From a0a602d18ca1480bfa1eaf7e90614c14f9dbb860 Mon Sep 17 00:00:00 2001
From: Jonathan Cobb
Date: Sat, 25 Jan 2020 14:06:43 -0500
Subject: [PATCH] require all filter requests to come from mitm
---
 .../resources/stream/FilterHttpResource.java | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/bubble-server/src/main/java/bubble/resources/stream/FilterHttpResource.java b/bubble-server/src/main/java/bubble/resources/stream/FilterHttpResource.java
index ce594fae..01723072 100644
--- a/bubble-server/src/main/java/bubble/resources/stream/FilterHttpResource.java
+++ b/bubble-server/src/main/java/bubble/resources/stream/FilterHttpResource.java
@@ -246,12 +246,13 @@ public class FilterHttpResource {
 @GET
 @Path(EP_DATA+"/{requestId}/{matcherId}"+EP_READ)
 @Produces(APPLICATION_JSON)
- public Response readData(@Context ContainerRequest ctx,
+ public Response readData(@Context Request req,
+ @Context ContainerRequest ctx,
 @PathParam("requestId") String requestId,
 @PathParam("matcherId") String matcherId,
 @QueryParam("format") AppDataFormat format) {
- final FilterDataContext fdc = new FilterDataContext(requestId, matcherId);
+ final FilterDataContext fdc = new FilterDataContext(req, requestId, matcherId);
 final List data = dataDAO.findEnabledByAccountAndAppAndSite
 (fdc.request.getAccount().getUuid(), fdc.matcher.getApp(), fdc.matcher.getSite());
 
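Review bot: readData's only caller-origin check is now a side effect of `new FilterDataContext(req, requestId, matcherId)`, so nothing in the method itself signals that it is mitm-only, and any future early return inserted ahead of that line (a format-based short-circuit, a cache hit) would silently bypass the gate. Add a Javadoc on readData making the contract explicit, e.g. `/** Reachable only from the local mitmproxy: constructing {@link FilterDataContext} rejects any non-local remote address with 403 before data is looked up. */`. Since the gate (per the constructor hunk further down) compares `req.getRemoteAddr()` against `isLocalIpv4`, the same comment should record the deployment assumption that no local reverse proxy fronts this endpoint and that forwarded-address headers are not applied to the remote address — behind a proxy every client would appear local; I cannot confirm either from this diff. The body of readData continues past the end of the hunk.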
@@ -275,14 +276,15 @@ public class FilterHttpResource {
 @POST
 @Path(EP_DATA+"/{requestId}/{matcherId}"+EP_WRITE)
 @Consumes(APPLICATION_JSON)
 @Produces(APPLICATION_JSON)
- public Response writeData(@Context ContainerRequest ctx,
+ public Response writeData(@Context Request req,
+ @Context ContainerRequest ctx,
 @PathParam("requestId") String requestId,
 @PathParam("matcherId") String matcherId,
 AppData data) {
 if (data == null || !data.hasKey()) throw invalidEx("err.key.required");
 if (log.isDebugEnabled()) log.debug("writeData: received data="+json(data, COMPACT_MAPPER));
- final FilterDataContext fdc = new FilterDataContext(requestId, matcherId);
+ final FilterDataContext fdc = new FilterDataContext(req, requestId, matcherId);
 data.setAccount(fdc.request.getAccount().getUuid());
 data.setApp(fdc.matcher.getApp());
@@ -297,7 +299,11 @@ public class FilterHttpResource {
 public FilterHttpRequest request;
 public AppMatcher matcher;
- public FilterDataContext(String requestId, String matcherId) {
+ public FilterDataContext(Request req, String requestId, String matcherId) {
+ // only mitmproxy is allowed to call us, and this should always be a local address
+ final String mitmAddr = req.getRemoteAddr();
+ if (!isLocalIpv4(mitmAddr)) throw forbiddenEx();
 if (empty(requestId) || empty(matcherId)) throw notFoundEx();
 request = getActiveRequest(requestId);
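Review bot: In writeData the untrusted request body is validated and logged — `throw invalidEx("err.key.required")` and `log.debug("writeData: received data="+json(data, COMPACT_MAPPER))` — before `new FilterDataContext(req, requestId, matcherId)` performs the remote-address check, so a caller the commit means to lock out can still drive both lines, including writing attacker-chosen JSON into the debug log, and presumably observes a 400 rather than a 403 depending on what it sends. Gate first: move `final FilterDataContext fdc = new FilterDataContext(req, requestId, matcherId);` up to be the first statement of the method, ahead of the `data == null` check and the debug log, so no byte of the body is examined until the origin has been accepted. A one-line comment on that statement, `// origin check happens here: must run before the body is validated or logged`, would keep the ordering from being undone later. The body of writeData continues past the end of the hunk.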