Dashboard with internal / external detection via ui_control safe?

stefan24 · 7 May 2020 10:49

Hi!

I made a flow to detect whether a client comes from internal net or from the internet via port forwarding and switch on/off the desired groups.

[{"id":"9dc0c3cc.e12318","type":"ui_ui_control","z":"90b5fc30.4ddc6","name":"","events":"all","x":300,"y":140,"wires":[["782ec1ee.d9dbc8"]]},{"id":"d4a07d23.61b47","type":"inject","z":"90b5fc30.4ddc6","name":"Init UI","topic":"","payload":"","payloadType":"date","repeat":"","crontab":"","once":true,"onceDelay":0.1,"x":130,"y":140,"wires":[["9dc0c3cc.e12318"]]},{"id":"2f35f118.4b0b9e","type":"file","z":"90b5fc30.4ddc6","name":"Protocol website access","filename":"dashboard.txt","appendNewline":true,"createDir":false,"overwriteFile":"false","encoding":"none","x":1250,"y":120,"wires":[[]]},{"id":"29ebdfe8.b6ad08","type":"function","z":"90b5fc30.4ddc6","name":"Protocol","func":"zeit = new Date().toLocaleString();\n\nmsg.payload = zeit+\": call from \"+msg.socketip+\" ID:\"+msg.socketid;\n\n\nreturn msg;","outputs":1,"noerr":0,"x":900,"y":120,"wires":[["2f35f118.4b0b9e"]]},{"id":"782ec1ee.d9dbc8","type":"switch","z":"90b5fc30.4ddc6","name":"","property":"socketip","propertyType":"msg","rules":[{"t":"eq","v":"192.168.2.2","vt":"str"},{"t":"cont","v":"192.168.2","vt":"str"},{"t":"else"}],"checkall":"false","repair":false,"outputs":3,"x":490,"y":140,"wires":[["72b1c083.cf6c88","29ebdfe8.b6ad08"],["2bd9a816.82db4"],["29ebdfe8.b6ad08","7a8cc4d2.d39ddc"]],"outputLabels":["","Intern","Extern"]},{"id":"59c447f7.1e166","type":"ui_ui_control","z":"90b5fc30.4ddc6","name":"","events":"all","x":920,"y":200,"wires":[["4718f512.23e66c"]]},{"id":"2bd9a816.82db4","type":"change","z":"90b5fc30.4ddc6","name":"Internal","rules":[{"t":"set","p":"payload","pt":"msg","to":"{\"group\":{\"hide\":[\"Tab_External\",\"Tab_User1\"],\"show\":[\"Tab_Internal\"]}}","tot":"jsonata"}],"action":"","property":"","from":"","to":"","reg":false,"x":660,"y":160,"wires":[["59c447f7.1e166"]]},{"id":"7a8cc4d2.d39ddc","type":"change","z":"90b5fc30.4ddc6","name":"External","rules":[{"t":"set","p":"payload","pt":"msg","to":"{\"group\":{\"show\":[\"Tab_External\"],\"hide\":[\"Tab_Internal\",\"Tab_User1\"]}}","tot":"jsonata"}],"action":"","property":"","from":"","to":"","reg":false,"x":660,"y":200,"wires":[["59c447f7.1e166"]]},{"id":"4718f512.23e66c","type":"debug","z":"90b5fc30.4ddc6","name":"","active":false,"tosidebar":true,"console":false,"tostatus":false,"complete":"false","x":1150,"y":200,"wires":[]},{"id":"72b1c083.cf6c88","type":"change","z":"90b5fc30.4ddc6","name":"User1","rules":[{"t":"set","p":"payload","pt":"msg","to":"{\"group\":{\"show\":[\"Tab_User1\"],\"hide\":[\"Tab_Internal\",\"Tab_External\"]}}","tot":"json"}],"action":"","property":"","from":"","to":"","reg":false,"x":650,"y":100,"wires":[["59c447f7.1e166"]]}]

So the client with IP address 192.168.2.2 gets the group Tab_User1, all other local users (192.168.2.x) get Tab_Internal and users from the internet get the group Tab_External.
User1 and external users will be logged in a ASCII file.

The internal group can switch on/off light or heaters, however the external group can only see the state of a switch.

Is that safe or is it possible for the client to "show" groups, which have been "hidden" by ui_control?

TotallyInformation · 7 May 2020 19:34

No, I don't believe it to be safe. Open your developer tools and look at the full contents of the page. I think that you will find all the other data is there and can be exposed very easily.

Dashboard is a "Single Page App" (SPA).

IP Address checks can never be entirely safe since IP addresses can be spoofed (recognising the difference between an Internet routable address and an internally routable address (192.168.x.x, 10.x.x.x, etc) is a little more safe if you have your edge firewalls correctly configured.

But you still have all the info in the single page app so you would also need to only deliver the hidden part of the UI dynamically once the user and their location had been verified. Not sure if that is possible with Dashboard.

stefan24 · 8 May 2020 12:43

I did a wget of the dashboard site and did not find any string from the External or User1 groups, but also not from the groups, which are displayed.

The firefox inspector showed only those groups which are displayed and not hidden:

<ui-card-panel ng-repeat="group in main.selectedTab.items" id="TAB_internal" ...

So it seems to be safe, but I have disabled all port forwarding and will use my VPN instead.

dceejay · 8 May 2020 14:27

I would double-check that - if you "know" the url of the hidden tab eg ... /ui/#!/1 or /2 etc then you may well be able to get to the data. Not hard to guess what may come after /1 etc...

stefan24 · 8 May 2020 17:53

But I do NOT have a second tab, only Groups, which I enable / disable via

{"group":{"show":["Tab_Group1"],"hide":["Tab_group2","Tab_group3"]}}

I do not get another view, if I change the /ui/#!/1 to /ui/#!/2 or /ui/#!/3.

system · 7 June 2020 17:53

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Identify data from device using dashboard Dashboard node-red-dashboard , security	11	456	21 January 2022
Trigger an event by calling the dashboard Dashboard	5	2431	22 October 2020
UI switch behaviour Dashboard	5	675	4 February 2021
Detect automatically user enter UI Dashboard	8	1002	12 May 2021
Dashboard - Query if someone is viewing only Dashboard	3	443	15 November 2020

Dashboard with internal / external detection via ui_control safe?

Related topics