은승우 / LINEBOT

Go to a project
Toggle navigation Toggle navigation pinning
Switch branch/tag
https-middleware.js 4.81 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 
"use strict";

var SanitizeHost = module.exports;
var HttpMiddleware = require("./http-middleware.js");

SanitizeHost.create = function(gl, app) {
    return function(req, res, next) {
        function realNext() {
            if ("function" === typeof app) {
                app(req, res);
            } else if ("function" === typeof next) {
                next();
            } else {
                res.statusCode = 500;
                res.end("Error: no middleware assigned");
            }
        }

        var hostname = HttpMiddleware.getHostname(req);
        // Replace the hostname, and get the safe version
        var safehost = HttpMiddleware.sanitizeHostname(req);

        // if no hostname, move along
        if (!hostname) {
            realNext();
            return;
        }

        // if there were unallowed characters, complain
        if (safehost.length !== hostname.length) {
            res.statusCode = 400;
            res.end("Malformed HTTP Header: 'Host: " + hostname + "'");
            return;
        }

        // Note: This sanitize function is also called on plain sockets, which don't need Domain Fronting checks
        if (req.socket.encrypted) {
            if (req.socket && "string" === typeof req.socket.servername) {
                // Workaround for https://github.com/nodejs/node/issues/22389
                if (!SanitizeHost._checkServername(safehost, req.socket)) {
                    res.statusCode = 400;
                    res.setHeader("Content-Type", "text/html; charset=utf-8");
                    res.end(
                        "<h1>Domain Fronting Error</h1>" +
                            "<p>This connection was secured using TLS/SSL for '" +
                            (req.socket.servername || "").toLowerCase() +
                            "'</p>" +
                            "<p>The HTTP request specified 'Host: " +
                            safehost +
                            "', which is (obviously) different.</p>" +
                            "<p>Because this looks like a domain fronting attack, the connection has been terminated.</p>"
                    );
                    return;
                }
            }
            /*
      else if (safehost && !gl._skip_fronting_check) {

				// We used to print a log message here, but it turns out that it's
				// really common for IoT devices to not use SNI (as well as many bots
				// and such).
				// It was common for the log message to pop up as the first request
				// to the server, and that was confusing. So instead now we do nothing.

				//console.warn("no string for req.socket.servername," + " skipping fronting check for '" + safehost + "'");
				//gl._skip_fronting_check = true;
			}
      */
        }

        // carry on
        realNext();
    };
};

var warnDomainFronting = true;
var warnUnexpectedError = true;
SanitizeHost._checkServername = function(safeHost, tlsSocket) {
    var servername = (tlsSocket.servername || "").toLowerCase();

    // acceptable: older IoT devices may lack SNI support
    if (!servername) {
        return true;
    }
    // acceptable: odd... but acceptable
    if (!safeHost) {
        return true;
    }
    if (safeHost === servername) {
        return true;
    }

    if ("function" !== typeof tlsSocket.getCertificate) {
        // domain fronting attacks allowed
        if (warnDomainFronting) {
            // https://github.com/nodejs/node/issues/24095
            console.warn(
                "Warning: node " +
                    process.version +
                    " is vulnerable to domain fronting attacks. Please use node v11.2.0 or greater."
            );
            warnDomainFronting = false;
        }
        return true;
    }

    // connection established with servername and session is re-used for allowed name
    // See https://github.com/nodejs/node/issues/24095
    var cert = tlsSocket.getCertificate();
    try {
        // TODO optimize / cache?
        // *should* always have a string, right?
        // *should* always be lowercase already, right?
        //console.log(safeHost, cert.subject.CN, cert.subjectaltname);
        var isSubject = (cert.subject.CN || "").toLowerCase() === safeHost;
        if (isSubject) {
            return true;
        }

        var dnsnames = (cert.subjectaltname || "").split(/,\s+/);
        var inSanList = dnsnames.some(function(name) {
            // always prefixed with "DNS:"
            return safeHost === name.slice(4).toLowerCase();
        });

        if (inSanList) {
            return true;
        }
    } catch (e) {
        // not sure what else to do in this situation...
        if (warnUnexpectedError) {
            console.warn("Warning: encoutered error while performing domain fronting check: " + e.message);
            warnUnexpectedError = false;
        }
        return true;
    }

    return false;
};