diff --git a/config.json b/config.json index a2b813eb..8d6ff39d 100644 --- a/config.json +++ b/config.json @@ -3,7 +3,8 @@ "listen_url": "127.0.0.1:3333", "use_tls": true, "cert_path": "gophish_admin.crt", - "key_path": "gophish_admin.key" + "key_path": "gophish_admin.key", + "trusted_origins": [] }, "phish_server": { "listen_url": "0.0.0.0:80", diff --git a/config/config.go b/config/config.go index 98ec6b6a..62b7a850 100644 --- a/config/config.go +++ b/config/config.go @@ -15,6 +15,7 @@ type AdminServer struct { KeyPath string `json:"key_path"` CSRFKey string `json:"csrf_key"` AllowedInternalHosts []string `json:"allowed_internal_hosts"` + TrustedOrigins []string `json:"trusted_origins"` } // PhishServer represents the Phish server configuration details diff --git a/controllers/route.go b/controllers/route.go index 72285518..382039fb 100644 --- a/controllers/route.go +++ b/controllers/route.go @@ -154,7 +154,8 @@ func (as *AdminServer) registerRoutes() { } csrfHandler := csrf.Protect(csrfKey, csrf.FieldName("csrf_token"), - csrf.Secure(as.config.UseTLS)) + csrf.Secure(as.config.UseTLS), + csrf.TrustedOrigins(as.config.TrustedOrigins)) adminHandler := csrfHandler(router) adminHandler = mid.Use(adminHandler.ServeHTTP, mid.CSRFExceptions, mid.GetContext, mid.ApplySecurityHeaders) diff --git a/docker/run.sh b/docker/run.sh index 17cceb5d..bdfc22fa 100755 --- a/docker/run.sh +++ b/docker/run.sh @@ -25,6 +25,12 @@ if [ -n "${ADMIN_KEY_PATH+set}" ] ; then '.admin_server.key_path = $ADMIN_KEY_PATH' config.json > config.json.tmp && \ cat config.json.tmp > config.json fi +if [ -n "${ADMIN_TRUSTED_ORIGINS+set}" ] ; then + jq -r \ + --arg ADMIN_TRUSTED_ORIGINS "${ADMIN_TRUSTED_ORIGINS}" \ + '.admin_server.trusted_origins = ($ADMIN_TRUSTED_ORIGINS|split(","))' config.json > config.json.tmp && \ + cat config.json.tmp > config.json +fi # set config for phish_server if [ -n "${PHISH_LISTEN_URL+set}" ] ; then