rajnandan1 / kener

Kener is a Modern Self hosted Status Page, batteries included
https://kener.ing/
MIT License

Security with header X-Forwarded-For and API_TOKEN #90

Open thib3113 opened 6 months ago

thib3113 commented 6 months ago

Please add some security points to this project.

First, this part https://github.com/rajnandan1/kener/blob/3264e864263cccdd5ec42c06d9ec30b3d5ebc6a7/src/lib/server/webhook.js#L47-L50

allows a user to fake the IP.

Creating the query with curl, you can add your custom X-Forwarded-For, and so fake the sender IP.

You need to trust the headers x-forwarded-for or x-real-ip only if remoteAddress is a trusted reverse proxy. So you need to add an env to set the list of trusted reverse proxies, and check it.


Second, please don't use API_TOKEN in clear. It's really better to set a hash in the env variable, and in your script you can check if the hash matches the sent Bearer.

You can easily use bcrypt, and you can easily find a bcrypt generator online to get a hash.

This is not the best solution, but better than setting the password in clear in the env... Also, you can use Docker file environment vars, which allow using a secret - example on the mongodb image.

rajnandan1 commented 3 months ago

Hi @thib3113, can you raise a PR with the desired fixes?