querylog: Add DNS rebinding protection

2020-12-08 18:11:01 +03:00 · 2020-12-08 18:11:01 +03:00 · a9efc39306
parent f924523f6a
commit a9efc39306
8 changed files with 29 additions and 15 deletions
--- a/AGHTechDoc.md
+++ b/AGHTechDoc.md
@ -1558,6 +1558,7 @@ Strict matching can be enabled by enclosing the value in double quotes: e.g. `"a
 * blocked_services     - blocked services
 * blocked_safebrowsing - blocked by safebrowsing
 * blocked_parental     - blocked by parental control
+* blocked_dns_rebinding - blocked by DNS rebinding protection
 * whitelisted          - whitelisted
 * rewritten            - all kinds of rewrites
 * safe_search          - enforced safe search
--- a/client/src/__locales/en.json
+++ b/client/src/__locales/en.json
@ -593,5 +593,6 @@
    "rebinding_protection_enabled": "Enable protection from DNS rebinding attacks",
    "rebinding_protection_enabled_desc": "If enabled, AdGuard Home will block responses containing host on the local network.",
    "rebinding_allowed_hosts_title": "Allowed domains",
-    "rebinding_allowed_hosts_desc": "A list of domains. If configured, AdGuard Home will allow responses containing host on the local network from these domains. Here you can specify the exact domain names, wildcards and urlfilter-rules, e.g. 'example.org', '*.example.org' or '||example.org^'."
+    "rebinding_allowed_hosts_desc": "A list of domains. If configured, AdGuard Home will allow responses containing host on the local network from these domains. Here you can specify the exact domain names, wildcards and urlfilter-rules, e.g. 'example.org', '*.example.org' or '||example.org^'.",
+    "blocked_dns_rebinding": "Blocked DNS rebinding"
 }
--- a/client/src/actions/dnsConfig.js
+++ b/client/src/actions/dnsConfig.js
@ -39,6 +39,7 @@ export const setDnsConfig = (config) => async (dispatch) => {
        }
        if (Object.prototype.hasOwnProperty.call(data, 'rebinding_allowed_hosts')) {
            data.rebinding_allowed_hosts = splitByNewLine(config.rebinding_allowed_hosts);
+            hasDnsSettings = true;
        }

        await apiClient.setDnsConfig(data);
--- a/client/src/components/Settings/Dns/Rebinding/Form.js
+++ b/client/src/components/Settings/Dns/Rebinding/Form.js
@ -2,7 +2,7 @@ import React from 'react';
 import PropTypes from 'prop-types';
 import { Field, reduxForm } from 'redux-form';
 import { Trans, useTranslation } from 'react-i18next';
-import { shallowEqual, useSelector } from 'react-redux';
+import { useSelector } from 'react-redux';
 import { renderTextareaField, CheckboxField } from '../../../../helpers/form';
 import { removeEmptyLines } from '../../../../helpers/helpers';
 import { FORM_NAME } from '../../../../helpers/constants';
@ -20,7 +20,7 @@ const Form = ({
    handleSubmit, submitting, invalid,
 }) => {
    const { t } = useTranslation();
-    const { processingSetConfig } = useSelector((state) => state.dnsConfig, shallowEqual);
+    const processingSetConfig = useSelector((state) => state.dnsConfig.processingSetConfig);

    const renderField = ({
        id, title, subtitle, disabled = processingSetConfig, normalizeOnBlur,
--- a/client/src/helpers/constants.js
+++ b/client/src/helpers/constants.js
@ -341,6 +341,7 @@ export const FILTERED_STATUS = {
    REWRITE_HOSTS: 'RewriteEtcHosts',
    FILTERED_SAFE_SEARCH: 'FilteredSafeSearch',
    FILTERED_SAFE_BROWSING: 'FilteredSafeBrowsing',
+    FILTERED_REBIND: 'FilteredRebind',
    FILTERED_PARENTAL: 'FilteredParental',
 };

