Forbid access to blacklisted routes

2026-06-14 03:30:14 +00:00 · 2015-02-12 16:30:03 +02:00
parent b0108b5ad5
commit bbcf34f020
8 changed files with 76 additions and 1 deletions
@@ -80,6 +80,11 @@ gem 'daemons'
 # (see https://community.openproject.org/work_packages/3029)
 gem 'rack-protection', :git => "https://github.com/finnlabs/rack-protection.git", :ref => '5a7d1bd'

+# Rack::Attack is a rack middleware to protect your web app from bad clients. 
+# It allows whitelisting, blacklisting, throttling, and tracking based on arbitrary properties of the request.
+# https://github.com/kickstarter/rack-attack
+gem 'rack-attack'
+
 gem 'syck', :platforms => [:ruby_20, :mingw_20, :ruby_21, :mingw_21], :require => false

 gem 'gon', '~> 4.0'
@@ -300,6 +300,8 @@ GEM
    rack (1.4.5)
    rack-accept (0.4.5)
      rack (>= 0.4)
+    rack-attack (4.2.0)
+      rack
    rack-cache (1.2)
      rack (>= 0.4)
    rack-mount (0.8.3)
@@ -494,6 +496,7 @@ DEPENDENCIES
  pry-stack_explorer
  quiet_assets
  rabl (= 0.9.3)
+  rack-attack
  rack-protection!
  rack-test (~> 0.6.2)
  rack_session_access
@@ -82,6 +82,8 @@ module OpenProject
                             env['PATH_INFO'] =~ /\/api\/v3/
                           }

+    config.middleware.use Rack::Attack
+
    # Custom directories with classes and modules you want to be autoloadable.
    # config.autoload_paths += %W(#{config.root}/extras)
    config.autoload_paths << Rails.root.join('lib')
@@ -132,6 +132,25 @@
 #       - plugins
 #       - info
 #
+# Also there is a posibility to specify which routes are forbidden,
+# they should be listed as an array in yml format more information
+# regarding yml format you can find here:
+# http://symfony.com/doc/current/components/yaml/yaml_format.html
+# You can also use wildcards (*) in your url
+#
+# production:
+#   blacklisted_routes:
+#     - 'admin/info'
+#     - 'admin/plugins'
+#     - 'export_card_configurations'
+#     - 'project_types'
+#     - 'colors'
+#     - 'settings'
+#     - 'admin/enumerations'
+#     - 'workflows/*'
+#     - 'statuses'
+#     - 'types'
+#     - 'admin/roles'


 # default configuration options for all environments
@@ -0,0 +1,12 @@
+if OpenProject::Configuration.blacklisted_routes.any?
+  # Block logins from a bad user agent
+  Rack::Attack.blacklist('block forbidden routes') do |req|
+    regex = OpenProject::Configuration.blacklisted_routes.map! { |str| Regexp.new(str) }
+    regex.any? { |i| i =~ req.path }
+  end
+
+  Rack::Attack.blacklisted_response = lambda do |_env|
+    # All blacklisted routes would return a 404.
+    [404, {}, ['Not found']]
+  end
+end
@@ -85,6 +85,7 @@ storage config above like this:
 * [`attachments_storage`](#attachments-storage) (default: file)
 * [`hidden_menu_items`](#hidden-menu-items) (default: {})
 * [`disabled_modules`](#disabled-modules) (default: [])
+* [`blacklisted_routes`](#blacklisted-routes) (default: [])

 ### disable password login

@@ -181,6 +182,34 @@ For instance 'Roles' and 'Types' under 'Administration' can be disabled by defin
 OPENPROJECT_HIDDEN__MENU__ITEMS_ADMIN__MENU='roles types'
 ```

+### blacklisted routes
+
+*default: []*
+
+You can blacklist specific routes 
+The following example forbid all routes for above disabled menu:
+
+```
+blacklisted_routes:
+  - 'admin/info'
+  - 'admin/plugins'
+  - 'export_card_configurations'
+  - 'project_types'
+  - 'colors'
+  - 'settings'
+  - 'admin/enumerations'
+  - 'workflows/*'
+  - 'statuses'
+  - 'types'
+  - 'admin/roles'
+```
+
+The configuration can be overridden through environment variables.
+
+```
+OPENPROJECT_BLACKLISTED__ROUTES='admin/info admin/plugins'
+```
+
 ### disabled modules

 *default: []*
@@ -77,7 +77,8 @@ module OpenProject
      'disable_password_choice' => false,

      'disabled_modules' => [], # allow to disable default modules
-      'hidden_menu_items' => {}
+      'hidden_menu_items' => {},
+      'blacklisted_routes' => []
    }

    @config = nil
@@ -82,6 +82,10 @@ module OpenProject
        array self['disabled_modules']
      end

+      def blacklisted_routes
+        array self['blacklisted_routes']
+      end
+
      def available_file_uploaders
        {
          fog: ::FogFileUploader,