Changes to API (hestiacp#2325)

jaapmarcus · web-flow · commit b02ec862d788 · 2022-01-13T11:38:00.000+01:00
1. Validate hash 2. Remove 127.0.0.1 from default allowed ip adresses @numanturle 3. Restrict 127.0.0.1 to be passed trough spoofed headers @numanturle
diff --git a/bin/v-add-sys-pma-sso b/bin/v-add-sys-pma-sso
@@ -109,6 +109,10 @@ fi
 
 $BIN/v-change-sys-config-value 'PHPMYADMIN_KEY' "$phpmyadminkey"
 
+if [  "$(echo $API_ALLOWED_IP | grep 127.0.0.1)" != "127.0.0.1" ]; then 
+    $BIN/v-add-sys-api-ip "127.0.0.1"
+fi
+
 #----------------------------------------------------------#
 #                       Logging                            #
 #----------------------------------------------------------#
diff --git a/bin/v-revoke-api-key b/bin/v-revoke-api-key
@@ -24,6 +24,10 @@ source_conf "$HESTIA/conf/hestia.conf"
 
 hash=$1
 
+args_usage='HASH'
+check_args '1' "$#" "$args_usage"
+is_format_valid 'hash'
+
 # Perform verification if read-only mode is enabled
 check_hestia_demo_mode
 
diff --git a/web/api/index.php b/web/api/index.php
@@ -2,36 +2,49 @@
 define('HESTIA_CMD', '/usr/bin/sudo /usr/local/hestia/bin/');
 //die("Error: Disabled");
 
+function check_local_ip($addr){
+    if(in_array($addr, array($_SERVER['SERVER_ADDR'], '127.0.0.1'))){
+        return true;
+    }else{
+        return false;
+    }
+}
+
 function get_real_user_ip(){
     $ip = $_SERVER['REMOTE_ADDR'];
-    if(isset($_SERVER['HTTP_CLIENT_IP'])){
+    if(isset($_SERVER['HTTP_CLIENT_IP']) && !check_local_ip($_SERVER['HTTP_CLIENT_IP'])) {
+        if (filter_var($_SERVER['HTTP_CLIENT_IP'], FILTER_VALIDATE_IP)){
         $ip = $_SERVER['HTTP_CLIENT_IP'];
+        }
     }
-    if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
+    
+    if(isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !check_local_ip($_SERVER['HTTP_X_FORWARDED_FOR'])) {
         if (filter_var($_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP)){
             $ip =  $_SERVER['HTTP_X_FORWARDED_FOR'];
         }
     }
-    if(isset($_SERVER['HTTP_FORWARDED_FOR'])){
+    
+    if(isset($_SERVER['HTTP_FORWARDED_FOR']) && !check_local_ip($_SERVER['HTTP_FORWARDED_FOR'])) {
         if (filter_var($_SERVER['HTTP_FORWARDED_FOR'], FILTER_VALIDATE_IP)){
             $ip =  $_SERVER['HTTP_FORWARDED_FOR'];
         }
     }
-    if(isset($_SERVER['HTTP_X_FORWARDED'])){
+    
+    if(isset($_SERVER['HTTP_X_FORWARDED']) && !check_local_ip($_SERVER['HTTP_X_FORWARDED'])) {
         if (filter_var($_SERVER['HTTP_X_FORWARDED'], FILTER_VALIDATE_IP)){
             $ip =  $_SERVER['HTTP_X_FORWARDED'];
         }
     }
-    if(isset($_SERVER['HTTP_FORWARDED'])){
+    
+    if(isset($_SERVER['HTTP_FORWARDED']) && !check_local_ip($_SERVER['HTTP_FORWARDED'])) {
         if (filter_var($_SERVER['HTTP_FORWARDED'], FILTER_VALIDATE_IP)){
             $ip =  $_SERVER['HTTP_FORWARDED'];
         }
     }
-    if(isset($_SERVER['HTTP_CF_CONNECTING_IP'])){
-        if(!empty($_SERVER['HTTP_CF_CONNECTING_IP'])){
-            if (filter_var($_SERVER['HTTP_FORWARDED'], FILTER_VALIDATE_IP)){
-                $ip = $_SERVER['HTTP_CF_CONNECTING_IP'];
-            }
+    
+    if(isset($_SERVER['HTTP_CF_CONNECTING_IP']) && !check_local_ip($_SERVER['HTTP_CF_CONNECTING_IP'])) {
+        if (filter_var($_SERVER['HTTP_CF_CONNECTING_IP'], FILTER_VALIDATE_IP)){
+            $ip = $_SERVER['HTTP_CF_CONNECTING_IP'];
         }
     }
     return $ip;
@@ -47,7 +60,7 @@ function api($hst_hash, $hst_user, $hst_password, $hst_returncode, $hst_cmd, $hs
     }
     if ( $settings['config']['API_ALLOWED_IP'] != 'allow-all' ){
         $ip_list = explode(',',$settings['config']['API_ALLOWED_IP']);
-        $ip_list[] = '127.0.0.1';
+        $ip_list[] = '';
         if ( !in_array(get_real_user_ip(), $ip_list)){
            echo 'Error: IP is not allowed to connect with API';
            exit; 