@ -373,6 +374,10 @@ export const RESPONSE_FILTER = {
        QUERY: 'blocked_parental',
        LABEL: 'blocked_adult_websites',
    },
+    BLOCKED_DNS_REBINDING: {
+        QUERY: 'blocked_dns_rebinding',
+        LABEL: 'blocked_dns_rebinding',
+    },
    ALLOWED: {
        QUERY: 'whitelisted',
        LABEL: 'allowed',
@ -414,6 +419,10 @@ export const FILTERED_STATUS_TO_META_MAP = {
        LABEL: 'blocked_service',
        COLOR: QUERY_STATUS_COLORS.RED,
    },
+    [FILTERED_STATUS.FILTERED_REBIND]: {
+        LABEL: RESPONSE_FILTER.BLOCKED_DNS_REBINDING.LABEL,
+        COLOR: QUERY_STATUS_COLORS.RED,
+    },
    [FILTERED_STATUS.FILTERED_SAFE_SEARCH]: {
        LABEL: RESPONSE_FILTER.SAFE_SEARCH.LABEL,
        COLOR: QUERY_STATUS_COLORS.YELLOW,
--- a/client/src/reducers/dnsConfig.js
+++ b/client/src/reducers/dnsConfig.js
@ -25,9 +25,9 @@ const dnsConfig = handleActions(
                ...values,
                blocking_ipv4: blocking_ipv4 || DEFAULT_BLOCKING_IPV4,
                blocking_ipv6: blocking_ipv6 || DEFAULT_BLOCKING_IPV6,
-                upstream_dns: (upstream_dns && upstream_dns.join('\n')) || '',
-                bootstrap_dns: (bootstrap_dns && bootstrap_dns.join('\n')) || '',
-                rebinding_allowed_hosts: (rebinding_allowed_hosts && rebinding_allowed_hosts.join('\n')) || '',
+                upstream_dns: upstream_dns?.join('\n') || '',
+                bootstrap_dns: bootstrap_dns?.join('\n') || '',
+                rebinding_allowed_hosts: rebinding_allowed_hosts?.join('\n') || '',
                processingGetConfig: false,
            };
        },
--- a/internal/querylog/searchcriteria.go
+++ b/internal/querylog/searchcriteria.go
@ -17,14 +17,15 @@ const (
 	filteringStatusAll      = "all"
 	filteringStatusFiltered = "filtered" // all kinds of filtering

-	filteringStatusBlocked             = "blocked"              // blocked or blocked services
-	filteringStatusBlockedService      = "blocked_services"     // blocked
-	filteringStatusBlockedSafebrowsing = "blocked_safebrowsing" // blocked by safebrowsing
-	filteringStatusBlockedParental     = "blocked_parental"     // blocked by parental control
-	filteringStatusWhitelisted         = "whitelisted"          // whitelisted
-	filteringStatusRewritten           = "rewritten"            // all kinds of rewrites
-	filteringStatusSafeSearch          = "safe_search"          // enforced safe search
-	filteringStatusProcessed           = "processed"            // not blocked, not white-listed entries
+	filteringStatusBlocked             = "blocked"               // blocked or blocked services
+	filteringStatusBlockedService      = "blocked_services"      // blocked
+	filteringStatusBlockedSafebrowsing = "blocked_safebrowsing"  // blocked by safebrowsing
+	filteringStatusBlockedParental     = "blocked_parental"      // blocked by parental control
+	filteringStatusBlockedRebind       = "blocked_dns_rebinding" // blocked by DNS rebinding protection
+	filteringStatusWhitelisted         = "whitelisted"           // whitelisted
+	filteringStatusRewritten           = "rewritten"             // all kinds of rewrites
+	filteringStatusSafeSearch          = "safe_search"           // enforced safe search
+	filteringStatusProcessed           = "processed"             // not blocked, not white-listed entries
 )

 // filteringStatusValues -- array with all possible filteringStatus values
@ -32,7 +33,7 @@ var filteringStatusValues = []string{
 	filteringStatusAll, filteringStatusFiltered, filteringStatusBlocked,
 	filteringStatusBlockedService, filteringStatusBlockedSafebrowsing, filteringStatusBlockedParental,
 	filteringStatusWhitelisted, filteringStatusRewritten, filteringStatusSafeSearch,
-	filteringStatusProcessed,
+	filteringStatusProcessed, filteringStatusBlockedRebind,
 }

 // searchCriteria - every search request may contain a list of different search criteria
--- a/openapi/openapi.yaml
+++ b/openapi/openapi.yaml
@ -190,6 +190,7 @@
          - 'blocked'
          - 'blocked_safebrowsing'
          - 'blocked_parental'
+          - 'blocked_dns_rebinding'
          - 'whitelisted'
          - 'rewritten'
          - 'safe_search'