48
IP_KEY = 'session_ip'
RT = typing.TypeVar('RT')
@ -413,6 +414,8 @@ def webLogin(
request.authorized = (
False # For now, we don't know if the user is authorized until MFA is checked
)
# Store request ip in session
request.session[IP_KEY] = request.ip
# If Enabled zero trust, do not cache credentials
if GlobalConfig.ENFORCE_ZERO_TRUST.getBool(False):
password = '' # nosec: clear password if zero trust is enabled
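Review bot: The new `IP_KEY` constant and the `request.session[IP_KEY] = request.ip` assignment carry no comment saying who consumes the value and under which setting, so a reader of this module cannot tell that it is only compared by the request middleware when ENHANCED_SECURITY is enabled. Suggest `IP_KEY = 'session_ip'  # client IP recorded at login; compared with request.ip by the request middleware when ENHANCED_SECURITY is on`. Recording the address unconditionally is fine, but the check presumably relies on request.ip already being the proxy-resolved client address; if it were the proxy's own address, every session would store the same value and the comparison could never fail, so that assumption is worth confirming or stating in the comment. webLogin starts and ends outside the hunk.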


@ -1246,7 +1246,7 @@ class UserInterface(metaclass=UserInterfaceType):
def deserialize(value: bytes) -> typing.Any:
if opt_deserializer:
return opt_deserializer(value)
return serializer.deserialize(value)
return serializer.deserialize(value) or []
if not values:
return
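Review bot: The `or []` appended to the `serializer.deserialize(value)` return coerces every falsy result (None, 0, '', b'', an empty dict) to a list, not only the None that a failed legacy unpickle now produces; if absorbing that failure is the intent, `result = serializer.deserialize(value)` followed by `return [] if result is None else result` is narrower and leaves a legitimately empty non-list value intact. The `opt_deserializer(value)` return on the line above gets no such fallback, so the two paths now behave differently on a None result; either apply the same guard to both or add a one-line comment on why only the default serializer needs it. The enclosing method and the `if not values:` consumer below start and end outside the hunk.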


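--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -67,4 +67,7 @@ def deserialize(data: typing.Optional[bytes]) -> typing.Any:
 return pickle.loads(lzma.decompress(DESERIALIZERS[data[0:2]](data[2:]))) # nosec: Secured by encryption
 else:
 # Old version, try to unpickle it
-return pickle.loads(data) # nosec: Backward compatibility
+try:
+return pickle.loads(data) # nosec: Backward compatibility
+except Exception:
+return None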
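Review bot: The new `except Exception: return None` around the legacy `pickle.loads(data)` discards the failure without a trace, so a corrupt or tampered blob becomes indistinguishable from an empty one for anyone debugging or monitoring; log before returning, e.g. `logger.warning('Legacy deserialization failed', exc_info=True)` if this module has a logger, and consider returning a distinct sentinel if callers need to tell "nothing stored" from "could not read". The try/except does not reduce the exposure of the legacy path itself: pickle resolves and calls objects while loading, before any exception reaches this clause, so the `# nosec: Backward compatibility` comment should state that the only safeguard is the assumption that such data was written by this application, which is what the encrypted branch above is meant to guarantee. deserialize begins outside the hunk.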


@ -38,7 +38,7 @@ logger = logging.getLogger(__name__)
from django.http import HttpResponseForbidden
from uds.core.util.config import GlobalConfig
from uds.core.auths.auth import isTrustedSource
from uds.core.auths.auth import isTrustedSource, IP_KEY
from . import builder
@ -66,6 +66,20 @@ def _process_request(request: 'ExtendedHttpRequest') -> typing.Optional['HttpRes
request.path,
)
return HttpResponseForbidden(content='Forbbiden', content_type='text/plain')
if GlobalConfig.ENHANCED_SECURITY.getBool():
# Check that ip stored in session is the same as the one that is requesting if user is logged in
session_ip = request.session.get(IP_KEY, None)
if request.user and session_ip and session_ip != request.ip:
logger.info(
'Denied request from %s to %s. User %s is logged in from a different IP (%s)',
request.ip,
request.path,
request.user,
request.session.get('ip', None),
)
return HttpResponseForbidden(content='Forbbiden', content_type='text/plain')
return None
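Review bot: The log call on the `request.session.get('ip', None)` line reads the key `'ip'`, not `IP_KEY` (`'session_ip'`), so the denied-request message will always report None for the stored address; it should pass the already-fetched value, `session_ip,`. The guard `if request.user and session_ip and session_ip != request.ip` fails open whenever the session carries no IP_KEY, which is presumably the case for sessions created before this change or by any login path other than webLogin; if that is not intended, treat a logged-in user with no recorded IP as a mismatch as well, or document the transition behaviour in the comment above the guard. On a mismatch the request is refused but the session stays valid for the original address, so a comment stating whether invalidating it (logging the user out) was considered would help the next reader. `_process_request` begins outside the hunk; the `'Forbbiden'` spelling of the earlier return is carried into the new one.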