ruby-on-rails – Rails: HOST Header Attack vulnerability
Author: Internet
I care a great deal about the security of the web applications I build, so I have been running a variety of scanning tools against each of my apps.
While everything that could be handled on the programming side, and by ready-made components such as Active Record, has been taken care of, there is one issue I keep getting alerts about, and I don't know where to start fixing it.
I run Unicorn behind Nginx with Rails 4.1. The alert I keep getting is:
An attacker can manipulate the Host header as seen by the
web application and cause the application to behave in
unexpected ways. Developers often resort to the exceedingly
untrustworthy HTTP Host header (_SERVER["HTTP_HOST"] in PHP).
Even otherwise-secure applications trust this value enough to
write it to the page without HTML-encoding it with code equivalent to:
<link href="https://_SERVER['HOST']" (Joomla)
...and append secret keys and tokens to links containing it:
(Django, Gallery, others)
....and even directly import scripts from it:
(Various)
It issues the following recommendation:
The web application should use the SERVER_NAME instead
of the Host header. It should also create a dummy vhost
that catches all requests with unrecognized Host headers.
This can also be done under Nginx by specifying a non-wildcard
SERVER_NAME, and under Apache by using a non-wildcard serverName
and turning the UseCanonicalName directive on. Consult references
for detailed information.
Of course, in any case... as far as I know this vulnerability is usually harmless, but depending on the kind of web application it may be harmful.
What should I do to stop this attack? Thanks for any advice.
Solution:
I found a way to work around the behaviour and stop getting the alert. I don't know whether it is the best way, so comments, suggestions and new answers are welcome.
Here goes.
application_controller.rb
    class ApplicationController < ActionController::Base
      before_action :debug_headers

      private

      # Drop the forwarded-host variable before Rails uses it for URL generation.
      # Hash#except! comes from ActiveSupport, which Rails loads.
      def debug_headers
        if request.env['HTTP_X_FORWARDED_HOST']
          request.env.except!('HTTP_X_FORWARDED_HOST') # just drop the variable
        end
      end # def
    end # class
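The scanner's advice is to catch every request with an unrecognized Host header, which the answer above approximates by dropping X-Forwarded-Host inside the controller. The same rule can be enforced for both headers at the Rack layer with an explicit allow-list, so a request whose Host (or forwarded host) is not one the app is actually served under never reaches a controller. The following middleware is an added example written for this page, not code from the question, the answer, or Rails itself; the hostnames example.com and www.example.com and the OK_APP downstream application are constructed for the demonstration.

```ruby
# Added example (not from the original post): a Rack-style middleware that
# rejects requests whose Host or X-Forwarded-Host header is not on an
# explicit allow-list. Only the Rack calling convention is assumed; no gems.
class HostAuthorization
  # allowed: the hostnames this application is actually served under
  # (assumed values; replace with the real ones in config/application.rb).
  def initialize(app, allowed:)
    @app = app
    @allowed = allowed.map(&:downcase)
  end

  def call(env)
    # Rack exposes the Host header as HTTP_HOST. A reverse proxy such as
    # Nginx may also add X-Forwarded-Host, which Rails prefers for URL
    # generation, so both must be checked, not just Host.
    host = env['HTTP_HOST'].to_s
    return reject if host.empty? # no Host at all: treat like an unknown vhost

    candidates = [host, env['HTTP_X_FORWARDED_HOST']].compact
    return reject unless candidates.all? { |value| allowed?(value) }

    @app.call(env)
  end

  private

  def allowed?(header_value)
    # X-Forwarded-Host may carry a comma-separated chain of hops; every
    # entry must match after removing an optional :port suffix.
    header_value.split(',').all? do |entry|
      hostname = entry.strip.downcase.sub(/:\d+\z/, '')
      @allowed.include?(hostname)
    end
  end

  def reject
    # Mirrors the "dummy vhost" advice: unrecognized hosts get a bare 400
    # with no application content, links, or scripts built from the header.
    [400, { 'Content-Type' => 'text/plain' }, ["Bad Request: unrecognized Host\n"]]
  end
end

# Constructed downstream app standing in for the Rails application.
OK_APP = ->(env) { [200, { 'Content-Type' => 'text/plain' }, ["hello from #{env['HTTP_HOST']}\n"]] }

def guarded_app
  HostAuthorization.new(OK_APP, allowed: ['example.com', 'www.example.com']) # assumed hostnames
end

# Builds a minimal Rack env from the given header hash and returns the status.
def status_for(headers)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/' }.merge(headers)
  guarded_app.call(env).first
end

if __FILE__ == $PROGRAM_NAME
  puts status_for('HTTP_HOST' => 'www.example.com')                                            # 200
  puts status_for('HTTP_HOST' => 'example.com:443')                                             # 200
  puts status_for('HTTP_HOST' => 'evil.example.net')                                            # 400
  puts status_for('HTTP_HOST' => 'example.com', 'HTTP_X_FORWARDED_HOST' => 'evil.example.net')  # 400
end
```

In a Rails app this would be registered with config.middleware.insert_before on the existing stack so it runs before routing; the allow-list belongs in configuration rather than in the controller, and the 400 response deliberately carries nothing derived from the offending header, which is what makes the scanner's "secret tokens appended to links" and "scripts imported from the host" cases moot.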
Tags: ruby-on-rails, nginx, security, ruby-on-rails-4 Source: https://codeday.me/bug/20190825/1714437.html