shaba/openuds
1
0
Fork 1
mirror of https://github.com/dkmstr/openuds.git synced 2025-01-11 05:17:55 +03:00
Code Issues Releases Wiki Activity

Added extra security

Browse Source 
Sessions, if enhaced_security is active, is cheched against the request IP.
This commit is contained in:
Adolfo Gómez García 2023-03-25 01:06:40 +01:00
parent 7f8e06a090
commit f02a8b8720
No known key found for this signature in database
GPG Key ID: DD1ABF20724CDA23
4 changed files with 23 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
server/src/uds/core/auths/auth.py
View File

@ -73,6 +73,7 @@ EXPIRY_KEY = 'ek'
AUTHORIZED_KEY = 'ak' AUTHORIZED_KEY = 'ak'
ROOT_ID = -20091204 # Any negative number will do the trick ROOT_ID = -20091204 # Any negative number will do the trick
UDS_COOKIE_LENGTH = 48 UDS_COOKIE_LENGTH = 48
IP_KEY = 'session_ip'
RT = typing.TypeVar('RT') RT = typing.TypeVar('RT')
@ -413,6 +414,8 @@ def webLogin(
request.authorized = ( request.authorized = (
False # For now, we don't know if the user is authorized until MFA is checked False # For now, we don't know if the user is authorized until MFA is checked
) )
# Store request ip in session
request.session[IP_KEY] = request.ip
# If Enabled zero trust, do not cache credentials # If Enabled zero trust, do not cache credentials
if GlobalConfig.ENFORCE_ZERO_TRUST.getBool(False): if GlobalConfig.ENFORCE_ZERO_TRUST.getBool(False):
password = '' # nosec: clear password if zero trust is enabled password = '' # nosec: clear password if zero trust is enabled

2
server/src/uds/core/ui/user_interface.py
View File

@ -1246,7 +1246,7 @@ class UserInterface(metaclass=UserInterfaceType):
def deserialize(value: bytes) -> typing.Any: def deserialize(value: bytes) -> typing.Any:
if opt_deserializer: if opt_deserializer:
return opt_deserializer(value) return opt_deserializer(value)
return serializer.deserialize(value) return serializer.deserialize(value) or []
if not values: if not values:
return return

5
server/src/uds/core/util/serializer.py
View File

@ -67,4 +67,7 @@ def deserialize(data: typing.Optional[bytes]) -> typing.Any:
return pickle.loads(lzma.decompress(DESERIALIZERS[data[0:2]](data[2:]))) # nosec: Secured by encryption return pickle.loads(lzma.decompress(DESERIALIZERS[data[0:2]](data[2:]))) # nosec: Secured by encryption
else: else:
# Old version, try to unpickle it # Old version, try to unpickle it
return pickle.loads(data) # nosec: Backward compatibility try:
return pickle.loads(data) # nosec: Backward compatibility
except Exception:
return None

16
server/src/uds/middleware/security.py
View File

@ -38,7 +38,7 @@ logger = logging.getLogger(__name__)
from django.http import HttpResponseForbidden from django.http import HttpResponseForbidden
from uds.core.util.config import GlobalConfig from uds.core.util.config import GlobalConfig
from uds.core.auths.auth import isTrustedSource from uds.core.auths.auth import isTrustedSource, IP_KEY
from . import builder from . import builder
@ -66,6 +66,20 @@ def _process_request(request: 'ExtendedHttpRequest') -> typing.Optional['HttpRes
request.path, request.path,
) )
return HttpResponseForbidden(content='Forbbiden', content_type='text/plain') return HttpResponseForbidden(content='Forbbiden', content_type='text/plain')
if GlobalConfig.ENHANCED_SECURITY.getBool():
# Check that ip stored in session is the same as the one that is requesting if user is logged in
session_ip = request.session.get(IP_KEY, None)
if request.user and session_ip and session_ip != request.ip:
logger.info(
'Denied request from %s to %s. User %s is logged in from a different IP (%s)',
request.ip,
request.path,
request.user,
request.session.get('ip', None),
)
return HttpResponseForbidden(content='Forbbiden', content_type='text/plain')
return None return None