From 137edd97922e77bd6e394083029fe23c88f34f0e Mon Sep 17 00:00:00 2001
From: Kai Reinhard <K.Reinhard@micromata.de>
Date: Sun, 16 Dec 2018 09:15:00 +0000
Subject: [PATCH] Paranoid checking: Jetty is bound to localhost, but it is now additionally checked that the remote address of the client is also localhost, for security reasons.

---
 borgbutler-server/src/main/java/de/micromata/borgbutler/server/user/UserFilter.java |   17 +++++++++++++++--
 1 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/borgbutler-server/src/main/java/de/micromata/borgbutler/server/user/UserFilter.java b/borgbutler-server/src/main/java/de/micromata/borgbutler/server/user/UserFilter.java
index 36f0583..df4b45c 100644
--- a/borgbutler-server/src/main/java/de/micromata/borgbutler/server/user/UserFilter.java
+++ b/borgbutler-server/src/main/java/de/micromata/borgbutler/server/user/UserFilter.java
@@ -4,12 +4,13 @@
 import org.slf4j.LoggerFactory;
 
 import javax.servlet.*;
-import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
 
 /**
  * Ensuring the user data inside request threads. For now, it's only a simple implementation (no login required).
  * Only the user's (client's) locale is used.
+ * <br>
+ * For requests from remote (not localhost) an exception is thrown due to security reasons.
  */
 public class UserFilter implements Filter {
     private Logger log = LoggerFactory.getLogger(UserFilter.class);
@@ -20,7 +21,19 @@
 
     @Override
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
-        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
+        String remoteAddr = request.getRemoteAddr();
+        if (remoteAddr == null || !remoteAddr.equals("127.0.0.1")) {
+            log.warn("****************************************");
+            log.warn("***********                   **********");
+            log.warn("*********** SECURITY WARNING! **********");
+            log.warn("***********                   **********");
+            log.warn("*********** Externa access:   **********");
+            log.warn("*********** " + remoteAddr + " **********");
+            log.warn("***********                   **********");
+            log.warn("****************************************");
+            log.warn("Only access from local host yet supported due to security reasons.");
+            throw new RuntimeException("Server is only available for localhost due to security reasons. A remote access is not yet available.");
+        }
         try {
             UserData userData = UserUtils.getUser();
             if (userData != null) {
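Review bot: The equality test `!remoteAddr.equals("127.0.0.1")` only accepts the IPv4 loopback literal, so a client that reaches the listener over IPv6 loopback (`::1`, reported by Jetty as `0:0:0:0:0:0:0:1`) is rejected, and the rejection path throws a RuntimeException out of the filter, which surfaces as a 500 with a stack trace instead of a deliberate 403. Replacing the literal comparison with `InetAddress.getByName(remoteAddr).isLoopbackAddress()` covers both address families (getByName performs no DNS lookup for an IP literal), and sending `SC_FORBIDDEN` and returning keeps the rest of the chain from running; that needs `java.net.InetAddress`, `java.net.UnknownHostException` and `javax.servlet.http.HttpServletResponse` imported, the last of which replaces the `HttpServletRequest` import this patch removes. The log lines should also use SLF4J placeholders rather than string concatenation. One caveat the hunk cannot settle: `getRemoteAddr()` is only trustworthy if Jetty is not configured to rewrite it from `X-Forwarded-For` (ForwardedRequestCustomizer), which is worth stating in the Javadoc. The body of `doFilter` continues past the hunk.
```java
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        String remoteAddr = request.getRemoteAddr();
        boolean loopback = false;
        if (remoteAddr != null) {
            try {
                // Accepts 127.0.0.0/8 as well as ::1; no DNS lookup for an IP literal.
                loopback = InetAddress.getByName(remoteAddr).isLoopbackAddress();
            } catch (UnknownHostException ignored) {
                // Not a parseable address: treat as remote and reject below.
            }
        }
        if (!loopback) {
            log.warn("SECURITY WARNING! Rejected non-local access from {}. Only access from localhost is supported.", remoteAddr);
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Server is only available for localhost due to security reasons. A remote access is not yet available.");
            return;
        }
        // … unchanged: user data / locale handling …
```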

--
Gitblit v1.10.0