TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-12 00:47:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request from GHSA-2wmj-46rj-qm2w

Browse Source 
* fix: find instance by original domain

* return instance not found on invalid origin

* test: ensure correct host validation

* test: instance not found is translated
This commit is contained in:
Elio Bischof
2023-11-29 11:57:47 +01:00
committed by GitHub
parent ef11609142
commit 11d7a8ce61
2 changed files with 80 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
internal/api/http/middleware/instance_interceptor.go
View File

@@ -5,6 +5,7 @@ import (
"errors"
"fmt"
"net/http"
"net/url"
"strings"
"github.com/rakyll/statik/fs"
@@ -12,6 +13,7 @@ import (
"golang.org/x/text/language"
"github.com/zitadel/zitadel/internal/api/authz"
zitadel_http "github.com/zitadel/zitadel/internal/api/http"
caos_errors "github.com/zitadel/zitadel/internal/errors"
"github.com/zitadel/zitadel/internal/i18n"
"github.com/zitadel/zitadel/internal/telemetry/tracing"
@@ -73,7 +75,7 @@ func setInstance(r *http.Request, verifier authz.InstanceVerifier, headerName st
host, err := HostFromRequest(r, headerName)
if err != nil {
return nil, err
return nil, caos_errors.ThrowNotFound(err, "INST-zWq7X", "Errors.Instance.NotFound")
}
instance, err := verifier.InstanceByHost(authCtx, host)
@@ -84,17 +86,39 @@ func setInstance(r *http.Request, verifier authz.InstanceVerifier, headerName st
return authz.WithInstance(ctx, instance), nil
}
func HostFromRequest(r *http.Request, headerName string) (string, error) {
host := r.Host
func HostFromRequest(r *http.Request, headerName string) (host string, err error) {
if headerName != "host" {
host = r.Header.Get(headerName)
return hostFromSpecialHeader(r, headerName)
}
return hostFromOrigin(r.Context())
}
func hostFromSpecialHeader(r *http.Request, headerName string) (host string, err error) {
host = r.Header.Get(headerName)
if host == "" {
return "", fmt.Errorf("host header `%s` not found", headerName)
}
return host, nil
}
func hostFromOrigin(ctx context.Context) (host string, err error) {
defer func() {
if err != nil {
err = fmt.Errorf("invalid origin: %w", err)
}
}()
origin := zitadel_http.ComposedOrigin(ctx)
u, err := url.Parse(origin)
if err != nil {
return "", err
}
host = u.Hostname()
if host == "" {
err = errors.New("empty host")
}
return host, err
}
func newZitadelTranslator() *i18n.Translator {
dir, err := fs.NewWithNamespace("zitadel")
logging.WithFields("namespace", "zitadel").OnError(err).Panic("unable to get namespace")