flo/nsupdate.info
1
0
Fork 0
Code Issues 1 Pull Requests 2 Packages Releases Activity

Merge pull request #429 from ThomasWaldmann/bad-hosts

Browse Source 
add BAD_HOSTS setting for nasty clients
This commit is contained in:
TW 2019-04-15 19:07:56 +02:00 committed by GitHub
commit abeefaedb9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/nsupdate/api/views.py
View File

@ -27,14 +27,14 @@ from ..main.dnstools import (FQDN, update, delete, check_ip, put_ip_into_session
from ..main.iptools import normalize_ip from ..main.iptools import normalize_ip
def Response(content): def Response(content, status=200):
""" """
shortcut for text/plain HttpResponse shortcut for text/plain HttpResponse
:param content: plain text content for the response :param content: plain text content for the response
:return: HttpResonse object :return: HttpResponse object
""" """
return HttpResponse(content, content_type='text/plain') return HttpResponse(content, status=status, content_type='text/plain')
@log.logger(__name__) @log.logger(__name__)
@ -210,6 +210,8 @@ class NicUpdateView(View):
:return: HttpResponse object :return: HttpResponse object
""" """
hostname = request.GET.get('hostname') hostname = request.GET.get('hostname')
if hostname in settings.BAD_HOSTS:
return Response('abuse', status=403)
auth = request.META.get('HTTP_AUTHORIZATION') auth = request.META.get('HTTP_AUTHORIZATION')
if auth is None: if auth is None:
# logging this at debug level because otherwise it fills our logs... # logging this at debug level because otherwise it fills our logs...
@ -219,6 +221,8 @@ class NicUpdateView(View):
if '.' not in username: # username MUST be the fqdn if '.' not in username: # username MUST be the fqdn
# specifically point to configuration errors on client side # specifically point to configuration errors on client side
return Response('notfqdn') return Response('notfqdn')
if username in settings.BAD_HOSTS:
return Response('abuse', status=403)
host = check_api_auth(username, password) host = check_api_auth(username, password)
if host is None: if host is None:
return basic_challenge("authenticate to update DNS", 'badauth') return basic_challenge("authenticate to update DNS", 'badauth')

6
src/nsupdate/settings/base.py
View File

@ -51,6 +51,12 @@ BAD_AGENTS = set([]) # list can have str elements
from netaddr import IPSet, IPAddress, IPNetwork from netaddr import IPSet, IPAddress, IPNetwork
BAD_IPS_HOST = IPSet([]) # inner list can have IPAddress and IPNetwork elements BAD_IPS_HOST = IPSet([]) # inner list can have IPAddress and IPNetwork elements
# when encountering these hostnames (fqdn), block them early/silently from
# api usage. avoid any database access, so if someone tries to update
# every 5s, the database won't be locked all the time and we can at least
# delete the host from django admin.
BAD_HOSTS = set([])
# nameservers used e.g. for MX lookups in the registration email validation. # nameservers used e.g. for MX lookups in the registration email validation.
# google / cloudflare DNS IPs are only given as example / fallback - # google / cloudflare DNS IPs are only given as example / fallback -
# please configure your own nameservers in your local settings file. # please configure your own nameservers in your local settings file.