Pull request: 4970-error-415

Updates #4970. Squashed commit of the following: commit 10365d9c8474e9d9735f581fb32b2892b2153cc4 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Fri Sep 30 14:23:06 2022 +0300 all: imp docs, names commit cff1103a0618a6430dc91e7e018febbf313c12ba Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Fri Sep 30 14:02:38 2022 +0300 home: imp content-type check
2024-11-21 20:45:33 +03:00 · 2022-09-30 14:41:25 +03:00 · 2022-09-30 14:41:25 +03:00 · 4d404b887f
commit 4d404b887f
parent 7b48863041
7 changed files with 122 additions and 60 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -15,6 +15,19 @@ and this project adheres to
 ## [v0.108.0] - TBA (APPROX.)
 -->

+### Security
+
+- As an additional CSRF protection measure, AdGuard Home now ensures that
+  requests that change its state but have no body (such as `POST
+  /control/stats_reset` requests) do not have a `Content-Type` header set on
+  them ([#4970]).
+
+### Fixed
+
+- `only application/json is allowed` errors in various APIs ([#4970]).
+
+[#4970]: https://github.com/AdguardTeam/AdGuardHome/issues/4970
+


 <!--
@ -63,8 +76,8 @@ bodies are documented in `openapi/openapi.yaml` and `openapi/CHANGELOG.md`.

 #### Stricter Content-Type Checks (BREAKING API CHANGE)

-All JSON APIs now check if the request actually has the `application/json`
-content-type.
+All JSON APIs that expect a body now check if the request actually has
+`Content-Type` set to `application/json`.

 #### Other Security Changes

--- a/client/src/api/Api.js
+++ b/client/src/api/Api.js
@ -10,11 +10,17 @@ class Api {
    async makeRequest(path, method = 'POST', config) {
        const url = `${this.baseUrl}/${path}`;

+        const axiosConfig = config || {};
+        if (method !== 'GET' && axiosConfig.data) {
+            axiosConfig.headers = axiosConfig.headers || {};
+            axiosConfig.headers['Content-Type'] = axiosConfig.headers['Content-Type'] || 'application/json';
+        }
+
        try {
            const response = await axios({
                url,
                method,
-                ...config,
+                ...axiosConfig,
            });
            return response.data;
        } catch (error) {
@ -55,7 +61,6 @@ class Api {
        const { path, method } = this.GLOBAL_TEST_UPSTREAM_DNS;
        const config = {
            data: servers,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, config);
    }
@ -64,7 +69,6 @@ class Api {
        const { path, method } = this.GLOBAL_VERSION;
        const config = {
            data,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, config);
    }
@ -100,7 +104,6 @@ class Api {
        const { path, method } = this.FILTERING_REFRESH;
        const parameters = {
            data: config,
-            headers: { 'Content-Type': 'application/json' },
        };

        return this.makeRequest(path, method, parameters);
@ -110,7 +113,6 @@ class Api {
        const { path, method } = this.FILTERING_ADD_FILTER;
        const parameters = {
            data: config,
-            headers: { 'Content-Type': 'application/json' },
        };

        return this.makeRequest(path, method, parameters);
@ -120,7 +122,6 @@ class Api {
        const { path, method } = this.FILTERING_REMOVE_FILTER;
        const parameters = {
            data: config,
-            headers: { 'Content-Type': 'application/json' },
        };

