Added extra security
Sessions, if enhanced_security is active, are checked against the request IP.
This commit is contained in:
parent
7f8e06a090
commit
f02a8b8720
@ -73,6 +73,7 @@ EXPIRY_KEY = 'ek'
|
||||
AUTHORIZED_KEY = 'ak'
|
||||
ROOT_ID = -20091204 # Any negative number will do the trick
|
||||
UDS_COOKIE_LENGTH = 48
|
||||
IP_KEY = 'session_ip'
|
||||
|
||||
RT = typing.TypeVar('RT')
|
||||
|
||||
@ -413,6 +414,8 @@ def webLogin(
|
||||
request.authorized = (
|
||||
False # For now, we don't know if the user is authorized until MFA is checked
|
||||
)
|
||||
# Store request ip in session
|
||||
request.session[IP_KEY] = request.ip
|
||||
# If Enabled zero trust, do not cache credentials
|
||||
if GlobalConfig.ENFORCE_ZERO_TRUST.getBool(False):
|
||||
password = '' # nosec: clear password if zero trust is enabled
|
||||
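Review bot: The address written by `request.session[IP_KEY] = request.ip` is stored unconditionally but is only compared by the middleware when `GlobalConfig.ENHANCED_SECURITY` is set, and sessions that predate this change carry no `IP_KEY` at all and so pass that check untouched until the user logs in again; the comment should say so, e.g. `# Store request ip in session; compared by the middleware when ENHANCED_SECURITY is on (sessions without it are not checked)`. Whether `request.ip` is the socket peer address or a proxy-supplied header is not visible in this hunk, and that decides how much the binding is worth against a stolen cookie. webLogin starts and ends outside this hunk.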
|
@ -1246,7 +1246,7 @@ class UserInterface(metaclass=UserInterfaceType):
|
||||
def deserialize(value: bytes) -> typing.Any:
|
||||
if opt_deserializer:
|
||||
return opt_deserializer(value)
|
||||
return serializer.deserialize(value)
|
||||
return serializer.deserialize(value) or []
|
||||
|
||||
if not values:
|
||||
return
|
||||
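Review bot: `return serializer.deserialize(value) or []` on the changed line replaces every falsy result — `''`, `0`, `False`, `{}`, an empty tuple — with `[]`, not only the `None` that a failed legacy unpickle now yields, so a field whose stored value is legitimately empty changes type on the way out. If the intent is only to cover `None`, test for it explicitly: `result = serializer.deserialize(value)` then `return [] if result is None else result`. The enclosing method continues beyond the hunk on both sides.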
|
@ -67,4 +67,7 @@ def deserialize(data: typing.Optional[bytes]) -> typing.Any:
|
||||
return pickle.loads(lzma.decompress(DESERIALIZERS[data[0:2]](data[2:]))) # nosec: Secured by encryption
|
||||
else:
|
||||
# Old version, try to unpickle it
|
||||
try:
|
||||
return pickle.loads(data) # nosec: Backward compatibility
|
||||
except Exception:
|
||||
return None
|
||||
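Review bot: The new `except Exception: return None` turns any failure of the legacy `pickle.loads(data)` into a silent None, which hides corrupted or tampered data from the caller and leaves no trace; at minimum log before returning, e.g. `logger.warning('Failed to deserialize legacy data', exc_info=True)` if a module logger exists in this file (not visible here). This branch still unpickles anything whose first two bytes are not a registered prefix, without the encryption that justifies the `nosec` on the new-format branch above, so `# nosec: Backward compatibility` is a weaker justification than it reads; a comment stating that the legacy path must only ever be fed data read back from storage, never request input, would make that assumption explicit. The enclosing `deserialize` function begins before this hunk.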
|
@ -38,7 +38,7 @@ logger = logging.getLogger(__name__)
|
||||
from django.http import HttpResponseForbidden
|
||||
|
||||
from uds.core.util.config import GlobalConfig
|
||||
from uds.core.auths.auth import isTrustedSource
|
||||
from uds.core.auths.auth import isTrustedSource, IP_KEY
|
||||
|
||||
|
||||
from . import builder
|
||||
@ -66,6 +66,20 @@ def _process_request(request: 'ExtendedHttpRequest') -> typing.Optional['HttpRes
|
||||
request.path,
|
||||
)
|
||||
return HttpResponseForbidden(content='Forbbiden', content_type='text/plain')
|
||||
|
||||
if GlobalConfig.ENHANCED_SECURITY.getBool():
|
||||
# Check that ip stored in session is the same as the one that is requesting if user is logged in
|
||||
session_ip = request.session.get(IP_KEY, None)
|
||||
if request.user and session_ip and session_ip != request.ip:
|
||||
logger.info(
|
||||
'Denied request from %s to %s. User %s is logged in from a different IP (%s)',
|
||||
request.ip,
|
||||
request.path,
|
||||
request.user,
|
||||
request.session.get('ip', None),
|
||||
)
|
||||
return HttpResponseForbidden(content='Forbbiden', content_type='text/plain')
|
||||
|
||||
return None
|
||||
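Review bot: The last log argument in the new block reads `request.session.get('ip', None)`, which is not the key the check just compared (`IP_KEY` is `'session_ip'`), so the denied-request message will always print None for the stored address; pass the already-fetched `session_ip,` instead. The 403 body also copies the existing `'Forbbiden'` typo from the trusted-source branch above. The denial leaves the session intact, so a user whose address legitimately changes keeps a session that no longer works anywhere; if that is not intended, `request.session.flush()` before returning the 403 would allow a clean re-login. The strength of this comparison depends on how `request.ip` is derived, which is not visible here — if it honours a forwarded-for header, proxy configuration decides whether a cookie thief can satisfy it.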
|
||||
|
||||
|