-
Notifications
You must be signed in to change notification settings - Fork 206
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
We received a vulnerability disclosure due to how we pick a remote IP address. #99
Conversation
… address. Disclosure URL: https://gist.github.com/adam-p/4b777de4bda0027f4c3daa45618adcdc This is an attempt to address the situation. 1. We no longer configure SetIPLookups on default. 2. We address the two different SetIPLookups confusion in two different place by removing both of them. 3. We add a new, explicit way, for user to define how IP address should be picked up. Tests are all updated to use the new method of picking IP address. This will be a backward incompatible change so version number has to be bumped to 7.
Overall I think it's a good approach. Instead of a fixed list of supported headers, I think you should support any arbitrary header. (It's also a little confusing for there to be If you really want to restrict header use to just a few that are supported, I think you should use enum constants rather than strings. It's too easy to think that you can put whatever header you want there. Or make a typo when adding a supported one. (And then it'll silently not rate-limit, which I'll mention below.) I would like there to be more explanation of why I don't think you should have I don't like how it (still) "fails open" (doesn't rate-limit) when there's a failure to get the IP. I worry that if the tollbooth user misconfigures it, tollbooth will silently seem like it's working but not actually do anything. (Yes, the dev should actually test, but...) If you stuck with a fixed set of supported headers, then one thing you could do is panic if the user calls If, as I suggest above, you support arbitrary single-IP headers, it's trickier. My preference would still be to panic, but I can see why that's not super attractive. Instead of happening at server-startup time, it would happen when the first request came in. (tollbooth is configured to look at Another possibility, of course is to "fail closed". Instead of Another possibility is to fall back to checking Somewhat related to the "fail open" stuff is what And somewhat related to that... If the user sets ETA: Regarding configuration failure behaviour, it's also worth mentioning returning an error rather than panicking. You'll still have to decide whether to fail open or close, but at least it won't be silent. (I didn't mention this at first because @didip said in email, "Returning an error is certainly bad from app stability perspective". Which is fair, but it should still be explicitly considered here.) |
@adam-p If we combine multiple of the same headers into 1 list, then when you say: “give me the first ip from the right”, what does it exactly mean precisely? Just do [array1] + [array2] and then pick the last ip? |
Yes. Combining the headers the headers like that is specifically allowed by the HTTP RFC, and I've seen AWS ALB do it. The resulting list of them represents the same order that they were added. So counting in from the right becomes easy and makes sense. |
@didip Can you replace the gist disclosure link in your comment with a link to the actual post: https://adam-p.ca/blog/2022/03/x-forwarded-for/ Because I, uh, accidentally deleted the gist. (I forgot for a moment that it was used here. And the post has superseded it.) |
ok, no problem.
…On Sat, Mar 5, 2022 at 5:59 AM Adam Pritchard ***@***.***> wrote:
@didip <https://github.com/didip> Can you replace the gist disclosure
link in your comment with a link to the actual post:
https://adam-p.ca/blog/2022/03/x-forwarded-for/
Because I, uh, accidentally deleted the gist. (I forgot for a moment that
it was used here. And the post has superseded it.)
—
Reply to this email directly, view it on GitHub
<#99 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAARZVU6F536OA2XHAQHBHDU6NSCRANCNFSM5P4SFZPA>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
I wrote a library to help with extracting the "real" client IP from a request. I intended that it be useful in cases like this, so please let me know if it's suitable (and if it's not we'll figure out how to make it better). |
Has this issue been resolved otherwise (e.g. different branch etc.) or what is the reason changes didn't get merged? |
This needs to be merged, this isn't functional as a ratelimiting package by default when it can be circumvented this easily: req.Header.Add("X-Forwarded-For", strconv.Itoa(rand.Int())) |
Thank you!! |
Disclosure URL: https://adam-p.ca/blog/2022/03/x-forwarded-for/
This is an attempt to address the situation.
We no longer configure
SetIPLookups
on default.We address the two different
SetIPLookups
confusion in two different place by removing both of them.We add a new, explicit way, for user to define how IP address should be picked up.
Tests are all updated to use the new method of picking IP address.
This will be a backward incompatible change so version number has to be bumped to 8.