        return this.makeRequest(path, method, parameters);
@ -130,7 +131,6 @@ class Api {
        const { path, method } = this.FILTERING_SET_RULES;
        const parameters = {
            data: rules,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, parameters);
    }
@ -139,7 +139,6 @@ class Api {
        const { path, method } = this.FILTERING_CONFIG;
        const parameters = {
            data: config,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, parameters);
    }
@ -148,7 +147,6 @@ class Api {
        const { path, method } = this.FILTERING_SET_URL;
        const parameters = {
            data: config,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, parameters);
    }
@ -239,7 +237,6 @@ class Api {
        const { path, method } = this.CHANGE_LANGUAGE;
        const parameters = {
            data: config,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, parameters);
    }
@ -275,7 +272,6 @@ class Api {
        const { path, method } = this.DHCP_SET_CONFIG;
        const parameters = {
            data: config,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, parameters);
    }
@ -284,7 +280,6 @@ class Api {
        const { path, method } = this.DHCP_FIND_ACTIVE;
        const parameters = {
            data: req,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, parameters);
    }
@ -293,7 +288,6 @@ class Api {
        const { path, method } = this.DHCP_ADD_STATIC_LEASE;
        const parameters = {
            data: config,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, parameters);
    }
@ -302,7 +296,6 @@ class Api {
        const { path, method } = this.DHCP_REMOVE_STATIC_LEASE;
        const parameters = {
            data: config,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, parameters);
    }
@ -333,7 +326,6 @@ class Api {
        const { path, method } = this.INSTALL_CONFIGURE;
        const parameters = {
            data: config,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, parameters);
    }
@ -342,7 +334,6 @@ class Api {
        const { path, method } = this.INSTALL_CHECK_CONFIG;
        const parameters = {
            data: config,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, parameters);
    }
@ -363,7 +354,6 @@ class Api {
        const { path, method } = this.TLS_CONFIG;
        const parameters = {
            data: config,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, parameters);
    }
@ -372,7 +362,6 @@ class Api {
        const { path, method } = this.TLS_VALIDATE;
        const parameters = {
            data: config,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, parameters);
    }
@ -397,7 +386,6 @@ class Api {
        const { path, method } = this.ADD_CLIENT;
        const parameters = {
            data: config,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, parameters);
    }
@ -406,7 +394,6 @@ class Api {
        const { path, method } = this.DELETE_CLIENT;
        const parameters = {
            data: config,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, parameters);
    }
@ -415,7 +402,6 @@ class Api {
        const { path, method } = this.UPDATE_CLIENT;
        const parameters = {
            data: config,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, parameters);
    }
@ -440,7 +426,6 @@ class Api {
        const { path, method } = this.ACCESS_SET;
        const parameters = {
            data: config,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, parameters);
    }
@ -461,7 +446,6 @@ class Api {
        const { path, method } = this.REWRITE_ADD;
        const parameters = {
            data: config,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, parameters);
    }
@ -470,7 +454,6 @@ class Api {
        const { path, method } = this.REWRITE_DELETE;
        const parameters = {
            data: config,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, parameters);
    }
@ -496,7 +479,6 @@ class Api {
        const { path, method } = this.BLOCKED_SERVICES_SET;
        const parameters = {
            data: config,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, parameters);
    }
@ -524,7 +506,6 @@ class Api {
        const { path, method } = this.STATS_CONFIG;
        const config = {
            data,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, config);
    }
@ -560,7 +541,6 @@ class Api {
        const { path, method } = this.QUERY_LOG_CONFIG;
        const config = {
            data,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, config);
    }
@ -577,7 +557,6 @@ class Api {
        const { path, method } = this.LOGIN;
        const config = {
            data,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, config);
    }
@ -604,7 +583,6 @@ class Api {
        const { path, method } = this.SET_DNS_CONFIG;
        const config = {
            data,
-            headers: { 'Content-Type': 'application/json' },
        };
        return this.makeRequest(path, method, config);
    }
--- a/internal/aghhttp/aghhttp.go
+++ b/internal/aghhttp/aghhttp.go
@ -33,7 +33,7 @@ func OK(w http.ResponseWriter) {
 // Error writes formatted message to w and also logs it.
 func Error(r *http.Request, w http.ResponseWriter, code int, format string, args ...any) {
 	text := fmt.Sprintf(format, args...)
-	log.Error("%s %s: %s", r.Method, r.URL, text)
+	log.Error("%s %s %s: %s", r.Method, r.Host, r.URL, text)
 	http.Error(w, text, code)
 }

