From 389390b82ecfbb48e0486f8f132046ddf8624e00 Mon Sep 17 00:00:00 2001 From: Luke Pulverenti Date: Wed, 2 Jul 2014 00:57:18 -0400 Subject: fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser --- .../Net/AuthenticatedAttribute.cs | 41 ++++++++++++ MediaBrowser.Controller/Net/AuthorizationInfo.cs | 32 ++++++++++ MediaBrowser.Controller/Net/IAuthService.cs | 9 +++ .../Net/IAuthorizationContext.cs | 14 +++++ MediaBrowser.Controller/Net/IHasAuthorization.cs | 12 ++++ MediaBrowser.Controller/Net/IHasResultFactory.cs | 3 +- MediaBrowser.Controller/Net/IHasSession.cs | 12 ++++ MediaBrowser.Controller/Net/IRestfulService.cs | 1 + MediaBrowser.Controller/Net/ISessionContext.cs | 13 ++++ MediaBrowser.Controller/Net/LoggedAttribute.cs | 73 ++++++++++++++++++++++ 10 files changed, 208 insertions(+), 2 deletions(-) create mode 100644 MediaBrowser.Controller/Net/AuthenticatedAttribute.cs create mode 100644 MediaBrowser.Controller/Net/AuthorizationInfo.cs create mode 100644 MediaBrowser.Controller/Net/IAuthService.cs create mode 100644 MediaBrowser.Controller/Net/IAuthorizationContext.cs create mode 100644 MediaBrowser.Controller/Net/IHasAuthorization.cs create mode 100644 MediaBrowser.Controller/Net/IHasSession.cs create mode 100644 MediaBrowser.Controller/Net/ISessionContext.cs create mode 100644 MediaBrowser.Controller/Net/LoggedAttribute.cs (limited to 'MediaBrowser.Controller/Net') diff --git a/MediaBrowser.Controller/Net/AuthenticatedAttribute.cs b/MediaBrowser.Controller/Net/AuthenticatedAttribute.cs new file mode 100644 index 0000000000..567d20f39c --- /dev/null +++ b/MediaBrowser.Controller/Net/AuthenticatedAttribute.cs @@ -0,0 +1,41 @@ +using ServiceStack.Web; +using System; + +namespace MediaBrowser.Controller.Net +{ + public class AuthenticatedAttribute : Attribute, IHasRequestFilter + { + public IAuthService AuthService { get; set; } + + /// + /// The request filter is executed before the service. + /// + /// The http request wrapper + /// The http response wrapper + /// The request DTO + public void RequestFilter(IRequest request, IResponse response, object requestDto) + { + AuthService.Authenticate(request, response, requestDto); + } + + /// + /// A new shallow copy of this filter is used on every request. + /// + /// IHasRequestFilter. + public IHasRequestFilter Copy() + { + return this; + } + + /// + /// Order in which Request Filters are executed. + /// <0 Executed before global request filters + /// >0 Executed after global request filters + /// + /// The priority. + public int Priority + { + get { return 0; } + } + } +} diff --git a/MediaBrowser.Controller/Net/AuthorizationInfo.cs b/MediaBrowser.Controller/Net/AuthorizationInfo.cs new file mode 100644 index 0000000000..e609204d69 --- /dev/null +++ b/MediaBrowser.Controller/Net/AuthorizationInfo.cs @@ -0,0 +1,32 @@ + +namespace MediaBrowser.Controller.Net +{ + public class AuthorizationInfo + { + /// + /// Gets or sets the user identifier. + /// + /// The user identifier. + public string UserId { get; set; } + /// + /// Gets or sets the device identifier. + /// + /// The device identifier. + public string DeviceId { get; set; } + /// + /// Gets or sets the device. + /// + /// The device. + public string Device { get; set; } + /// + /// Gets or sets the client. + /// + /// The client. + public string Client { get; set; } + /// + /// Gets or sets the version. + /// + /// The version. + public string Version { get; set; } + } +} diff --git a/MediaBrowser.Controller/Net/IAuthService.cs b/MediaBrowser.Controller/Net/IAuthService.cs new file mode 100644 index 0000000000..41859395b6 --- /dev/null +++ b/MediaBrowser.Controller/Net/IAuthService.cs @@ -0,0 +1,9 @@ +using ServiceStack.Web; + +namespace MediaBrowser.Controller.Net +{ + public interface IAuthService + { + void Authenticate(IRequest request, IResponse response, object requestDto); + } +} diff --git a/MediaBrowser.Controller/Net/IAuthorizationContext.cs b/MediaBrowser.Controller/Net/IAuthorizationContext.cs new file mode 100644 index 0000000000..9cf5623700 --- /dev/null +++ b/MediaBrowser.Controller/Net/IAuthorizationContext.cs @@ -0,0 +1,14 @@ +using ServiceStack.Web; + +namespace MediaBrowser.Controller.Net +{ + public interface IAuthorizationContext + { + /// + /// Gets the authorization information. + /// + /// The request context. + /// AuthorizationInfo. + AuthorizationInfo GetAuthorizationInfo(IRequest