Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: allowed hosts based on cidr #10504

Closed
wants to merge 1 commit into from

Conversation

fcecagno
Copy link
Contributor

@fcecagno fcecagno commented Jul 3, 2024

Description

This modification install django-allow-cidr (https://pypi.org/project/django-allow-cidr/) so Django allowed hosts can be set as CIDR instead of domain name or IP address. This is very important for Kubernetes deployments: if Django metrics are enabled and we configure a ServiceMonitor to fetch metrics, an arbitrary pod will fetch the metrics from the Django pods, which typically won't be allowed:

defectdojo-django-77df897865-qldpd uwsgi [03/Jul/2024 04:14:43] ERROR [django.security.DisallowedHost:125] Invalid HTTP_HOST header: '10.244.2.56:8080'. You may need to add '10.244.2.56' to ALLOWED_HOSTS.
defectdojo-django-77df897865-qldpd uwsgi Traceback (most recent call last):
defectdojo-django-77df897865-qldpd uwsgi   File "/usr/local/lib/python3.11/site-packages/django/core/handlers/exception.py", line 56, in inner
defectdojo-django-77df897865-qldpd uwsgi     response = get_response(request)
defectdojo-django-77df897865-qldpd uwsgi                ^^^^^^^^^^^^^^^^^^^^^
defectdojo-django-77df897865-qldpd uwsgi   File "/usr/local/lib/python3.11/site-packages/django/utils/deprecation.py", line 135, in __call__
defectdojo-django-77df897865-qldpd uwsgi     response = self.process_request(request)
defectdojo-django-77df897865-qldpd uwsgi                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
defectdojo-django-77df897865-qldpd uwsgi   File "/usr/local/lib/python3.11/site-packages/django/middleware/common.py", line 48, in process_request
defectdojo-django-77df897865-qldpd uwsgi     host = request.get_host()
defectdojo-django-77df897865-qldpd uwsgi            ^^^^^^^^^^^^^^^^^^
defectdojo-django-77df897865-qldpd uwsgi   File "/usr/local/lib/python3.11/site-packages/django/http/request.py", line 152, in get_host
defectdojo-django-77df897865-qldpd uwsgi     raise DisallowedHost(msg)
defectdojo-django-77df897865-qldpd uwsgi django.core.exceptions.DisallowedHost: Invalid HTTP_HOST header: '10.244.2.56:8080'. You may need to add '10.244.2.56' to ALLOWED_HOSTS.
defectdojo-django-77df897865-qldpd uwsgi [03/Jul/2024 04:14:43] WARNING [django.request:241] Bad Request: /django_metrics/metrics
defectdojo-django-77df897865-qldpd nginx 10.244.3.193 - monitoring [03/Jul/2024:04:14:43 +0000] "GET /django_metrics/metrics HTTP/1.1" 400 12865 "-" "Prometheus/2.52.0" "-"

Setting extraConfigs.DD_ALLOWED_CIDR_NETS: '10.244.0.0/16', the request will work and the problem will go away. If DD_ALLOWED_CIDR_NETS is not set, the previous behavior is kept.

@github-actions github-actions bot added the settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR label Jul 3, 2024
Copy link

dryrunsecurity bot commented Jul 3, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
IDOR Analyzer 0 findings
Configured Codepaths Analyzer 0 findings
SQL Injection Analyzer 0 findings
Authn/Authz Analyzer 1 finding
Secrets Analyzer 0 findings
Server-Side Request Forgery Analyzer 0 findings
Sensitive Files Analyzer 1 finding

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes focus on updating the dependencies and security-related configurations for the DefectDojo application, which is a web-based open-source application for managing application security programs.

The key changes include:

  1. Addition of the django-allow-cidr library (version 0.7.1) to the project's dependencies. This library allows restricting access to the Django application based on the client's IP address or CIDR range, which can help mitigate certain types of attacks, such as brute-force attacks or denial-of-service (DoS) attacks.

  2. Updates to the checksum file (dojo/settings/.settings.dist.py.sha256sum) to reflect changes made to the corresponding configuration file (dojo/settings/.settings.dist.py). This is a standard practice to ensure the integrity of the configuration file.

  3. Introduction of a new setting called DD_ALLOWED_CIDR_NETS in the Django settings file (dojo/settings/settings.dist.py). This setting allows specifying a list of CIDR network ranges that are allowed to access the application, which is an important security feature.

  4. Inclusion of various security-related settings in the dojo/settings/template-env file, such as HttpOnly and Secure flags on cookies, HTTPS enforcement, and content type sniffing prevention. These settings help improve the application's security by implementing best practices.

From an application security perspective, these changes appear to be focused on enhancing the security of the DefectDojo application. However, it is essential to review the actual values of the security-related configurations and ensure they are properly secured and aligned with the application's security requirements.

Files Changed:

  1. requirements.txt: The changes include the addition of the django-allow-cidr library (version 0.7.1) to the project's dependencies.

  2. dojo/settings/.settings.dist.py.sha256sum: The checksum value for the dojo/settings/.settings.dist.py file has been updated, indicating changes to the corresponding configuration file.

  3. dojo/settings/settings.dist.py: A new setting called DD_ALLOWED_CIDR_NETS has been introduced, which allows specifying a list of CIDR network ranges that are allowed to access the application.

  4. dojo/settings/template-env: This file includes various security-related settings, such as HttpOnly and Secure flags on cookies, HTTPS enforcement, and content type sniffing prevention.

Powered by DryRun Security

@fcecagno fcecagno changed the title Allowed hosts based on cidr feat: allowed hosts based on cidr Jul 3, 2024
@kiblik
Copy link
Contributor

kiblik commented Jul 3, 2024

Can you include also some unit tests? Maybe similar to:

@override_settings(
AUTH_REMOTEUSER_ENABLED=True,
AUTH_REMOTEUSER_USERNAME_HEADER="HTTP_REMOTE_USER",
AUTH_REMOTEUSER_TRUSTED_PROXY=IPSet(['192.168.0.0/24', '192.168.2.0/24']),
)
def test_trusted_proxy(self):
resp = self.client1.get('/profile',
REMOTE_ADDR='192.168.0.42',
headers={
"Remote-User": self.user.username,
}
)
self.assertEqual(resp.status_code, 200)
@override_settings(
AUTH_REMOTEUSER_ENABLED=True,
AUTH_REMOTEUSER_USERNAME_HEADER="HTTP_REMOTE_USER",
AUTH_REMOTEUSER_TRUSTED_PROXY=IPSet(['192.168.0.0/24', '192.168.2.0/24']),
)
def test_untrusted_proxy(self):
with self.assertLogs('dojo.remote_user', level='DEBUG') as cm:
resp = self.client1.get('/profile',
REMOTE_ADDR='192.168.1.42',
headers={
"Remote-User": self.user.username,
}
)
self.assertEqual(resp.status_code, 302)
self.assertIn('Requested came from untrusted proxy', cm.output[0])

Copy link
Contributor

github-actions bot commented Jul 3, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@mtesauro
Copy link
Contributor

mtesauro commented Jul 3, 2024

@fcecagno No problem with this change but agree with kiblik about the need for a unit test before it gets reviewed/approved.

@fcecagno
Copy link
Contributor Author

fcecagno commented Jul 3, 2024

Thanks for the review, I agree with you and will work on this.

@mtesauro
Copy link
Contributor

Closed as stale.

We're happy to have you reopen this PR if you're ready to complete the missing parts.

@mtesauro mtesauro closed this Jul 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
conflicts-detected settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants