fix: Updated settings.py to dynamically populate ALLOWED_HOSTS using domains from the Django sites.

appsembler / edx-platform

Appsembler Tahoe fork of Open edX. Branches: `main` for Juniper and `hawthorn/main` for Hawthorn.

https://appsembler.com/products/tahoe/

GNU Affero General Public License v3.0

13 stars 15 forks source link

fix: Updated settings.py to dynamically populate ALLOWED_HOSTS using domains from the Django sites. #1384

Open amirtds opened 10 months ago

amirtds commented 10 months ago

Change description

We received a security report highlighting a Host Header Injection vulnerability due to the use of a wildcard '*' in our ALLOWED_HOSTS setting. This configuration could lead to open redirects and other security risks.

I have modified settings.py to dynamically construct the ALLOWED_HOSTS list using domain names from our Django sites to ensures that only valid domains are served.

Changes:

Removed the wildcard '*' from ALLOWED_HOSTS.
Populated ALLOWED_HOSTS with domain names fetched from the Site model.
Ensured ENV_TOKENS['LMS_BASE'] and FEATURES['PREVIEW_LMS_BASE'] are included in ALLOWED_HOSTS if they are valid.
Added checks to prevent empty strings in ALLOWED_HOSTS.

Type of change

[x] Bug fix (fixes an issue)
[ ] New feature (adds functionality)

Related issues

Fix [#1]()

Checklists

Development

[ ] Lint rules pass locally
[ ] Application changes have been tested thoroughly
[ ] Automated tests covering modified code pass

Security

[ ] Security impact of change has been considered
[ ] Code follows company security practices and guidelines

Code review

[ ] Pull request has a descriptive title and context useful to a reviewer. Screenshots or screencasts are attached as necessary
[ ] "Ready for review" label attached and reviewers assigned
[ ] Changes have been reviewed by at least one other contributor
[ ] Pull request linked to task tracker where applicable

github-actions[bot] commented 10 months ago

Checking git merge conflicts against https://github.com/edx/edx-platform.git

Comparing with	`open-release/nutmeg.master`
Benchmark conflicts with `main`	299
Current conflicts	301
Summary	Adds 2 new conflicts. How can we do better?

New conflicting files with 'open-release/nutmeg.master'

``` lms/envs/production.py ```

Comparing with	`master`
Benchmark conflicts with `main`	320
Current conflicts	322
Summary	Adds 2 new conflicts. How can we do better?

New conflicting files with 'master'

``` lms/envs/production.py ```

github-actions[bot] commented 10 months ago

Checking git merge conflicts against https://github.com/edx/edx-platform.git

Comparing with	`open-release/nutmeg.master`
Benchmark conflicts with `main`	299
Current conflicts	301
Summary	Adds 2 new conflicts. How can we do better?

New conflicting files with 'open-release/nutmeg.master'

``` lms/envs/production.py ```

Comparing with	`master`
Benchmark conflicts with `main`	320
Current conflicts	322
Summary	Adds 2 new conflicts. How can we do better?

New conflicting files with 'master'

``` lms/envs/production.py ```

github-actions[bot] commented 10 months ago

Checking git merge conflicts against https://github.com/edx/edx-platform.git

Comparing with	`open-release/nutmeg.master`
Benchmark conflicts with `main`	299
Current conflicts	299
Summary	Good work! No added conflicts.

Comparing with	`master`
Benchmark conflicts with `main`	320
Current conflicts	320
Summary	Good work! No added conflicts.

github-actions[bot] commented 10 months ago

Checking git merge conflicts against https://github.com/edx/edx-platform.git

Comparing with	`open-release/nutmeg.master`
Benchmark conflicts with `main`	299
Current conflicts	299
Summary	Good work! No added conflicts.

Comparing with	`master`
Benchmark conflicts with `main`	320
Current conflicts	320
Summary	Good work! No added conflicts.

github-actions[bot] commented 10 months ago

Checking git merge conflicts against https://github.com/edx/edx-platform.git

Comparing with	`open-release/nutmeg.master`
Benchmark conflicts with `main`	299
Current conflicts	299
Summary	Good work! No added conflicts.

Comparing with	`master`
Benchmark conflicts with `main`	320
Current conflicts	320
Summary	Good work! No added conflicts.

github-actions[bot] commented 10 months ago

Checking git merge conflicts against https://github.com/edx/edx-platform.git

Comparing with	`open-release/nutmeg.master`
Benchmark conflicts with `main`	299
Current conflicts	299
Summary	Good work! No added conflicts.

Comparing with	`master`
Benchmark conflicts with `main`	320
Current conflicts	320
Summary	Good work! No added conflicts.

github-actions[bot] commented 10 months ago

Checking git merge conflicts against https://github.com/edx/edx-platform.git

Comparing with	`open-release/nutmeg.master`
Benchmark conflicts with `main`	299
Current conflicts	299
Summary	Good work! No added conflicts.

Comparing with	`master`
Benchmark conflicts with `main`	320
Current conflicts	320
Summary	Good work! No added conflicts.

github-actions[bot] commented 9 months ago

Checking git merge conflicts against https://github.com/edx/edx-platform.git

Comparing with	`open-release/nutmeg.master`
Benchmark conflicts with `main`	299
Current conflicts	299
Summary	Good work! No added conflicts.

Comparing with	`master`
Benchmark conflicts with `main`	319
Current conflicts	319
Summary	Good work! No added conflicts.

github-actions[bot] commented 9 months ago

Checking git merge conflicts against https://github.com/edx/edx-platform.git

Comparing with	`open-release/nutmeg.master`
Benchmark conflicts with `main`	299
Current conflicts	299
Summary	Good work! No added conflicts.

Comparing with	`master`
Benchmark conflicts with `main`	319
Current conflicts	319
Summary	Good work! No added conflicts.

bryanlandia commented 9 months ago

@amirtds

Looks like the Docker build for checks is failing because py2neo is now End of Life and there are no longer any releases in GitHub for https://github.com/technige/py2neo

We'll need to update in another PR first. Maybe been fixed upstream so will check

bryanlandia commented 9 months ago

Yes will cherrypick https://github.com/openedx/edx-platform/commit/1db6867edfdf06856d2576504dede908bee6a893

bryanlandia commented 9 months ago

Waiting on merge to main of https://github.com/appsembler/edx-platform/pull/1387

github-actions[bot] commented 9 months ago

Checking git merge conflicts against https://github.com/edx/edx-platform.git

Comparing with	`open-release/nutmeg.master`
Benchmark conflicts with `main`	299
Current conflicts	299
Summary	Good work! No added conflicts.

Comparing with	`master`
Benchmark conflicts with `main`	318
Current conflicts	318
Summary	Good work! No added conflicts.

amirtds commented 7 months ago

Hi @bryanlandia I added same settings for CMS as well, could you please take a look when you have some time

github-actions[bot] commented 7 months ago

Checking git merge conflicts against https://github.com/edx/edx-platform.git

Comparing with	`open-release/nutmeg.master`
Benchmark conflicts with `main`	299
Current conflicts	299
Summary	Good work! No added conflicts.

Comparing with	`master`
Benchmark conflicts with `main`	318
Current conflicts	318
Summary	Good work! No added conflicts.

github-actions[bot] commented 7 months ago

Checking git merge conflicts against https://github.com/edx/edx-platform.git

Comparing with	`open-release/nutmeg.master`
Benchmark conflicts with `main`	299
Current conflicts	299
Summary	Good work! No added conflicts.

Comparing with	`master`
Benchmark conflicts with `main`	318
Current conflicts	318
Summary	Good work! No added conflicts.