--- a/internal/aghhttp/header.go
+++ b/internal/aghhttp/header.go
@ -8,8 +8,8 @@ package aghhttp
 const (
 	HdrNameAcceptEncoding           = "Accept-Encoding"
 	HdrNameAccessControlAllowOrigin = "Access-Control-Allow-Origin"
-	HdrNameContentType              = "Content-Type"
 	HdrNameContentEncoding          = "Content-Encoding"
+	HdrNameContentType              = "Content-Type"
 	HdrNameServer                   = "Server"
 	HdrNameTrailer                  = "Trailer"
 	HdrNameUserAgent                = "User-Agent"
--- a/internal/home/control.go
+++ b/internal/home/control.go
@ -8,6 +8,7 @@ import (
 	"net/url"
 	"runtime"
 	"strings"
+	"time"

 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
@ -97,16 +98,16 @@ func collectDNSAddresses() (addrs []string, err error) {

 // statusResponse is a response for /control/status endpoint.
 type statusResponse struct {
+	Version             string   `json:"version"`
+	Language            string   `json:"language"`
 	DNSAddrs            []string `json:"dns_addresses"`
 	DNSPort             int      `json:"dns_port"`
 	HTTPPort            int      `json:"http_port"`
 	IsProtectionEnabled bool     `json:"protection_enabled"`
 	// TODO(e.burkov): Inspect if front-end doesn't requires this field as
 	// openapi.yaml declares.
-	IsDHCPAvailable bool   `json:"dhcp_available"`
-	IsRunning       bool   `json:"running"`
-	Version         string `json:"version"`
-	Language        string `json:"language"`
+	IsDHCPAvailable bool `json:"dhcp_available"`
+	IsRunning       bool `json:"running"`
 }

 func handleStatus(w http.ResponseWriter, r *http.Request) {
@ -125,12 +126,12 @@ func handleStatus(w http.ResponseWriter, r *http.Request) {
 		defer config.RUnlock()

 		resp = statusResponse{
+			Version:   version.Version(),
 			DNSAddrs:  dnsAddrs,
 			DNSPort:   config.DNS.Port,
 			HTTPPort:  config.BindPort,
-			IsRunning: isRunning(),
-			Version:   version.Version(),
 			Language:  config.Language,
+			IsRunning: isRunning(),
 		}
 	}()

@ -196,29 +197,26 @@ func httpRegister(method, url string, handler http.HandlerFunc) {
 	Context.mux.Handle(url, postInstallHandler(optionalAuthHandler(gziphandler.GzipHandler(ensureHandler(method, handler)))))
 }

-// ----------------------------------
-// helper functions for HTTP handlers
-// ----------------------------------
-func ensure(method string, handler func(http.ResponseWriter, *http.Request)) func(http.ResponseWriter, *http.Request) {
+// ensure returns a wrapped handler that makes sure that the request has the
+// correct method as well as additional method and header checks.
+func ensure(
+	method string,
+	handler func(http.ResponseWriter, *http.Request),
+) (wrapped func(http.ResponseWriter, *http.Request)) {
 	return func(w http.ResponseWriter, r *http.Request) {
-		log.Debug("%s %v", r.Method, r.URL)
+		start := time.Now()
+		m, u := r.Method, r.URL
+		log.Debug("started %s %s %s", m, r.Host, u)
+		defer func() { log.Debug("finished %s %s %s in %s", m, r.Host, u, time.Since(start)) }()

-		if r.Method != method {
-			aghhttp.Error(r, w, http.StatusMethodNotAllowed, "only %s is allowed", method)
+		if m != method {
+			aghhttp.Error(r, w, http.StatusMethodNotAllowed, "only method %s is allowed", method)

 			return
 		}

-		if method == http.MethodPost || method == http.MethodPut || method == http.MethodDelete {
-			if r.Header.Get(aghhttp.HdrNameContentType) != aghhttp.HdrValApplicationJSON {
-				aghhttp.Error(
-					r,
-					w,
-					http.StatusUnsupportedMediaType,
-					"only %s is allowed",
-					aghhttp.HdrValApplicationJSON,
-				)
-
+		if modifiesData(m) {
+			if !ensureContentType(w, r) {
 				return
 			}

