Add middleware and setting for x-ingress-path interpretation

2023-06-04 15:26:17 +02:00 · 2023-06-04 15:26:17 +02:00 · 1a946a2228
parent 5bc79c2703
commit 1a946a2228
4 changed files with 60 additions and 2 deletions
--- a/babybuddy/middleware.py
+++ b/babybuddy/middleware.py
@ -2,11 +2,12 @@ from os import getenv
 from time import time

 import pytz
+from urllib.parse import urlunsplit, urlsplit

 from django.conf import settings
 from django.utils import timezone, translation
 from django.contrib.auth.middleware import RemoteUserMiddleware
-
+from django.http import HttpRequest

 class UserLanguageMiddleware:
    """
@ -88,3 +89,37 @@ class CustomRemoteUser(RemoteUserMiddleware):
    """

    header = getenv("PROXY_HEADER", "HTTP_REMOTE_USER")
+
+
+class HomeAssistant:
+    def __init__(self, get_response):
+        self.get_response = get_response
+        self.use_x_ingress_path_rewrite = settings.HOME_ASSISTANT_USE_X_INGRESS_PATH
+
+    def __call__(self, request: HttpRequest):
+        def wrap_x_ingress_path(org_func):
+            if request.headers.get("HTTP_X_HASS_SOURCE") != "core.ingress":
+                return org_func
+            x_ingress_path = request.headers.get("HTTP_X_INGRESS_PATH")
+            if x_ingress_path is None:
+                return org_func
+
+            def wrapper(*args, **kwargs):
+                url = org_func(*args, **kwargs)
+
+                url_parts = urlsplit(url)
+                url = urlunsplit(
+                    url_parts._replace(path=x_ingress_path + url_parts.path)
+                )
+
+                return url
+            return wrapper
+
+        if self.use_x_ingress_path_rewrite:
+            request.build_absolute_uri = wrap_x_ingress_path(
+                request.build_absolute_uri
+            )
+
+        return self.get_response(request)
+
+    
--- a/babybuddy/settings/base.py
+++ b/babybuddy/settings/base.py
@ -64,6 +64,7 @@ MIDDLEWARE = [
    "django.contrib.messages.middleware.MessageMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
    "axes.middleware.AxesMiddleware",
+    "babybuddy.middleware.HomeAssistant",
 ]


@ -351,9 +352,13 @@ ROLLING_SESSION_REFRESH = 86400
 DEFAULT_AUTO_FIELD = "django.db.models.AutoField"

 # Baby Buddy configuration
-# See README.md#configuration for details about these settings.
+# See https://docs.baby-buddy.net/ for details about these settings.

 BABY_BUDDY = {
    "ALLOW_UPLOADS": bool(strtobool(os.environ.get("ALLOW_UPLOADS") or "True")),
    "READ_ONLY_GROUP_NAME": "read_only",
 }
+
+# Home assistant specific configuration
+
+HOME_ASSISTANT_USE_X_INGRESS_PATH = False
--- a/docs/configuration/homeassistant.md
+++ b/docs/configuration/homeassistant.md
@ -0,0 +1,17 @@
+# Home Assistant
+
+## `HOME_ASSISTANT_USE_X_INGRESS_PATH`
+
+*Default:* `False`
+
+This setting should be set to `True` if babybuddy is hosted through the [ingress
+service of home assistant](https://developers.home-assistant.io/docs/add-ons/presentation/#ingress).
+
+This setting is necessary so that babybuddy can build correct absolute paths to
+itself when run in home assistant. The ingress routing of home assistant
+otherwise will obfuscate the true host-url and some functions, like the QR-code
+generator for coupling devices might not work correctly.
+
+**Do not enable this feature on other setups.** Attackers might be able to
+use this feature to redirect traffic in unexpected ways by manually adding
+`X-Ingress-Path` to the request URL.
--- a/mkdocs.yml
+++ b/mkdocs.yml
@ -19,6 +19,7 @@ nav:
    - 'configuration/email.md'
    - 'configuration/security.md'
    - 'configuration/storage.md'
+    - 'configuration/homeassistant.md'
  - 'User Guide':
    - 'user-guide/getting-started.md'
    - 'user-guide/managing-users.md'