From 5bf21324190c0ecd0c365a30db1f944dc3d866f9 Mon Sep 17 00:00:00 2001
From: Beth Skurrie
Date: Tue, 26 Jan 2021 16:08:17 +1100
Subject: [PATCH] fix: use base URL from rack env in UI

---
 lib/pact_broker/ui/controllers/base_controller.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/pact_broker/ui/controllers/base_controller.rb b/lib/pact_broker/ui/controllers/base_controller.rb
index 2a5b5c91f..5a4597f53 100644
--- a/lib/pact_broker/ui/controllers/base_controller.rb
+++ b/lib/pact_broker/ui/controllers/base_controller.rb
@@ -12,7 +12,11 @@ class Base < Padrino::Application
     set :dump_errors, false # The padrino logger logs these for us. If this is enabled we get duplicate logging.
 
     def base_url
-      PactBroker.configuration.base_url || ''
+      # Using the X-Forwarded headers in the UI can leave the app vulnerable
+      # https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/
+      # Either use the explicitly configured base url or an empty string,
+      # rather than request.base_url, which uses the X-Forwarded headers.
+      env["pactbroker.base_url"] || ''
     end
   end
 end
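Review bot: The new `env["pactbroker.base_url"]` lookup in base_url moves the host-header safety property onto whatever populates that rack env key, yet the added comment still speaks of "the explicitly configured base url" as if the value were still read from PactBroker.configuration, and nothing in the hunk shows how the key is set. Presumably an upstream middleware fills it from configuration, but a reader of this method cannot tell that the key is never derived from Host or X-Forwarded-* headers, which is exactly the guarantee the comment relies on. I would extend the comment with the contract, e.g. `# "pactbroker.base_url" must be set by upstream middleware from the configured base URL only, never from Host/X-Forwarded-* headers, or the protection described above is lost.` The enclosing class Base starts outside the hunk.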