Open irfanasyraf opened 5 days ago
Thanks for your observation.
I will ask for someone to review this.
Can you clarify what you mean?
Redirect here should be (and is) handled by the webserver in front, not Rocket.Chat itself.
Hi team,
My Rocketchat Application is fronted by an AWS ALB so I might redirect it using WAF rules before it reaches the instance where my server is hosted.
I was just wondering if there is any such feature where I can just 'whitelist' my rocketchat domain from rocketchat settings itself when a host header injection is being done.
Thank you and appreciate the help!
For reference this was your post on forums:
https://forums.rocket.chat/t/edit-content-security-policy/20212
From this post I note that your server is air gapped as well?
https://forums.rocket.chat/t/disable-concurrent-login/20208
This sort of information is really important.
My Rocketchat Application is fronted by an AWS ALB so I might redirect it using WAF rules before it reaches the instance where my server is hosted.
I'm wondering if this is more to do with your own setup than it is to do with Rocket.
Description:
Make a request directly to the following host via HTTP (Port 80) with an arbitrary domain in the "Host" header.
e.g. curl -v -k -H "Host: test123.com" https://"rocketchat domain"
Observe the redirect to the inserted domain.
Expected behavior:
The redirect should not happen based on the "Host" header value and it should be rejected.
The web application profile is specifically bound to the correct host name to ensure that arbitrary host names sent to the web server will not reach the application. When validating the host headers, a whitelist approach where only allowed domains are declared should be preferred over a blacklist.
Actual behavior:
It was observed that the user is redirected based on the "Host" header value.
Server Setup Information:
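As an added example (not Rocket.Chat's code nor the reporter's), this is the allowlist check the expected-behaviour section describes, applied by the front-end webserver on port 80 before it redirects to HTTPS; the hostnames and the 421 status for unknown hosts are assumptions:

```javascript
// Added example (not Rocket.Chat code): validate the Host header against an
// allowlist before issuing an HTTP->HTTPS redirect, so the Location header is
// built from a known canonical host and never echoes the client-supplied value.
// The allowlist and canonical host below are constructed sample values.
const ALLOWED_HOSTS = new Set(["chat.example.com", "chat.example.org"]);
const CANONICAL_HOST = "chat.example.com";

// Normalise a raw Host header: lower-case, strip a trailing dot and an explicit
// port, keep IPv6 literals intact. Returns null when the value is unusable.
function normalizeHost(raw) {
  if (typeof raw !== "string" || raw.trim() === "") return null;
  let host = raw.trim().toLowerCase();
  if (host.startsWith("[")) {                 // IPv6 literal, e.g. [::1]:3000
    const end = host.indexOf("]");
    if (end === -1) return null;
    host = host.slice(0, end + 1);
  } else {
    host = host.split(":")[0];                // drop ":port"
  }
  if (host.endsWith(".")) host = host.slice(0, -1);
  // Reject anything that is not a plain hostname or IPv6 literal (slashes,
  // spaces, userinfo and similar are not valid here).
  return /^[a-z0-9.\-\[\]:]+$/.test(host) ? host : null;
}

function isAllowedHost(raw) {
  const host = normalizeHost(raw);
  return host !== null && ALLOWED_HOSTS.has(host);
}

// Simulated handler for the plain-HTTP (port 80) listener of the front-end
// webserver. Unknown hosts get 421 Misdirected Request instead of a redirect;
// allowed hosts are redirected to the canonical HTTPS origin, preserving the path.
function handlePlainHttp(req) {
  if (!isAllowedHost(req.headers.host)) {
    return { status: 421, headers: {}, body: "Misdirected Request" };
  }
  return {
    status: 301,
    headers: { Location: `https://${CANONICAL_HOST}${req.url}` },
    body: "",
  };
}
```

The same allowlist idea applies to X-Forwarded-Host when a proxy such as an ALB sits in front: only trust it after the proxy has already enforced its own host matching.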