Improve localhost address validation (#9634)

* 🎨 Improv localhost address validation * 🐛 Compatible with browser extension
2025-12-19 16:10:12 +01:00 · 2023-11-12 08:52:34 +08:00 · 2023-11-12 08:52:34 +08:00 · c90072c3cf
commit c90072c3cf
parent 8a8fc17d21
2 changed files with 81 additions and 44 deletions
--- a/kernel/model/session.go
+++ b/kernel/model/session.go
@ -98,7 +98,7 @@ func LoginAuth(c *gin.Context) {
 		if err := session.Save(c); nil != err {
 			logging.LogErrorf("save session failed: " + err.Error())
-			c.Status(500)
+			c.Status(http.StatusInternalServerError)
 			return
 		}
 		return
@ -109,7 +109,7 @@ func LoginAuth(c *gin.Context) {
 	workspaceSession.Captcha = gulu.Rand.String(7)
 	if err := session.Save(c); nil != err {
 		logging.LogErrorf("save session failed: " + err.Error())
-		c.Status(500)
+		c.Status(http.StatusInternalServerError)
 		return
 	}
 }
@ -123,7 +123,7 @@ func GetCaptcha(c *gin.Context) {
 	})
 	if nil != err {
 		logging.LogErrorf("generates captcha failed: " + err.Error())
-		c.Status(500)
+		c.Status(http.StatusInternalServerError)
 		return
 	}
@ -132,16 +132,16 @@ func GetCaptcha(c *gin.Context) {
 	workspaceSession.Captcha = img.Text
 	if err = session.Save(c); nil != err {
 		logging.LogErrorf("save session failed: " + err.Error())
-		c.Status(500)
+		c.Status(http.StatusInternalServerError)
 		return
 	}
 	if err = img.WriteImage(c.Writer); nil != err {
 		logging.LogErrorf("writes captcha image failed: " + err.Error())
-		c.Status(500)
+		c.Status(http.StatusInternalServerError)
 		return
 	}
-	c.Status(200)
+	c.Status(http.StatusOK)
 }
 func CheckReadonly(c *gin.Context) {
@ -150,7 +150,7 @@ func CheckReadonly(c *gin.Context) {
 		result.Code = -1
 		result.Msg = Conf.Language(34)
 		result.Data = map[string]interface{}{"closeTimeout": 5000}
-		c.JSON(200, result)
+		c.JSON(http.StatusOK, result)
 		c.Abort()
 		return
 	}
@ -158,38 +158,21 @@ func CheckReadonly(c *gin.Context) {
 func CheckAuth(c *gin.Context) {
 	//logging.LogInfof("check auth for [%s]", c.Request.RequestURI)
 	localhost := util.IsLocalHost(c.Request.RemoteAddr)
 	// 未设置访问授权码
 	if "" == Conf.AccessAuthCode {
-		if origin := c.GetHeader("Origin"); "" != origin {
+		// Authenticate requests with the Origin header other than 127.0.0.1 https://github.com/siyuan-note/siyuan/issues/9180
-			// Authenticate requests with the Origin header other than 127.0.0.1 https://github.com/siyuan-note/siyuan/issues/9180
+		host := c.GetHeader("Host")
-			u, parseErr := url.Parse(origin)
+		origin := c.GetHeader("Origin")
-			if nil != parseErr {
+		forwardedHost := c.GetHeader("X-Forwarded-Host")
-				logging.LogWarnf("parse origin [%s] failed: %s", origin, parseErr)
+		if !localhost ||
-				c.JSON(401, map[string]interface{}{"code": -1, "msg": "Auth failed: parse req header [Origin] failed"})
+			("" != host && !util.IsLocalHost(host)) ||
-				c.Abort()
+			("" != origin && !util.IsLocalOrigin(origin) && !strings.HasPrefix(origin, "chrome-extension://")) ||
-				return
+			("" != forwardedHost && !util.IsLocalHost(forwardedHost)) {
-
+			c.JSON(http.StatusUnauthorized, map[string]interface{}{"code": -1, "msg": "Auth failed: for security reasons, please set [Access authorization code] when using non-127.0.0.1 access\n\n为安全起见，使用非 127.0.0.1 访问时请设置 [访问授权码]"})
-			}
+			c.Abort()
-
+			return
 			if "chrome-extension" == strings.ToLower(u.Scheme) {
 				c.Next()
 				return
 			}
 			if !strings.HasPrefix(u.Host, util.LocalHost) && !strings.HasPrefix(u.Host, "[::1]") {
 				c.JSON(401, map[string]interface{}{"code": -1, "msg": "Auth failed: for security reasons, please set [Access authorization code] when using non-127.0.0.1 access\n\n为安全起见，使用非 127.0.0.1 访问时请设置 [访问授权码]"})
 				c.Abort()
 				return
 			}
 		}
