| import path from 'node:path'; |
| import { color, getConfigValue, safeReadFileSync } from '../util.js'; |
| import { serverDirectory } from '../server-directory.js'; |
| import { isHostAllowed, hostValidationMiddleware } from 'host-validation-middleware'; |
|
|
| const knownHosts = new Set(); |
| const maxKnownHosts = 1000; |
|
|
| const hostWhitelistEnabled = !!getConfigValue('hostWhitelist.enabled', false); |
| const hostWhitelist = Object.freeze(getConfigValue('hostWhitelist.hosts', [])); |
| const hostWhitelistScan = !!getConfigValue('hostWhitelist.scan', false, 'boolean'); |
|
|
| const hostNotAllowedHtml = safeReadFileSync(path.join(serverDirectory, 'public/error/host-not-allowed.html'))?.toString() ?? ''; |
|
|
| const validationMiddleware = hostValidationMiddleware({ |
| allowedHosts: hostWhitelist, |
| generateErrorMessage: () => hostNotAllowedHtml, |
| errorResponseContentType: 'text/html', |
| }); |
|
|
| |
| |
| |
| |
| |
| |
| |
| export default function hostWhitelistMiddleware(req, res, next) { |
| const hostValue = req.headers.host; |
| if (hostWhitelistScan && !isHostAllowed(hostValue, hostWhitelist) && !knownHosts.has(hostValue) && knownHosts.size < maxKnownHosts) { |
| const isFirstWarning = knownHosts.size === 0; |
| console.warn(color.red('Request from untrusted host:'), hostValue); |
| console.warn(`If you trust this host, you can add it to ${color.yellow('hostWhitelist.hosts')} in config.yaml`); |
| if (!hostWhitelistEnabled && isFirstWarning) { |
| console.warn(`To protect against host spoofing, consider setting ${color.yellow('hostWhitelist.enabled')} to true`); |
| } |
| if (isFirstWarning) { |
| console.warn(`To disable this warning, set ${color.yellow('hostWhitelist.scan')} to false`); |
| } |
| knownHosts.add(hostValue); |
| } |
|
|
| if (!hostWhitelistEnabled) { |
| return next(); |
| } |
|
|
| return validationMiddleware(req, res, next); |
| } |
|
|
