Skip to content

Add check for Host Authorization middleware#1633

Open
p8 wants to merge 1 commit intopresidentbeef:mainfrom
p8:add-check-for-config-hosts-clear
Open

Add check for Host Authorization middleware#1633
p8 wants to merge 1 commit intopresidentbeef:mainfrom
p8:add-check-for-config-hosts-clear

Conversation

@p8
Copy link
Copy Markdown

@p8 p8 commented Aug 23, 2021

The Host Authorization middleware protects against DNS rebinding.
This middleware is primarily targeted at the development environment:

It is included in the development environment by default ... In other
environments Rails.application.config.hosts is empty and no Host header
checks will be done.
rails/rails#33145

If someone decides to call config.hosts.clear because it's "only
development", we should warn them they are vulnerable to DNS rebinding.

@p8
Add check for Host Authorization middleware
95f66bb 
The Host Authorization middleware protects against DNS rebinding.
This middleware is primarily targeted at the development environment:

> It is included in the development environment by default ... In other
environments Rails.application.config.hosts is empty and no Host header
checks will be done.
rails/rails#33145

If someone decides to call `config.hosts.clear` because it's "only
development", we should warn them they are vulnerable to DNS rebinding.
@p8 p8 force-pushed the add-check-for-config-hosts-clear branch from b9d6803 to 95f66bb Compare August 23, 2021 11:18
@presidentbeef
Copy link
Copy Markdown
Owner

presidentbeef commented Sep 18, 2021

Hi @p8, thank you for putting this together!

I am pretty sure Brakeman doesn't even look at config/development.rb, though. Only config/production.rb. 🤔

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@p8 @presidentbeef