Add Trusted Origins to CSRF Handler (#2301)
Enables the user to add origins (hosts) that they expect incoming connections to come from. Helpful in cases where TLS termination is handled by a load balancer upstream, rather than the application itself.
pull/2162/merge
parent
3863ad31b9
commit
78e9a51168
@ -3,7 +3,8 @@
|
||||||
"listen_url": "127.0.0.1:3333",
|
"listen_url": "127.0.0.1:3333",
|
||||||
"use_tls": true,
|
"use_tls": true,
|
||||||
"cert_path": "gophish_admin.crt",
|
"cert_path": "gophish_admin.crt",
|
||||||
"key_path": "gophish_admin.key"
|
"key_path": "gophish_admin.key",
|
||||||
|
"trusted_origins": []
|
||||||
},
|
},
|
||||||
"phish_server": {
|
"phish_server": {
|
||||||
"listen_url": "0.0.0.0:80",
|
"listen_url": "0.0.0.0:80",
|
||||||
|
|
|
@ -15,6 +15,7 @@ type AdminServer struct {
|
||||||
KeyPath string `json:"key_path"`
|
KeyPath string `json:"key_path"`
|
||||||
CSRFKey string `json:"csrf_key"`
|
CSRFKey string `json:"csrf_key"`
|
||||||
AllowedInternalHosts []string `json:"allowed_internal_hosts"`
|
AllowedInternalHosts []string `json:"allowed_internal_hosts"`
|
||||||
|
TrustedOrigins []string `json:"trusted_origins"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// PhishServer represents the Phish server configuration details
|
// PhishServer represents the Phish server configuration details
|
||||||
|
|
|
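Review bot: The new `TrustedOrigins` field on the AdminServer struct carries no comment, and its value format is the one thing an operator is likely to get wrong, so I would document it at the declaration: `// TrustedOrigins lists extra origins (bare host[:port], no scheme or path) whose Referer the CSRF check accepts in addition to the request host; list only hosts you control, since each entry widens the CSRF trust boundary.` If I recall gorilla/csrf correctly it compares each entry against the Referer host verbatim, so an entry written as `https://example.com` would silently never match — worth confirming against the library and stating in the comment. The AdminServer struct itself begins before this hunk.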
@ -154,7 +154,8 @@ func (as *AdminServer) registerRoutes() {
|
||||||
}
|
}
|
||||||
csrfHandler := csrf.Protect(csrfKey,
|
csrfHandler := csrf.Protect(csrfKey,
|
||||||
csrf.FieldName("csrf_token"),
|
csrf.FieldName("csrf_token"),
|
||||||
csrf.Secure(as.config.UseTLS))
|
csrf.Secure(as.config.UseTLS),
|
||||||
|
csrf.TrustedOrigins(as.config.TrustedOrigins))
|
||||||
adminHandler := csrfHandler(router)
|
adminHandler := csrfHandler(router)
|
||||||
adminHandler = mid.Use(adminHandler.ServeHTTP, mid.CSRFExceptions, mid.GetContext, mid.ApplySecurityHeaders)
|
adminHandler = mid.Use(adminHandler.ServeHTTP, mid.CSRFExceptions, mid.GetContext, mid.ApplySecurityHeaders)
|
||||||
|
|
||||||
|
|
|
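Review bot: The list passed to `csrf.TrustedOrigins` comes straight from the config file with no validation, so a malformed entry (a scheme, trailing slash or stray whitespace) is accepted at startup and, assuming gorilla/csrf matches the Referer host exactly, just never matches, while a correct entry quietly widens which Referers pass the CSRF check. I would validate and log the list once here, before `csrf.Protect`, e.g. `for _, o := range as.config.TrustedOrigins { if strings.Contains(o, "://") || strings.ContainsAny(o, "/ ") { log.Warnf("trusted_origins entry %q should be a bare host[:port]", o) } }`, and log the accepted entries so a surprising CSRF bypass is visible in the logs. Separately, in the upstream-TLS-termination scenario the description targets, `use_tls` will be false and the `csrf.Secure(as.config.UseTLS)` line then issues the CSRF cookie without the Secure attribute; that predates this change but may deserve its own flag. registerRoutes starts before this hunk.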
@ -25,6 +25,12 @@ if [ -n "${ADMIN_KEY_PATH+set}" ] ; then
|
||||||
'.admin_server.key_path = $ADMIN_KEY_PATH' config.json > config.json.tmp && \
|
'.admin_server.key_path = $ADMIN_KEY_PATH' config.json > config.json.tmp && \
|
||||||
cat config.json.tmp > config.json
|
cat config.json.tmp > config.json
|
||||||
fi
|
fi
|
||||||
|
if [ -n "${ADMIN_TRUSTED_ORIGINS+set}" ] ; then
|
||||||
|
jq -r \
|
||||||
|
--arg ADMIN_TRUSTED_ORIGINS "${ADMIN_TRUSTED_ORIGINS}" \
|
||||||
|
'.admin_server.trusted_origins = ($ADMIN_TRUSTED_ORIGINS|split(","))' config.json > config.json.tmp && \
|
||||||
|
cat config.json.tmp > config.json
|
||||||
|
fi
|
||||||
|
|
||||||
# set config for phish_server
|
# set config for phish_server
|
||||||
if [ -n "${PHISH_LISTEN_URL+set}" ] ; then
|
if [ -n "${PHISH_LISTEN_URL+set}" ] ; then
|
||||||
|
|
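Review bot: `split(",")` keeps surrounding whitespace, so `ADMIN_TRUSTED_ORIGINS="a.example.com, b.example.com"` writes an entry `" b.example.com"` that, if the CSRF library matches hosts exactly, will never match and gives the operator no error. I would trim and drop empty entries in the jq filter: `'.admin_server.trusted_origins = ($ADMIN_TRUSTED_ORIGINS | split(",") | map(gsub("^\\s+|\\s+$"; "")) | map(select(. != "")))'`. It would also help to document the expected format next to the variable, as a bare host[:port] per entry with no scheme, since this is the only place the Docker user sees it.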