geonetwork / core-geonetwork

GeoNetwork is a catalog application to manage spatially referenced resources. It provides powerful metadata editing and search functions as well as an interactive web map viewer. It is currently used in numerous Spatial Data Infrastructure initiatives across the world.
http://geonetwork-opensource.org/
GNU General Public License v2.0

Out-of-band resource load (HTTP) #2001

Open lfrz opened 7 years ago

lfrz commented 7 years ago

software component: GeoNetwork (opensource)
version: 3.2.1.0
test date: 21.04.2017

concerned parameter:

/./proxy?url=http%3a%2f%2fn3r2z6ef1olo1igqbhvhqimbj2psdi19ozco.vie01.local%2fat.lfrz.discoveryservices%2fsrv%2fde%2fcsw202%3fservice%3dCSW%26request%3dGetCapabilities%26version%3d2.0.2

/./proxy?url=http://www.xxxx.at%2fat.xxxx.discoveryservices%2fsrv%2fde%2fcsw202%3fservice%3dCSW%26request%3dGetCapabilities%26version%3d2.0.2

Proof-of-concept: During a proxy request, a URL is attached, which is resolved via DNS by the system. Additionally, it is possible to request any URL.

josegar74 commented 7 years ago

In latest version the proxy servlet was replaced by https://github.com/mitre/HTTP-Proxy-Servlet.

The previous code allowed restricting a list of allowed hosts, but this one seems to have only a targetUri, not much configurable.

I guess an option could be to disable it in https://github.com/geonetwork/core-geonetwork/blob/develop/web/src/main/webResources/WEB-INF/web.xml#L342-L358 and rely on CORS, but it needs testing. Maybe other developers can confirm if this would be feasible.

The proxy afaik is used mainly from Ajax code to retrieve GetCapabilities documents in the map viewer and OGC/CSW harvesters.

fxprunayre commented 7 years ago

See example on how to restrict to specific host/requests https://github.com/geonetwork/core-geonetwork/blob/develop/web/src/main/webapp/WEB-INF/config-security/config-security-mapping.xml#L41

pvgenuchten commented 7 years ago

@josegar74 although the use of CORS would be strongly advisable to all data providers, it is in my opinion too early to remove a proxy-option.

@fxprunayre thank you for posting that option to secure the proxy; personally I'd say this option is quite hidden. Personally I'd suggest adding it as a parameter 'allowed-hosts' on admin>settings, and by default closing it for all hosts.
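The mitigation proposed in this thread, a deny-by-default allow-list of hosts the proxy may fetch from, is easy to get wrong (credentials in the authority, IP literals, case and trailing-dot variants, duplicated parameters). The following is an added illustration of that check written for this page; it is not GeoNetwork's code and not the MITRE proxy servlet. `ALLOWED_HOSTS`, `proxy_target_from_query`, `is_allowed_target` and `check_proxy_request` are names chosen for the example, and the hosts in the allow-list are constructed.

```python
"""Deny-by-default host allow-list for a server-side fetch proxy.

Added example, not GeoNetwork project code. The proxy discussed in the
thread takes a caller-supplied ?url= parameter and fetches it from the
server, so anything not explicitly allow-listed must be refused.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list for this example (assumption: an operator would
# populate it from an 'allowed-hosts' setting). Empty means "proxy closed".
ALLOWED_HOSTS = frozenset({"www.example.org", "csw.example.net"})
ALLOWED_SCHEMES = frozenset({"http", "https"})


def proxy_target_from_query(query_string):
    """Return the decoded url= value as a servlet container would see it.

    A missing or duplicated url= parameter returns None: refusing to guess
    which copy the backend would honour avoids parameter-pollution bypasses.
    """
    values = parse_qs(query_string, keep_blank_values=True).get("url")
    if not values or len(values) != 1:
        return None
    return values[0]


def is_allowed_target(raw_url, allowed_hosts=ALLOWED_HOSTS):
    """True only if raw_url is an http(s) URL whose host is allow-listed.

    Every failure path returns False; there is no fall-through to allow.
    """
    if not allowed_hosts:
        return False
    try:
        parts = urlsplit(raw_url)
        parts.port  # raises ValueError for non-numeric or out-of-range ports
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # 'http://www.example.org@other.host/' parses with hostname other.host;
    # reject any userinfo rather than reason about it.
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False
    # A name allow-list never matches an IP literal (v4 or bracketed v6).
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return host in allowed_hosts


def check_proxy_request(query_string, allowed_hosts=ALLOWED_HOSTS):
    """Decision for one proxy request: (allowed, decoded target or None)."""
    target = proxy_target_from_query(query_string)
    if target is None:
        return False, None
    return is_allowed_target(target, allowed_hosts), target


if __name__ == "__main__":
    # Constructed request in the same shape as the one reported in the issue.
    q = ("url=http%3a%2f%2fwww.example.org%2fsrv%2fcsw%3fservice%3dCSW"
         "%26request%3dGetCapabilities%26version%3d2.0.2")
    print(check_proxy_request(q))
    print(check_proxy_request("url=http%3a%2f%2fcanary.example.invalid%2f"))
```

The decision is made on the exact host string rather than on a regular expression or a substring match, and an empty allow-list closes the proxy entirely, which matches the "closed for all hosts by default" behaviour suggested above. Logging the rejected target at the point where `check_proxy_request` returns `False` gives a cheap detection signal for probing of the proxy endpoint.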

Delawen commented 7 years ago

Maybe we can add dynamically a value: https://stackoverflow.com/a/31875117/469932

pvgenuchten commented 6 years ago

I updated the documentation a bit to explain the option to limit the accessible domains. https://github.com/geonetwork/doc/blob/develop/source/administrator-guide/configuring-the-catalog/system-configuration.rst However personally I would: