From 624c3ab637ce807b4b88402686a93b10bd325056 Mon Sep 17 00:00:00 2001 From: Pierre Mauduit Date: Tue, 31 Mar 2026 09:25:11 +0200 Subject: [PATCH] fix: improve security for SP's XHR proxy default configuration Deny requests via the XHR proxy by default. Tests: The XHR proxy is already tested in several ways via the testsuite, see: https://github.com/georchestra/security-proxy/blob/main/src/test/java/org/georchestra/security/PermissionsTest.java But the new configuration suggested in the PR has been tested with the following test case: ``` @Test public void testDefaultDatadirConfig() throws IOException { Permissions perm = this.load("test-permissions-default-datadir.xml"); assertTrue(perm.isDenied(new URL("http://www.google.fr/test.html"))); assertTrue(perm.isDenied(new URL("http://127.0.0.1:8080/console/private/internal/users.json"))); assertTrue(perm.isDenied(new URL("http://console-svc:8080/console/"))); assertTrue(perm.isDenied(new URL("https://sdi.georchestra.org/console/"))); assertTrue(perm.isDenied(new URL("https://demo.georchestra.org/geoserver/wms"))); } ``` e.g. with a mix of internal IP addresses, internal host names, and external resources. --- security-proxy/proxy-permissions.xml | 32 +++++++++++++++++++++++----- 1 file changed, 27 insertions(+), 5 deletions(-) diff --git a/security-proxy/proxy-permissions.xml b/security-proxy/proxy-permissions.xml index c501c2a0..fdd6a963 100644 --- a/security-proxy/proxy-permissions.xml +++ b/security-proxy/proxy-permissions.xml @@ -36,7 +36,7 @@ path: case insensitive regexp to match the 'path' part of the requested URL. - network: IP address with a network mask to specify a range of IP addresses. + network: IP address with a network mask to specify a range of IP addresses. Both IPv4 and IPv6 are supported. 
@@ -72,14 +72,36 @@ The last urimatcher denies access to all IPv4 addresses which start with 10.42 + By default, the configuration will deny access to the XHR proxy. If you need + to activate it, make sure it cannot reach the internal network. An example + of "Allowing requests to the outside world but denying local/internal access" + could be the following: + + + true + + + 127.0.0.0/8 + + + 10.0.0.0/8 + + + 172.16.0.0/12 + + + 192.168.0.0/16 + + + + + --> - true + false - - localhost + .*
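Review bot: in the first hunk, the added sentence `Both IPv4 and IPv6 are supported.` on the `network:` description line is a behavioural claim that nothing else in this patch backs up: the example added in the second hunk lists only IPv4 ranges (`127.0.0.0/8`, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`) and the `testDefaultDatadirConfig` case in the commit message exercises IPv4 literals and host names only. If IPv6 matching really is supported, the example should say so in code rather than only in the sentence, by adding the IPv6 equivalents of the loopback and private ranges (`::1/128` and `fc00::/7`) to the deny list; as written, the example documents an "outside world only" configuration whose deny list does not cover an IPv6 loopback or unique-local destination at all. The link-local range `169.254.0.0/16` is likewise absent from the internal-address list and is normally part of one. If IPv6 support is not actually implemented, the sentence should be dropped rather than left as documentation of something the matcher does not do.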
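Review bot: in the second hunk, the live default now changes `true` to `false` and the only matcher from `localhost` to `.*`, so after this patch every request is refused twice over: once by the deny-by-default flag and once by the catch-all `.*` matcher. That is defensible as belt-and-braces, but a one-line comment next to the `.*` matcher stating that it is intentional (or removing it and relying on the flag alone) would stop the next maintainer from treating one of the two as leftover and "simplifying" it away. Two points on the new commented example: first, it is placed inside the comment that ends with `-->`, so a copy-paste of it must be checked against the XML structure of the live block below it, and the commit message's test loads a separate `test-permissions-default-datadir.xml` rather than this file, which means the example itself is never parsed by the test suite; a second fixture that loads the example verbatim would catch a typo there. Second, the example's protection of the internal network rests entirely on `network` matchers, so please state in the comment whether the matcher resolves a host name in the request before comparing it with the range (the commit-message test uses the internal name `console-svc`, but only under the deny-all default, so it does not answer that question); if host names are compared literally, the example should say that an allow-by-default setup also needs `host` matchers for internal names.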