From 945bab04bf60f1d5fa45cfc527cf9a107f7495d7 Mon Sep 17 00:00:00 2001 From: Miracle575 <longsijie@icode.pku.edu.cn> Date: Sat, 25 Nov 2023 06:02:43 +0000 Subject: [PATCH 1/8] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=20callbackUrl=20?= =?UTF-8?q?=E6=9C=AA=E8=BD=AC=E4=B9=89=E7=9A=84=E9=97=AE=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apps/auth/views/login.liquid | 4 ++-- apps/auth/views/otp/bindOtp.liquid | 6 +++--- apps/auth/views/otp/qrcode.liquid | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/apps/auth/views/login.liquid b/apps/auth/views/login.liquid index 32a6c7e704..8ed26851cd 100644 --- a/apps/auth/views/login.liquid +++ b/apps/auth/views/login.liquid @@ -97,7 +97,7 @@ {% endif %} <input type="hidden" name="token" value="{{ token }}" /> - <input type="hidden" name="callbackUrl" value="{{ callbackUrl }}" /> + <input type="hidden" name="callbackUrl" value="{{ callbackUrl | escape }}" /> {% if err %} <p class="my-4 text-center text-red-600">{{ authTexts.login.invalidInput }}</p> @@ -116,7 +116,7 @@ <button type="submit" name="action" value="bindOtp" class="px text-gray-400"> {{ authTexts.login.bindOtp }} </button> - <input type="hidden" name="callbackUrl" value="{{ callbackUrl }}" /> + <input type="hidden" name="callbackUrl" value="{{ callbackUrl | escape }}" /> </form> </div> {% endif %} diff --git a/apps/auth/views/otp/bindOtp.liquid b/apps/auth/views/otp/bindOtp.liquid index 2344cc22dc..ed7844be9c 100644 --- a/apps/auth/views/otp/bindOtp.liquid +++ b/apps/auth/views/otp/bindOtp.liquid @@ -23,7 +23,7 @@ <button type="submit" name="action" value="backToLoginUI" class="text-x text-gray-500 mr-4"> {{ authTexts.bindOtp.returnLogin }} </button> - <input type="hidden" name="callbackUrl" value="{{ callbackUrl }}"> + <input type="hidden" name="callbackUrl" value="{{ callbackUrl | escape }}"> </form> </div> {% unless bindLimitMinutes %} 
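Review bot: `escape` is now applied to `callbackUrl`, but the hidden inputs beside it stay unescaped — `value="{{ token }}"` two lines above in this hunk, and `{{ otpSessionToken }}` / `{{ emailAddress }}` in the `@@ -113` hunk of bindOtp.liquid. If any of those values can originate from the request (emailAddress looks like it may), the same attribute break-out applies to them, so I would escape every interpolated attribute value uniformly, e.g. `value="{{ emailAddress | escape }}"`. Escaping only fixes the HTML context: if the server later redirects to `callbackUrl`, the destination still has to be validated server-side (presumably in the auth routes, which the template cannot do).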
@@ -53,7 +53,7 @@ {{ authTexts.bindOtp.confirm }} </button> </div> - <input type="hidden" name="callbackUrl" value="{{ callbackUrl }}"> + <input type="hidden" name="callbackUrl" value="{{ callbackUrl | escape }}"> </form> {% else %} @@ -113,7 +113,7 @@ </div> <input type="hidden" name="otpSessionToken" value="{{ otpSessionToken }}" /> <input type="hidden" name="emailAddress" value="{{ emailAddress }}" /> - <input type="hidden" name="callbackUrl" value="{{ callbackUrl }}"> + <input type="hidden" name="callbackUrl" value="{{ callbackUrl | escape }}"> </form> {% endunless %} </div> diff --git a/apps/auth/views/otp/qrcode.liquid b/apps/auth/views/otp/qrcode.liquid index e543e1601c..e84ebb0e76 100644 --- a/apps/auth/views/otp/qrcode.liquid +++ b/apps/auth/views/otp/qrcode.liquid @@ -4,5 +4,5 @@ <input type="hidden" name="callbackUrl" - value="{{ callbackUrl }}"> + value="{{ callbackUrl | escape }}"> </div> From 85ba9476d80fb35f1c0e7ded6ca825b1ab4a667b Mon Sep 17 00:00:00 2001 From: Miracle575 <longsijie@icode.pku.edu.cn> Date: Sat, 25 Nov 2023 06:24:30 +0000 Subject: [PATCH 2/8] =?UTF-8?q?feat:=20=E6=B7=BB=E5=8A=A0=20changeset=20?= =?UTF-8?q?=E6=96=87=E4=BB=B6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .changeset/perfect-dodos-jam.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .changeset/perfect-dodos-jam.md diff --git a/.changeset/perfect-dodos-jam.md b/.changeset/perfect-dodos-jam.md new file mode 100644 index 0000000000..5efdf9a247 --- /dev/null +++ b/.changeset/perfect-dodos-jam.md @@ -0,0 +1,5 @@ +--- +"@scow/auth": patch +--- + +修复 callbackUrl 未转义的问题 From cb805b1f5287bea7843817379d0f959d8042f437 Mon Sep 17 00:00:00 2001 
From: Miracle575 <longsijie@icode.pku.edu.cn> Date: Sat, 25 Nov 2023 06:54:28 +0000 Subject: [PATCH 3/8] =?UTF-8?q?fix:=20host=20=E5=A4=B4=E6=94=BB=E5=87=BB?= =?UTF-8?q?=E6=BC=8F=E6=B4=9E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apps/cli/assets/install.yaml | 3 +++ apps/cli/src/compose/index.ts | 1 + apps/cli/src/config/install.ts | 5 +++++ apps/gateway/assets/nginx.conf | 2 ++ apps/gateway/src/env.ts | 2 ++ 5 files changed, 13 insertions(+) diff --git a/apps/cli/assets/install.yaml b/apps/cli/assets/install.yaml index 88f6e6cff5..606ed39d06 100644 --- a/apps/cli/assets/install.yaml +++ b/apps/cli/assets/install.yaml @@ -129,6 +129,9 @@ # include includes/headers; # include includes/websocket; # } +# # 允许访问的域名或 IP,多个域名或 IP 间用空格隔开 +# # 默认接受所有域名和 IP,"_" 即表示接受所有域名和 IP +# allowedServerName: "_" # 插件配置 # plugins: diff --git a/apps/cli/src/compose/index.ts b/apps/cli/src/compose/index.ts index 26b7e04fbd..3349015cef 100644 --- a/apps/cli/src/compose/index.ts +++ b/apps/cli/src/compose/index.ts @@ -126,6 +126,7 @@ export const createComposeSpec = (config: InstallConfigSchema) => { "PUBLIC_PATH": publicPath, "PUBLIC_DIR": publicDir, "EXTRA": config.gateway.extra, + "ALLOWED_SERVER_NAME": config.gateway.allowedServerName, }, ports: { [config.port]: 80 }, volumes: { diff --git a/apps/cli/src/config/install.ts b/apps/cli/src/config/install.ts index f215722737..0a22ce6e5e 100644 --- a/apps/cli/src/config/install.ts +++ b/apps/cli/src/config/install.ts @@ -45,6 +45,11 @@ export const InstallConfigSchema = Type.Object({ description: "更多nginx配置,可接受的格式为nginx的server可接受的属性配置,可增加在当前系统nginx端口(默认80)的服务等", default: "", }), + + allowedServerName: Type.String({ + description: "允许访问的域名或 IP", + default: "_", + }), }, { default: {} }), portal: Type.Optional(Type.Object({ diff --git a/apps/gateway/assets/nginx.conf b/apps/gateway/assets/nginx.conf index 0e12dc0804..38ec9aef03 100644 --- a/apps/gateway/assets/nginx.conf 
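Review bot: The new `allowedServerName` field in install.ts accepts any string, yet its value is spliced verbatim into `server_name ${...};` in nginx.conf, so a stray `;`, `}` or newline in install.yaml silently rewrites the nginx config instead of failing validation. I would constrain it in the schema, e.g. `pattern: "^[A-Za-z0-9_.*:-]+( [A-Za-z0-9_.*:-]+)*$"` (widen it if nginx `~` regex names are wanted), so the CLI rejects a malformed value with a clear message. The `description` should also say what the install.yaml comment and the `env.ts` hunk already state — names are space-separated and `"_"` means every host — since the three descriptions of the same setting currently disagree on that.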
+++ b/apps/gateway/assets/nginx.conf @@ -1,5 +1,7 @@ server { + server_name ${server_name}; + resolver ${RESOLVER} valid=10s; resolver_timeout 5s; diff --git a/apps/gateway/src/env.ts b/apps/gateway/src/env.ts index 18993d5e82..342b9859d2 100644 --- a/apps/gateway/src/env.ts +++ b/apps/gateway/src/env.ts @@ -35,5 +35,7 @@ export const config = envConfig({ PUBLIC_DIR: str({ desc: "静态文件在文件系统中的路径。以/结尾", default: "/app/apps/gateway/public/" }), PUBLIC_PATH: str({ desc: "静态文件路径前缀。以/开头,以/结尾", default: "/__public__/" }), + + ALLOWED_SERVER_NAME: str({ desc: "允许访问的域名或 IP,多个域名和 IP 间用空格隔开", default: "_" }), }); From 7b65dcdd4e3102b1f0ecc5bb4c141b9bf9bc600b Mon Sep 17 00:00:00 2001 From: Miracle575 <longsijie@icode.pku.edu.cn> Date: Sat, 25 Nov 2023 07:15:04 +0000 Subject: [PATCH 4/8] fix: nginx error --- apps/gateway/assets/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/gateway/assets/nginx.conf b/apps/gateway/assets/nginx.conf index 38ec9aef03..1487b60784 100644 --- a/apps/gateway/assets/nginx.conf +++ b/apps/gateway/assets/nginx.conf @@ -1,6 +1,6 @@ server { - server_name ${server_name}; + server_name ${ALLOWED_SERVER_NAME}; resolver ${RESOLVER} valid=10s; resolver_timeout 5s; From e637809b0bbf17cfa4128ee8f9e8f8569a4d2899 Mon Sep 17 00:00:00 2001 From: Miracle575 <longsijie@icode.pku.edu.cn> Date: Sat, 25 Nov 2023 08:05:20 +0000 Subject: [PATCH 5/8] =?UTF-8?q?feat:=20=E5=BD=93=20server=5Fname=20?= =?UTF-8?q?=E4=B8=8D=E4=B8=BA=20=5F=20=E6=B7=BB=E5=8A=A0=E9=BB=98=E8=AE=A4?= =?UTF-8?q?=20server=20=E5=9D=97?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apps/cli/src/compose/index.ts | 5 +++++ apps/gateway/assets/nginx.conf | 2 ++ apps/gateway/src/env.ts | 6 +++++- 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/apps/cli/src/compose/index.ts b/apps/cli/src/compose/index.ts index 3349015cef..5ee39cf6a9 100644 --- a/apps/cli/src/compose/index.ts +++ b/apps/cli/src/compose/index.ts 
@@ -113,6 +113,10 @@ export const createComposeSpec = (config: InstallConfigSchema) => { const publicPath = "/__public__/"; const publicDir = "/app/apps/gateway/public/"; + const defaultServerBlock = `server { + listen 80 default_server; + return 444; + }`; // GATEWAY addService("gateway", { image: scowImage, @@ -127,6 +131,7 @@ export const createComposeSpec = (config: InstallConfigSchema) => { "PUBLIC_DIR": publicDir, "EXTRA": config.gateway.extra, "ALLOWED_SERVER_NAME": config.gateway.allowedServerName, + "DEFAULT_SERVER_BLOCK": config.gateway.allowedServerName === "_" ? "" : defaultServerBlock, }, ports: { [config.port]: 80 }, volumes: { diff --git a/apps/gateway/assets/nginx.conf b/apps/gateway/assets/nginx.conf index 1487b60784..b823bc0cae 100644 --- a/apps/gateway/assets/nginx.conf +++ b/apps/gateway/assets/nginx.conf @@ -62,3 +62,5 @@ server { ${EXTRA} } + +${DEFAULT_SERVER_BLOCK} diff --git a/apps/gateway/src/env.ts b/apps/gateway/src/env.ts index 342b9859d2..f340725ec3 100644 --- a/apps/gateway/src/env.ts +++ b/apps/gateway/src/env.ts @@ -36,6 +36,10 @@ export const config = envConfig({ PUBLIC_DIR: str({ desc: "静态文件在文件系统中的路径。以/结尾", default: "/app/apps/gateway/public/" }), PUBLIC_PATH: str({ desc: "静态文件路径前缀。以/开头,以/结尾", default: "/__public__/" }), - ALLOWED_SERVER_NAME: str({ desc: "允许访问的域名或 IP,多个域名和 IP 间用空格隔开", default: "_" }), + ALLOWED_SERVER_NAME: str({ desc: "允许访问的域名或 IP,多个域名和 IP 间用空格隔开", default: "a" }), + DEFAULT_SERVER_BLOCK: str({ desc: "当配置了ALLOWED_SERVER_NAME为特定IP或域名时,设置默认服务块拒绝其他访问", default: `server { + listen 80 default_server; + return 444; + }` }), }); From ce6cea48e56ef4bc9eaf87ada9daf162427eff06 Mon Sep 17 00:00:00 2001 From: Miracle575 <longsijie@icode.pku.edu.cn> Date: Sat, 25 Nov 2023 08:34:30 +0000 Subject: [PATCH 6/8] fix: test error --- apps/gateway/src/env.ts | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/apps/gateway/src/env.ts b/apps/gateway/src/env.ts index f340725ec3..ebc44ad0cd 100644 
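Review bot: `config.gateway.allowedServerName === "_"` recognises only the exact string `_`; since the field is documented as a space-separated list, a value like `"_ example.com"` or one with surrounding whitespace would emit the `default_server` catch-all next to a server the operator meant to accept everything, and unmatched Hosts would be closed with 444. Splitting first is safer: `const names = config.gateway.allowedServerName.trim().split(/\s+/);` and `"DEFAULT_SERVER_BLOCK": names.includes("_") ? "" : defaultServerBlock,`. The `listen` directive of the main server block is outside this hunk; if it also declares `default_server` on port 80 nginx rejects the generated config, so that interaction deserves a comment on `defaultServerBlock`.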
--- a/apps/gateway/src/env.ts +++ b/apps/gateway/src/env.ts @@ -36,10 +36,7 @@ export const config = envConfig({ PUBLIC_DIR: str({ desc: "静态文件在文件系统中的路径。以/结尾", default: "/app/apps/gateway/public/" }), PUBLIC_PATH: str({ desc: "静态文件路径前缀。以/开头,以/结尾", default: "/__public__/" }), - ALLOWED_SERVER_NAME: str({ desc: "允许访问的域名或 IP,多个域名和 IP 间用空格隔开", default: "a" }), - DEFAULT_SERVER_BLOCK: str({ desc: "当配置了ALLOWED_SERVER_NAME为特定IP或域名时,设置默认服务块拒绝其他访问", default: `server { - listen 80 default_server; - return 444; - }` }), + ALLOWED_SERVER_NAME: str({ desc: "允许访问的域名或 IP,多个域名和 IP 间用空格隔开", default: "_" }), + DEFAULT_SERVER_BLOCK: str({ desc: "当配置了ALLOWED_SERVER_NAME为特定IP或域名时,设置默认服务块拒绝其他访问", default: "" }), }); From d13cde3fa33163d5eb1b8b28df7f556b4d970223 Mon Sep 17 00:00:00 2001 From: Miracle575 <longsijie@icode.pku.edu.cn> Date: Sat, 25 Nov 2023 09:09:50 +0000 Subject: [PATCH 7/8] =?UTF-8?q?feat:=20=E4=BF=AE=E6=94=B9=20changeset=20?= =?UTF-8?q?=E6=96=87=E4=BB=B6=E5=B9=B6=E6=96=B0=E5=A2=9E=E6=96=87=E6=A1=A3?= =?UTF-8?q?=E8=AF=B4=E6=98=8E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .changeset/perfect-dodos-jam.md | 5 ---- .changeset/seven-glasses-rest.md | 8 ++++++ .../deploy/config/gateway/config/index.md | 27 ++++++++++++++----- 3 files changed, 28 insertions(+), 12 deletions(-) delete mode 100644 .changeset/perfect-dodos-jam.md create mode 100644 .changeset/seven-glasses-rest.md diff --git a/.changeset/perfect-dodos-jam.md b/.changeset/perfect-dodos-jam.md deleted file mode 100644 index 5efdf9a247..0000000000 --- a/.changeset/perfect-dodos-jam.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@scow/auth": patch ---- - -修复 callbackUrl 未转义的问题 diff --git a/.changeset/seven-glasses-rest.md b/.changeset/seven-glasses-rest.md new file mode 100644 index 0000000000..d2b327962b --- /dev/null +++ b/.changeset/seven-glasses-rest.md 
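Review bot: With these defaults the two variables are only coherent when the CLI sets both: a gateway started with `ALLOWED_SERVER_NAME=example.com` and `DEFAULT_SERVER_BLOCK` left at `""` gets a restricted `server_name` but no `default_server`, and nginx then routes every unmatched Host to that single server anyway (the main block's `listen` line is outside this hunk), so the Host restriction is silently ineffective. I would derive the fallback inside the gateway rather than trust the caller — after `envConfig` returns, when `ALLOWED_SERVER_NAME` does not contain `_` and `DEFAULT_SERVER_BLOCK` is empty, fill in the `return 444` block the CLI generates — or at minimum state in `desc` that `DEFAULT_SERVER_BLOCK` must be set whenever `ALLOWED_SERVER_NAME` is not `_`, otherwise the restriction does not take effect.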
@@ -0,0 +1,8 @@ +--- +"@scow/gateway": minor +"@scow/cli": minor +"@scow/docs": minor +"@scow/auth": patch +--- + +修复 scow 存在的 web 安全漏洞 diff --git a/docs/docs/deploy/config/gateway/config/index.md b/docs/docs/deploy/config/gateway/config/index.md index 124d7b1be2..0e509021b8 100644 --- a/docs/docs/deploy/config/gateway/config/index.md +++ b/docs/docs/deploy/config/gateway/config/index.md @@ -15,15 +15,28 @@ title: 配置 ```yaml title="install.yml" # 网关配置 gateway: - # 更多nginx配置 - extra: > - location /extra { - proxy_pass http://extra-web:3000; - include includes/headers; - include includes/websocket; - } + # 更多nginx配置 + extra: > + location /extra { + proxy_pass http://extra-web:3000; + include includes/headers; + include includes/websocket; + } ``` 您增加`extra`配置后,可以在使用`./cli compose up -d`启动scow后,使用 ` ./cli compose exec gateway sh` 进入gateway服务,在 `/etc/nginx/http.d` 目录下的 `default.conf` 文件最下方查看到您添加的配置。 如果gateway服务启动失败,说明您的配置不符合规范,请保证其正确性。 +## 域名白名单配置 + +scow 网关默认接收来自所有域名的访问 +为了防止 host 头攻击的发生。所以可以通过设置域名白名单来限制可访问的域名或 IP + +``` +gateway: + # 更多nginx配置 + allowedServerName: example.com www.example.com +``` + +多个域名或 IP 间用空格间隔即可。 + From 4fb67f25bbbe8e89669df0ea9c9f8769352633b5 Mon Sep 17 00:00:00 2001 From: Miracle575 <longsijie@icode.pku.edu.cn> Date: Sun, 26 Nov 2023 10:02:02 +0000 Subject: [PATCH 8/8] =?UTF-8?q?docs:=20=E4=BF=AE=E6=94=B9=E6=96=87?= =?UTF-8?q?=E6=A1=A3=E8=AF=B4=E6=98=8E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/docs/deploy/config/gateway/config/index.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/docs/deploy/config/gateway/config/index.md b/docs/docs/deploy/config/gateway/config/index.md index 0e509021b8..5319593627 100644 --- a/docs/docs/deploy/config/gateway/config/index.md +++ b/docs/docs/deploy/config/gateway/config/index.md 
@@ -29,12 +29,13 @@ gateway: ## 域名白名单配置 -scow 网关默认接收来自所有域名的访问 -为了防止 host 头攻击的发生。所以可以通过设置域名白名单来限制可访问的域名或 IP +scow 网关默认不限制 HTTP Host 头 + +为了防止 host 头攻击的发生,可以通过设置域名白名单来限制 Host 的域名或 IP ``` gateway: - # 更多nginx配置 + # 同 nginx server_name 配置 allowedServerName: example.com www.example.com ```