Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: allow calling internal IP range 100.64.0.0/10 with relevant ResilientClient options #806

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

David-Wobrock
Copy link

The ResilientClient options ResilientClientDisallowInternalIPs and ResilientClientAllowInternalIPRequestsTo were not allowing to call certain IP ranges, like 100.64.0.0/10 properly.

Related Issue or Design Document

Fixes: #805

And relates to Kratos issue: ory/kratos#4049

Checklist

  • I have read the contributing guidelines and signed the CLA.
  • I have referenced an issue containing the design document if my change introduces a new feature.
  • I have read the security policy.
  • I confirm that this pull request does not address a security vulnerability.
    If this pull request addresses a security vulnerability,
    I confirm that I got approval (please contact security@ory.sh) from the maintainers to push the changes.
  • I have added tests that prove my fix is effective or that my feature works.
  • I have added the necessary documentation within the code base (if appropriate).

Further comments

@David-Wobrock David-Wobrock changed the title fix: allow calling internal IP ranges with relevant option fix: allow calling internal IP ranges with relevant ResilientClient options Aug 21, 2024
@David-Wobrock David-Wobrock force-pushed the fix/resilient-client-private-ips branch from 0ca4115 to e39baf3 Compare August 21, 2024 16:34
@David-Wobrock David-Wobrock marked this pull request as ready for review August 22, 2024 08:35
httpx/ssrf.go Outdated Show resolved Hide resolved
httpx/resilient_client_test.go Outdated Show resolved Hide resolved
httpx/resilient_client_test.go Outdated Show resolved Hide resolved
@David-Wobrock David-Wobrock force-pushed the fix/resilient-client-private-ips branch 3 times, most recently from 978dabb to f5b7cd2 Compare August 23, 2024 15:52
@David-Wobrock
Copy link
Author

Thanks for the review @alnr 🙏

I pushed some edits around the suggestion about the tests.

Let me know what you think :)

@David-Wobrock David-Wobrock force-pushed the fix/resilient-client-private-ips branch from f5b7cd2 to 0b46d7d Compare August 26, 2024 08:53
@aeneasr
Copy link
Member

aeneasr commented Aug 27, 2024

Thank you for the PR - I just want to note that we have pretty strict security requirements in our internal systems, and generally do not allow merging a weakening of those guarantees. Whatever ends up in the final code must deny/allow the same IP ranges as before.

@David-Wobrock
Copy link
Author

Thank you for the PR - I just want to note that we have pretty strict security requirements in our internal systems, and generally do not allow merging a weakening of those guarantees. Whatever ends up in the final code must deny/allow the same IP ranges as before.

Thanks for the details, however I am unsure how to interpret them 🤔

Would you consider adding 100.64.0.0/10 as "deny/allow the same IP ranges as before"? :)

diff --git a/httpx/ssrf.go b/httpx/ssrf.go
index 99b16e9..ae3b817 100644
--- a/httpx/ssrf.go
+++ b/httpx/ssrf.go
@@ -89,6 +89,7 @@ func init() {
                ssrf.WithNetworks("tcp4", "tcp6"),
                ssrf.WithAllowedV4Prefixes(
                        netip.MustParsePrefix("10.0.0.0/8"),     // Private-Use (RFC 1918)
+                       netip.MustParsePrefix("100.64.0.0/10"),  // Shared Address Space (RFC 6598)
                        netip.MustParsePrefix("127.0.0.0/8"),    // Loopback (RFC 1122, Section 3.2.1.3))
                        netip.MustParsePrefix("169.254.0.0/16"), // Link Local (RFC 3927)
                        netip.MustParsePrefix("172.16.0.0/12"),  // Private-Use (RFC 1918)

By default, we would deny the same IP ranges (the ones in ssrf), however we would allow adding an exception for 100.64.0.0/10 IPs (which can never be called today).

@David-Wobrock David-Wobrock force-pushed the fix/resilient-client-private-ips branch from 0b46d7d to 13f1993 Compare August 28, 2024 12:31
@David-Wobrock
Copy link
Author

Hello @alnr @aeneasr

Thanks for your input.

Since we don't seem to be on a path to make the option to call internal IPs work properly for all IP ranges, I've opted for the minimal approach now to make only 100.64.0.0/10 work for now (which is an IP range used in our Kube cluster).

@David-Wobrock David-Wobrock requested a review from alnr September 9, 2024 15:29
@David-Wobrock David-Wobrock changed the title fix: allow calling internal IP ranges with relevant ResilientClient options fix: allow calling internal IP range 100.64.0.0/10 with relevant ResilientClient options Sep 20, 2024
@David-Wobrock David-Wobrock force-pushed the fix/resilient-client-private-ips branch from 13f1993 to f949dbf Compare September 20, 2024 12:27
@David-Wobrock David-Wobrock force-pushed the fix/resilient-client-private-ips branch from f949dbf to 5eaf97d Compare October 1, 2024 14:47
@David-Wobrock David-Wobrock force-pushed the fix/resilient-client-private-ips branch from 5eaf97d to 66d6f05 Compare October 9, 2024 12:44
@David-Wobrock David-Wobrock force-pushed the fix/resilient-client-private-ips branch from 66d6f05 to 57a2754 Compare October 28, 2024 08:44
@David-Wobrock
Copy link
Author

David-Wobrock commented Oct 28, 2024

Hello @alnr @aeneasr 👋

Let me know if you think we should adapt the patch 😇

The `ResilientClient` options `ResilientClientDisallowInternalIPs`
and `ResilientClientAllowInternalIPRequestsTo` were not allowing to call
the IP range, like 100.64.0.0/10, properly.

Some IP ranges are still not possible to bypass.
@David-Wobrock David-Wobrock force-pushed the fix/resilient-client-private-ips branch from 57a2754 to 1750395 Compare November 11, 2024 12:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

ResilientClient allowed to call internal IPs cannot call 100.64.0.0/10 IP range.
3 participants