requestContext); + } +} diff --git a/MediaBrowser.Controller/Net/IHasAuthorization.cs b/MediaBrowser.Controller/Net/IHasAuthorization.cs new file mode 100644 index 0000000000..6fc70159dd --- /dev/null +++ b/MediaBrowser.Controller/Net/IHasAuthorization.cs @@ -0,0 +1,12 @@ + +namespace MediaBrowser.Controller.Net +{ + public interface IHasAuthorization + { + /// + /// Gets or sets the authorization context. + /// + /// The authorization context. + IAuthorizationContext AuthorizationContext { get; set; } + } +} diff --git a/MediaBrowser.Controller/Net/IHasResultFactory.cs b/MediaBrowser.Controller/Net/IHasResultFactory.cs index a87113d1f4..3988b8d615 100644 --- a/MediaBrowser.Controller/Net/IHasResultFactory.cs +++ b/MediaBrowser.Controller/Net/IHasResultFactory.cs @@ -1,5 +1,4 @@ -using MediaBrowser.Common.Net; -using ServiceStack.Web; +using ServiceStack.Web; namespace MediaBrowser.Controller.Net { diff --git a/MediaBrowser.Controller/Net/IHasSession.cs b/MediaBrowser.Controller/Net/IHasSession.cs new file mode 100644 index 0000000000..e762c1e844 --- /dev/null +++ b/MediaBrowser.Controller/Net/IHasSession.cs @@ -0,0 +1,12 @@ + +namespace MediaBrowser.Controller.Net +{ + public interface IHasSession + { + /// + /// Gets or sets the session context. + /// + /// The session context. + ISessionContext SessionContext { get; set; } + } +} diff --git a/MediaBrowser.Controller/Net/IRestfulService.cs b/MediaBrowser.Controller/Net/IRestfulService.cs index f55012b734..7d07bb0941 100644 --- a/MediaBrowser.Controller/Net/IRestfulService.cs +++ b/MediaBrowser.Controller/Net/IRestfulService.cs @@ -5,6 +5,7 @@ namespace MediaBrowser.Controller.Net /// /// Interface IRestfulService /// + [Logged] public interface IRestfulService : IService { } diff --git a/MediaBrowser.Controller/Net/ISessionContext.cs b/MediaBrowser.Controller/Net/ISessionContext.cs new file mode 100644 index 0000000000..31ccd53731 --- /dev/null +++ b/MediaBrowser.Controller/Net/ISessionContext.cs @@ -0,0 +1,13 @@ +using MediaBrowser.Controller.Entities; +using MediaBrowser.Controller.Session; +using ServiceStack.Web; + +namespace MediaBrowser.Controller.Net +{ + public interface ISessionContext + { + SessionInfo GetSession(IRequest requestContext); + + User GetUser(IRequest requestContext); + } +} diff --git a/MediaBrowser.Controller/Net/LoggedAttribute.cs b/MediaBrowser.Controller/Net/LoggedAttribute.cs new file mode 100644 index 0000000000..6df72f7a7e --- /dev/null +++ b/MediaBrowser.Controller/Net/LoggedAttribute.cs @@ -0,0 +1,73 @@ +using MediaBrowser.Controller.Entities; +using MediaBrowser.Controller.Library; +using MediaBrowser.Controller.Session; +using MediaBrowser.Model.Logging; +using ServiceStack.Web; +using System; + +namespace MediaBrowser.Controller.Net +{ + public class LoggedAttribute : Attribute, IHasRequestFilter + { + public ILogger Logger { get; set; } + public IUserManager UserManager { get; set; } + public ISessionManager SessionManager { get; set; } + public IAuthorizationContext AuthorizationContext { get; set; } + + /// + /// The request filter is executed before the service. + /// + /// The http request wrapper + /// The http response wrapper + /// The request DTO + public void RequestFilter(IRequest request, IResponse response, object requestDto) + { + //This code is executed before the service + var auth = AuthorizationContext.GetAuthorizationInfo(request); + + if (auth != null) + { + User user = null; + + if (!string.IsNullOrWhiteSpace(auth.UserId)) + { + var userId = auth.UserId; + + user = UserManager.GetUserById(new Guid(userId)); + } + + string deviceId = auth.DeviceId; + string device = auth.Device; + string client = auth.Client; + string version = auth.Version; + + if (!string.IsNullOrEmpty(client) && !string.IsNullOrEmpty(deviceId) && !string.IsNullOrEmpty(device) && !string.IsNullOrEmpty(version)) + { + var remoteEndPoint = request.RemoteIp; + + SessionManager.LogSessionActivity(client, version, deviceId, device, remoteEndPoint, user); + } + } + } + + /// + /// A new shallow copy of this filter is used on every request. + /// + /// IHasRequestFilter. + public IHasRequestFilter Copy() + { + return this; + } + + /// + /// Order in which Request Filters are executed. + /// <0 Executed before global request filters + /// >0 Executed after global request filters + /// + /// The priority. + public int Priority + { + get { return 0; } + } + } +} -- cgit v1.2.3