Pull request: 4970-error-415
Updates AdguardTeam#4970.

Squashed commit of the following:

commit 10365d9
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Fri Sep 30 14:23:06 2022 +0300

    all: imp docs, names

commit cff1103
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Fri Sep 30 14:02:38 2022 +0300

    home: imp content-type check
ainar-g authored and heyxkhoa committed Mar 17, 2023
1 parent fa3869f commit 0da0932
Showing 7 changed files with 122 additions and 60 deletions.
17 changes: 15 additions & 2 deletions CHANGELOG.md
Expand Up @@ -15,6 +15,19 @@ and this project adheres to
## [v0.108.0] - TBA (APPROX.)
-->

### Security

- As an additional CSRF protection measure, AdGuard Home now ensures that
requests that change its state but have no body (such as `POST
/control/stats_reset` requests) do not have a `Content-Type` header set on
them ([#4970]).

### Fixed

- `only application/json is allowed` errors in various APIs ([#4970]).

[#4970]: https://github.com/AdguardTeam/AdGuardHome/issues/4970



<!--
Expand Down Expand Up @@ -63,8 +76,8 @@ bodies are documented in `openapi/openapi.yaml` and `openapi/CHANGELOG.md`.

#### Stricter Content-Type Checks (BREAKING API CHANGE)

All JSON APIs now check if the request actually has the `application/json`
content-type.
All JSON APIs that expect a body now check if the request actually has
`Content-Type` set to `application/json`.

#### Other Security Changes

36 changes: 7 additions & 29 deletions client/src/api/Api.js
Expand Up @@ -10,11 +10,17 @@ class Api {
async makeRequest(path, method = 'POST', config) {
const url = `${this.baseUrl}/${path}`;

const axiosConfig = config || {};
if (method !== 'GET' && axiosConfig.data) {
axiosConfig.headers = axiosConfig.headers || {};
axiosConfig.headers['Content-Type'] = axiosConfig.headers['Content-Type'] || 'application/json';
}

try {
const response = await axios({
url,
method,
...config,
...axiosConfig,
});
return response.data;
} catch (error) {
Expand Down Expand Up @@ -55,7 +61,6 @@ class Api {
const { path, method } = this.GLOBAL_TEST_UPSTREAM_DNS;
const config = {
data: servers,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, config);
}
Expand All @@ -64,7 +69,6 @@ class Api {
const { path, method } = this.GLOBAL_VERSION;
const config = {
data,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, config);
}
Expand Down Expand Up @@ -100,7 +104,6 @@ class Api {
const { path, method } = this.FILTERING_REFRESH;
const parameters = {
data: config,
headers: { 'Content-Type': 'application/json' },
};

return this.makeRequest(path, method, parameters);
Expand All @@ -110,7 +113,6 @@ class Api {
const { path, method } = this.FILTERING_ADD_FILTER;
const parameters = {
data: config,
headers: { 'Content-Type': 'application/json' },
};

return this.makeRequest(path, method, parameters);
Expand All @@ -120,7 +122,6 @@ class Api {
const { path, method } = this.FILTERING_REMOVE_FILTER;
const parameters = {
data: config,
headers: { 'Content-Type': 'application/json' },
};

return this.makeRequest(path, method, parameters);
Expand All @@ -130,7 +131,6 @@ class Api {
const { path, method } = this.FILTERING_SET_RULES;
const parameters = {
data: rules,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, parameters);
}
Expand All @@ -139,7 +139,6 @@ class Api {
const { path, method } = this.FILTERING_CONFIG;
const parameters = {
data: config,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, parameters);
}
Expand All @@ -148,7 +147,6 @@ class Api {
const { path, method } = this.FILTERING_SET_URL;
const parameters = {
data: config,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, parameters);
}
Expand Down Expand Up @@ -239,7 +237,6 @@ class Api {
const { path, method } = this.CHANGE_LANGUAGE;
const parameters = {
data: config,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, parameters);
}
Expand Down Expand Up @@ -275,7 +272,6 @@ class Api {
const { path, method } = this.DHCP_SET_CONFIG;
const parameters = {
data: config,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, parameters);
}
Expand All @@ -284,7 +280,6 @@ class Api {
const { path, method } = this.DHCP_FIND_ACTIVE;
const parameters = {
data: req,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, parameters);
}
Expand All @@ -293,7 +288,6 @@ class Api {
const { path, method } = this.DHCP_ADD_STATIC_LEASE;
const parameters = {
data: config,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, parameters);
}
Expand All @@ -302,7 +296,6 @@ class Api {
const { path, method } = this.DHCP_REMOVE_STATIC_LEASE;
const parameters = {
data: config,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, parameters);
}
Expand Down Expand Up @@ -333,7 +326,6 @@ class Api {
const { path, method } = this.INSTALL_CONFIGURE;
const parameters = {
data: config,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, parameters);
}
Expand All @@ -342,7 +334,6 @@ class Api {
const { path, method } = this.INSTALL_CHECK_CONFIG;
const parameters = {
data: config,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, parameters);
}
Expand All @@ -363,7 +354,6 @@ class Api {
const { path, method } = this.TLS_CONFIG;
const parameters = {
data: config,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, parameters);
}
Expand All @@ -372,7 +362,6 @@ class Api {
const { path, method } = this.TLS_VALIDATE;
const parameters = {
data: config,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, parameters);
}
Expand All @@ -397,7 +386,6 @@ class Api {
const { path, method } = this.ADD_CLIENT;
const parameters = {
data: config,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, parameters);
}
Expand All @@ -406,7 +394,6 @@ class Api {
const { path, method } = this.DELETE_CLIENT;
const parameters = {
data: config,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, parameters);
}
Expand All @@ -415,7 +402,6 @@ class Api {
const { path, method } = this.UPDATE_CLIENT;
const parameters = {
data: config,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, parameters);
}
Expand All @@ -440,7 +426,6 @@ class Api {
const { path, method } = this.ACCESS_SET;
const parameters = {
data: config,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, parameters);
}
Expand All @@ -461,7 +446,6 @@ class Api {
const { path, method } = this.REWRITE_ADD;
const parameters = {
data: config,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, parameters);
}
Expand All @@ -470,7 +454,6 @@ class Api {
const { path, method } = this.REWRITE_DELETE;
const parameters = {
data: config,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, parameters);
}
Expand All @@ -496,7 +479,6 @@ class Api {
const { path, method } = this.BLOCKED_SERVICES_SET;
const parameters = {
data: config,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, parameters);
}
Expand Down Expand Up @@ -524,7 +506,6 @@ class Api {
const { path, method } = this.STATS_CONFIG;
const config = {
data,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, config);
}
Expand Down Expand Up @@ -560,7 +541,6 @@ class Api {
const { path, method } = this.QUERY_LOG_CONFIG;
const config = {
data,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, config);
}
Expand All @@ -577,7 +557,6 @@ class Api {
const { path, method } = this.LOGIN;
const config = {
data,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, config);
}
Expand All @@ -604,7 +583,6 @@ class Api {
const { path, method } = this.SET_DNS_CONFIG;
const config = {
data,
headers: { 'Content-Type': 'application/json' },
};
return this.makeRequest(path, method, config);
}
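Review bot: The new guard in makeRequest, `if (method !== 'GET' && axiosConfig.data)`, decides by truthiness, so a body of `0`, `false` or `''` would be sent with no `Content-Type` and, given the stricter server-side check this commit introduces, presumably be rejected with 415; `if (method !== 'GET' && axiosConfig.data != null) {` sets the header for any present body while still omitting it on body-less state-changing requests, which is the CSRF point of the change. The same lines also write `headers` back into the caller's `config` object rather than into a copy; `const axiosConfig = { ...config };` avoids that mutation (none of the visible callers reuses a config object, so this is a robustness point, not a live bug). The header lookup is case-sensitive, so a caller passing `'content-type'` in lowercase would get a second, differently-cased header added — no visible caller does this. makeRequest's body and the enclosing class Api continue outside the hunk.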
2 changes: 1 addition & 1 deletion internal/aghhttp/aghhttp.go
Expand Up @@ -33,7 +33,7 @@ func OK(w http.ResponseWriter) {
// Error writes formatted message to w and also logs it.
func Error(r *http.Request, w http.ResponseWriter, code int, format string, args ...any) {
text := fmt.Sprintf(format, args...)
log.Error("%s %s: %s", r.Method, r.URL, text)
log.Error("%s %s %s: %s", r.Method, r.Host, r.URL, text)
http.Error(w, text, code)
}

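Review bot: The `r.Host` added to the log line in Error is the client-supplied Host header (or HTTP/2 :authority), so the logged value is attacker-chosen; as far as I recall Go's net/http server rejects Host values containing control characters, so this is not a CRLF log-injection vector, but anyone grepping these logs to diagnose the 415 errors should treat the host as untrusted input rather than as the server's own address. The doc comment above should also say what is now logged, e.g. `// Error writes formatted message to w and also logs it along with the request's method, host, and URL.`. Error is shown in full within the hunk.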
2 changes: 1 addition & 1 deletion internal/aghhttp/header.go
Expand Up @@ -8,8 +8,8 @@ package aghhttp
const (
HdrNameAcceptEncoding = "Accept-Encoding"
HdrNameAccessControlAllowOrigin = "Access-Control-Allow-Origin"
HdrNameContentType = "Content-Type"
HdrNameContentEncoding = "Content-Encoding"
HdrNameContentType = "Content-Type"
HdrNameServer = "Server"
HdrNameTrailer = "Trailer"
HdrNameUserAgent = "User-Agent"