@ -230,6 +228,42 @@ func ensure(method string, handler func(http.ResponseWriter, *http.Request)) fun
 	}
 }

+// modifiesData returns true if m is an HTTP method that can modify data.
+func modifiesData(m string) (ok bool) {
+	return m == http.MethodPost || m == http.MethodPut || m == http.MethodDelete
+}
+
+// ensureContentType makes sure that the content type of a data-modifying
+// request is set correctly.  If it is not, ensureContentType writes a response
+// to w, and ok is false.
+func ensureContentType(w http.ResponseWriter, r *http.Request) (ok bool) {
+	const statusUnsup = http.StatusUnsupportedMediaType
+
+	cType := r.Header.Get(aghhttp.HdrNameContentType)
+	if r.ContentLength == 0 {
+		if cType == "" {
+			return true
+		}
+
+		// Assume that browsers always send a content type when submitting HTML
+		// forms and require no content type for requests with no body to make
+		// sure that the request comes from JavaScript.
+		aghhttp.Error(r, w, statusUnsup, "empty body with content-type %q not allowed", cType)
+
+		return false
+
+	}
+
+	const wantCType = aghhttp.HdrValApplicationJSON
+	if cType == wantCType {
+		return true
+	}
+
+	aghhttp.Error(r, w, statusUnsup, "only content-type %s is allowed", wantCType)
+
+	return false
+}
+
 func ensurePOST(handler func(http.ResponseWriter, *http.Request)) func(http.ResponseWriter, *http.Request) {
 	return ensure(http.MethodPost, handler)
 }
--- a/openapi/CHANGELOG.md
+++ b/openapi/CHANGELOG.md
@ -6,6 +6,28 @@



+## v0.107.15: `POST` Requests Without Bodies
+
+As an additional CSRF protection measure, AdGuard Home now ensures that requests
+that change its state but have no body do not have a `Content-Type` header set
+on them.
+
+This concerns the following APIs:
+
+* `POST /control/dhcp/reset_leases`;
+* `POST /control/dhcp/reset`;
+* `POST /control/parental/disable`;
+* `POST /control/parental/enable`;
+* `POST /control/querylog_clear`;
+* `POST /control/safebrowsing/disable`;
+* `POST /control/safebrowsing/enable`;
+* `POST /control/safesearch/disable`;
+* `POST /control/safesearch/enable`;
+* `POST /control/stats_reset`;
+* `POST /control/update`.
+
+
+
 ## v0.107.14: BREAKING API CHANGES

 A Cross-Site Request Forgery (CSRF) vulnerability has been discovered.  We have
@ -13,6 +35,9 @@ implemented several measures to prevent such vulnerabilities in the future, but
 some of these measures break backwards compatibility for the sake of better
 protection.

+All JSON APIs that expect a body now check if the request actually has
+`Content-Type` set to `application/json`.
+
 All new formats for the request and response bodies are documented in
 `openapi.yaml`.

--- a/openapi/openapi.yaml
+++ b/openapi/openapi.yaml
@ -601,11 +601,10 @@
      'summary': 'Set user-defined filter rules'
      'requestBody':
        'content':
-          'text/plain':
+          'application/json':
            'schema':
-              'type': 'string'
-              'example': '@@||yandex.ru^|'
-        'description': 'All filtering rules, one line per rule'
+              '$ref': '#/components/schemas/SetRulesRequest'
+        'description': 'Custom filtering rules.'
      'responses':
        '200':
          'description': 'OK.'
@ -1538,6 +1537,19 @@
      'properties':
        'updated':
          'type': 'integer'
+    'SetRulesRequest':
+      'description': 'Custom filtering rules setting request.'
+      'example':
+        'rules':
+        - '||example.com^'
+        - '# comment'
+        - '@@||www.example.com^'
+      'properties':
+        'rules':
+          'items':
+            'type': 'string'
+          'type': 'array'
+      'type': 'object'
    'GetVersionRequest':
      'type': 'object'
      'description': '/version.json request data'