| | import path from 'node:path'; |
| | import { color, getConfigValue, safeReadFileSync } from '../util.js'; |
| | import { serverDirectory } from '../server-directory.js'; |
| | import { isHostAllowed, hostValidationMiddleware } from 'host-validation-middleware'; |
| |
|
| | const knownHosts = new Set(); |
| | const maxKnownHosts = 1000; |
| |
|
| | const hostWhitelistEnabled = !!getConfigValue('hostWhitelist.enabled', false); |
| | const hostWhitelist = Object.freeze(getConfigValue('hostWhitelist.hosts', [])); |
| | const hostWhitelistScan = !!getConfigValue('hostWhitelist.scan', false, 'boolean'); |
| |
|
| | const hostNotAllowedHtml = safeReadFileSync(path.join(serverDirectory, 'public/error/host-not-allowed.html'))?.toString() ?? ''; |
| |
|
| | const validationMiddleware = hostValidationMiddleware({ |
| | allowedHosts: hostWhitelist, |
| | generateErrorMessage: () => hostNotAllowedHtml, |
| | errorResponseContentType: 'text/html', |
| | }); |
| |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | export default function hostWhitelistMiddleware(req, res, next) { |
| | const hostValue = req.headers.host; |
| | if (hostWhitelistScan && !isHostAllowed(hostValue, hostWhitelist) && !knownHosts.has(hostValue) && knownHosts.size < maxKnownHosts) { |
| | const isFirstWarning = knownHosts.size === 0; |
| | console.warn(color.red('Request from untrusted host:'), hostValue); |
| | console.warn(`If you trust this host, you can add it to ${color.yellow('hostWhitelist.hosts')} in config.yaml`); |
| | if (!hostWhitelistEnabled && isFirstWarning) { |
| | console.warn(`To protect against host spoofing, consider setting ${color.yellow('hostWhitelist.enabled')} to true`); |
| | } |
| | if (isFirstWarning) { |
| | console.warn(`To disable this warning, set ${color.yellow('hostWhitelist.scan')} to false`); |
| | } |
| | knownHosts.add(hostValue); |
| | } |
| |
|
| | if (!hostWhitelistEnabled) { |
| | return next(); |
| | } |
| |
|
| | return validationMiddleware(req, res, next); |
| | } |
| |
|
