Check both X-Original-Forwarded-For and X-Forwarded-For

CybercentreCanada · Apr 17, 2020 · 6dff48d · 6dff48d
1 parent 9184441
commit 6dff48d
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 6 deletions.
diff --git a/assemblyline_ui/api/base.py b/assemblyline_ui/api/base.py
@@ -43,7 +43,8 @@ def auto_auth_check(self):
         uname = request.environ.get('HTTP_X_USER', None)
 
         if apikey is not None and uname is not None:
-            ip = request.headers.get("X-Forwarded-For", request.remote_addr)
+            ip = request.headers.get("X-Original-Forwarded-For",
+                                     request.headers.get("X-Forwarded-For", request.remote_addr))
             with elasticapm.capture_span(name=f"@api_login:auto_auth_check()", span_type="authentication"):
                 try:
                     # TODO: apikey_handler is slow to verify the password (bcrypt's fault)

diff --git a/assemblyline_ui/api/v4/authentication.py b/assemblyline_ui/api/v4/authentication.py
@@ -221,7 +221,8 @@ def login(**_):
         }
 
         logged_in_uname = None
-        ip = request.headers.get("X-Forwarded-For", request.remote_addr)
+        ip = request.headers.get("X-Original-Forwarded-For",
+                                 request.headers.get("X-Forwarded-For", request.remote_addr))
         try:
             logged_in_uname, priv = default_authenticator(auth, request, flsk_session, STORAGE)
             session_duration = config.ui.session_duration

diff --git a/assemblyline_ui/security/authenticator.py b/assemblyline_ui/security/authenticator.py
@@ -83,9 +83,11 @@ def get_logged_in_user(self):
             else:
                 session['expire_at'] = cur_time + session.get('duration', 3600)
 
-        if request.headers.get("X-Forwarded-For", request.remote_addr) != session.get('ip', None):
-            current_app.logger.debug(f'[{session_id}] X-Forwarded-For does not match session IP '
-                                     f'{request.headers.get("X-Forwarded-For", None)} != {session.get("ip", None)}')
+        ip = request.headers.get("X-Original-Forwarded-For",
+                                 request.headers.get("X-Forwarded-For", request.remote_addr))
+        if ip != session.get('ip', None):
+            current_app.logger.debug(f'[{session_id}] IP found in headers does not match session IP '
+                                     f'{ip} != {session.get("ip", None)}')
             abort(401)
 
         if request.headers.get("User-Agent", None) != session.get('user_agent', None):

diff --git a/assemblyline_ui/sio/base.py b/assemblyline_ui/sio/base.py
@@ -80,7 +80,8 @@ def get_request_id(request_p):
 
 
 def get_user_info(request_p, session_p):
-    src_ip = request_p.headers.get("X-Forwarded-For", request_p.remote_addr)
+    src_ip = request_p.headers.get("X-Original-Forwarded-For",
+                                   request_p.headers.get("X-Forwarded-For", request.remote_addr))
     sid = get_request_id(request_p)
     uname = None
     current_session = KV_SESSION.get(session_p.get("session_id", None))