[
https://issues.apache.org/jira/browse/NIFI-4761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16331678#comment-16331678
]
ASF GitHub Bot commented on NIFI-4761:
--------------------------------------
Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2415#discussion_r162529074
--- Diff:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java
---
@@ -71,14 +87,124 @@ public HostHeaderHandler(String serverName, int
serverPort) {
logger.info("Created " + this.toString());
}
+ /**
+ * Instantiates a handler which accepts incoming requests with a host
header that is empty or contains one of the
+ * valid hosts. See the Apache NiFi Admin Guide for instructions on
how to set valid hostnames and IP addresses.
+ *
+ * @param niFiProperties the NiFiProperties
+ */
+ public HostHeaderHandler(NiFiProperties niFiProperties) {
+ this.serverName =
Objects.requireNonNull(determineServerHostname(niFiProperties));
+ this.serverPort = determineServerPort(niFiProperties);
+
+ // Default values across generic instances
+ List<String> hosts = generateDefaultHostnames(niFiProperties);
+
+ // The value from nifi.web.http|https.host
+ hosts.add(serverName.toLowerCase());
+ hosts.add(serverName.toLowerCase() + ":" + serverPort);
+
+ // The value(s) from nifi.web.proxy.host
+ hosts.addAll(parseCustomHostnames(niFiProperties));
+
+ // Different from customizer -- empty is ok here
+ hosts.add("");
+
+ this.validHosts = uniqueList(hosts);
+ logger.info("Determined {} valid hostnames and IP addresses for
incoming headers: {}", new Object[]{validHosts.size(),
StringUtils.join(validHosts, ", ")});
+
+ logger.debug("Created " + this.toString());
+ }
+
+ /**
+ * Returns the list of parsed custom hostnames from {@code
nifi.web.proxy.host} in {@link NiFiProperties}.
+ * This list is deduplicated (if a host {@code somehost.com:1234} is
provided, it will show twice, as the "portless"
+ * version {@code somehost.com} is also generated). IPv6 addresses are
only modified if they adhere to the strict
+ * formatting using {@code []} around the address as specified in RFC
5952 Section 6 (i.e.
+ * {@code [1234.5678.90AB.CDEF.1234.5678.90AB.CDEF]:1234} will insert
+ * {@code [1234.5678.90AB.CDEF.1234.5678.90AB.CDEF]} as well).
+ *
+ * @param niFiProperties the properties object
+ * @returnj the list of parsed custom hostnames
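Review bot: In the new `HostHeaderHandler(NiFiProperties)` constructor, `hosts.add("")` puts the empty string on the list that incoming Host headers are checked against, and the only explanation is the comment "Different from customizer -- empty is ok here". Please state in that comment or in the constructor Javadoc why an empty Host value is acceptable for this handler, so the exception is a documented decision and not an unexplained entry in the allow-list. Two smaller points in the same hunk: `serverName.toLowerCase()` is called twice with the default locale, so computing the lowercase value once with `toLowerCase(Locale.ROOT)` would keep the entries independent of the JVM locale. The Javadoc for the custom hostname parser also says the list "is deduplicated" and in the same sentence that a host with a port "will show twice", which reads as a contradiction. Its IPv6 example `[1234.5678.90AB.CDEF.1234.5678.90AB.CDEF]:1234` separates the groups with dots where an IPv6 literal uses colons, and `@returnj` should be `@return`.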
--- End diff --
Typo in Javadoc.
> Allow whitelisting expected Host values
> ---------------------------------------
>
> Key: NIFI-4761
> URL: https://issues.apache.org/jira/browse/NIFI-4761
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Reporter: Matt Gilman
> Assignee: Andy LoPresto
> Priority: Major
>
> NiFi has been updated to only accept requests where the Host header contains
> an expected value. Currently, the expected values are driven by the .host
> properties in nifi.properties. When running behind a proxy, the value may be
> the proxy host if the headers simply pass through. In this scenario, we
> should offer the ability to whitelist values in case updating the proxy
> configuration isn't possible.
> Also, the proxy documentation in the admin guide should be updated to include
> details regarding the Host name whitelisting. Also, should verify the context
> path whitelisting is documented there.