# Map proxy enhancement

* adds whitelisting for map proxy hosts
2024-12-23 11:08:41 +01:00 · 2024-12-23 11:08:41 +01:00 · d677ac6b5a
commit d677ac6b5a
parent 9149e4cbd3
3 changed files with 19 additions and 0 deletions
--- a/.env.sample
+++ b/.env.sample
@ -24,6 +24,7 @@ DEFAULT_FROM_EMAIL=service@ksp.de

 # Proxy
 PROXY=CHANGE_ME
+MAP_PROXY_HOST_WHITELIST=CHANGE_ME_1,CHANGE_ME_2
 GEOPORTAL_RLP_USER=CHANGE_ME
 GEOPORTAL_RLP_PASSWORD=CHANGE_ME

--- a/konova/sub_settings/lanis_settings.py
+++ b/konova/sub_settings/lanis_settings.py
@ -5,6 +5,7 @@ Contact: michel.peltriaux@sgdnord.rlp.de
 Created on: 31.01.22

 """
+from konova.sub_settings.django_settings import env

 # MAPS
 DEFAULT_LAT = 50.00
@ -28,3 +29,6 @@ LANIS_ZOOM_LUT = {
    1000: 30,
    500: 31,
 }
+
+MAP_PROXY_HOST_WHITELIST = env.list("MAP_PROXY_HOST_WHITELIST")
+i = 0
--- a/konova/views/map_proxy.py
+++ b/konova/views/map_proxy.py
@ -9,6 +9,7 @@ import json
 from json import JSONDecodeError

 import requests
+import urllib3.util
 from django.contrib.auth.decorators import login_required
 from django.http import JsonResponse, HttpRequest
 from django.utils.decorators import method_decorator
@ -18,6 +19,7 @@ from django.utils.translation import gettext_lazy as _

 from requests.auth import HTTPDigestAuth

+from konova.sub_settings.lanis_settings import MAP_PROXY_HOST_WHITELIST
 from konova.sub_settings.proxy_settings import PROXIES, GEOPORTAL_RLP_USER, GEOPORTAL_RLP_PASSWORD


@ -32,6 +34,13 @@ class BaseClientProxyView(View):
    def dispatch(self, request, *args, **kwargs):
        return super().dispatch(request, *args, **kwargs)

+    def _check_with_whitelist(self, url):
+        parsed_url = urllib3.util.parse_url(url)
+        parsed_url_host = parsed_url.host
+        whitelist = set(MAP_PROXY_HOST_WHITELIST)
+        is_allowed = parsed_url_host in whitelist
+        return is_allowed
+
    def perform_url_call(self, url, headers={}, auth=None):
        """ Generic proxied call

@ -59,6 +68,11 @@ class ClientProxyParcelSearch(BaseClientProxyView):

    def get(self, request: HttpRequest):
        url = request.META.get("QUERY_STRING")
+
+        is_url_allowed = self._check_with_whitelist(url)
+        if not is_url_allowed:
+            raise PermissionError(f"Proxied url '{url}' is not allowed!")
+
        content, response_code = self.perform_url_call(url)
        try:
            body = json.loads(content)