 		if !strings.HasPrefix(c.Request.RemoteAddr, util.LocalHost) && !strings.HasPrefix(c.Request.RemoteAddr, "[::1]") {
 			// Authenticate requests of assets other than 127.0.0.1 https://github.com/siyuan-note/siyuan/issues/9388
 			if strings.HasPrefix(c.Request.RequestURI, "/assets/") {
 				c.JSON(401, map[string]interface{}{"code": -1, "msg": "Auth failed: for security reasons, please set [Access authorization code] when using non-127.0.0.1 access\n\n为安全起见，使用非 127.0.0.1 访问时请设置 [访问授权码]"})
 				c.Abort()
 				return
 			}
 		}
 		c.Next()
@ -206,7 +189,7 @@ func CheckAuth(c *gin.Context) {
 	}
 	// 放过来自本机的某些请求
-	if strings.HasPrefix(c.Request.RemoteAddr, util.LocalHost) || strings.HasPrefix(c.Request.RemoteAddr, "[::1]") {
+	if localhost {
 		if strings.HasPrefix(c.Request.RequestURI, "/assets/") {
 			c.Next()
 			return
@ -234,7 +217,7 @@ func CheckAuth(c *gin.Context) {
 				return
 			}
-			c.JSON(401, map[string]interface{}{"code": -1, "msg": "Auth failed"})
+			c.JSON(http.StatusUnauthorized, map[string]interface{}{"code": -1, "msg": "Auth failed"})
 			c.Abort()
 			return
 		}
@ -247,7 +230,7 @@ func CheckAuth(c *gin.Context) {
 			return
 		}
-		c.JSON(401, map[string]interface{}{"code": -1, "msg": "Auth failed"})
+		c.JSON(http.StatusUnauthorized, map[string]interface{}{"code": -1, "msg": "Auth failed"})
 		c.Abort()
 		return
 	}
@ -261,7 +244,7 @@ func CheckAuth(c *gin.Context) {
 		userAgentHeader := c.GetHeader("User-Agent")
 		if strings.HasPrefix(userAgentHeader, "SiYuan/") || strings.HasPrefix(userAgentHeader, "Mozilla/") {
 			if "GET" != c.Request.Method {
-				c.JSON(401, map[string]interface{}{"code": -1, "msg": Conf.Language(156)})
+				c.JSON(http.StatusUnauthorized, map[string]interface{}{"code": -1, "msg": Conf.Language(156)})
 				c.Abort()
 				return
 			}
@ -271,12 +254,13 @@ func CheckAuth(c *gin.Context) {
 			queryParams.Set("to", c.Request.URL.String())
 			location.RawQuery = queryParams.Encode()
 			location.Path = "/check-auth"
-			c.Redirect(302, location.String())
+
 			c.Redirect(http.StatusFound, location.String())
 			c.Abort()
 			return
 		}
-		c.JSON(401, map[string]interface{}{"code": -1, "msg": "Auth failed"})
+		c.JSON(http.StatusUnauthorized, map[string]interface{}{"code": -1, "msg": "Auth failed"})
 		c.Abort()
 		return
 	}
@ -316,7 +300,7 @@ func Timing(c *gin.Context) {
 func Recover(c *gin.Context) {
 	defer func() {
 		logging.Recover()
-		c.Status(500)
+		c.Status(http.StatusInternalServerError)
 	}()
 	c.Next()
--- a/kernel/util/net.go
+++ b/kernel/util/net.go
@ -17,6 +17,7 @@
 package util
 import (
 	"net"
 	"net/http"
 	"net/url"
 	"strings"
@ -31,6 +32,58 @@ import (
 	"github.com/siyuan-note/logging"
 )
 func ValidOptionalPort(port string) bool {
 	if port == "" {
 		return true
 	}
 	if port[0] != ':' {
 		return false
 	}
 	for _, b := range port[1:] {
 		if b < '0' || b > '9' {
 			return false
 		}
 	}
 	return true
 }
 func SplitHost(host string) (hostname, port string) {
 	hostname = host
 	colon := strings.LastIndexByte(hostname, ':')
 	if colon != -1 && ValidOptionalPort(hostname[colon:]) {
 		hostname, port = hostname[:colon], hostname[colon+1:]
 	}
 	if strings.HasPrefix(hostname, "[") && strings.HasSuffix(hostname, "]") {
 		hostname = hostname[1 : len(hostname)-1]
 	}
 	return
 }
 func IsLocalHostname(hostname string) bool {
 	if "localhost" == hostname {
 		return true
 	}
 	if ip := net.ParseIP(hostname); nil != ip {
 		return ip.IsLoopback()
 	}
 	return false
 }
 func IsLocalHost(host string) bool {
 	hostname, _ := SplitHost(host)
 	return IsLocalHostname(hostname)
 }
 func IsLocalOrigin(origin string) bool {
 	if url, err := url.Parse(origin); nil == err {
 		return IsLocalHostname(url.Hostname())
 	}
 	return false
 }
 func IsOnline(checkURL string, skipTlsVerify bool) bool {
 	_, err := url.Parse(checkURL)
 	if nil != err {