Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add HostAuthorization rack-protection middleware #2053

Merged
merged 34 commits into from
Nov 18, 2024
Merged

Add HostAuthorization rack-protection middleware #2053

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
34 commits
Select commit Hold shift + click to select a range
fb2d76d
Add `permitted_hosts` setting
dentarg Nov 5, 2024
b5df6e1
Split bad/good cases in `HostAuthorization` specs
dentarg Nov 8, 2024
492589f
Less brittle `HostAuthorization` specs
dentarg Nov 8, 2024
841ee31
Simplify `HostAuthorization` tests for Sinatra
dentarg Nov 8, 2024
d2293d9
Document `HostAuthorization` in rack-protection README
dentarg Nov 8, 2024
c9c2625
Expose all the options for `HostAuthorization`
dentarg Nov 8, 2024
6e3711e
Test with multiple hostnames in headers
dentarg Nov 8, 2024
1701645
Improve test descriptions
dentarg Nov 8, 2024
071358e
Port should not matter for `HostAuthorization`
dentarg Nov 8, 2024
856d8e6
No need for `Rack::Protection::HostAuthorization.forwarded?` now
dentarg Nov 8, 2024
ffaf412
Support for `IPAddr` hosts
dentarg Nov 8, 2024
44dd856
Always look at the `Host` header
dentarg Nov 12, 2024
76e614a
Better grouping of `HostAuthorization` specs
dentarg Nov 12, 2024
e6264be
Test with more exotic header values
dentarg Nov 12, 2024
d179c0c
Support for subdomains
dentarg Nov 12, 2024
4652ad2
Support `Forwarded` header in `#forwarded?`
dentarg Nov 12, 2024
a167d8b
Use the same `require` order as other protections
dentarg Nov 13, 2024
3d5383d
Better `allow_if` example in tests
dentarg Nov 13, 2024
dd73d0e
`HostAuthorization` development settings
dentarg Nov 13, 2024
8466a9e
Test with `nil` `HTTP_HOST`
dentarg Nov 13, 2024
1081bf8
Fix typo in README
dentarg Nov 14, 2024
85d2079
Mention `IPAddr` objects
dentarg Nov 14, 2024
801e821
Add (optional) debug logging in `HostAuthorization`
dentarg Nov 14, 2024
579a2e6
Fix incorrect test description
dentarg Nov 15, 2024
affc961
Use keyword argument for `mock_app` helper
dentarg Nov 15, 2024
543bac2
Better test description
dentarg Nov 15, 2024
b1bf256
Fix typo in test description
dentarg Nov 15, 2024
9f0d130
Reject invalid hostnames
dentarg Nov 17, 2024
5947a6d
Document `host_authorization` defaults
dentarg Nov 17, 2024
b29d698
Lint `HostAuthorization` middleware
dentarg Nov 18, 2024
5ba1250
Lint `HostAuthorization` specs
dentarg Nov 18, 2024
3059727
Avoid `warning: character class has '-' without escape: ...`
dentarg Nov 18, 2024
4dfd160
Silence `Style/SafeNavigationChainLength` cop
dentarg Nov 18, 2024
7697337
No need to silence `SafeNavigationChainLength` cop
dentarg Nov 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Support for IPAddr hosts
  • Loading branch information
@dentarg
dentarg committed Nov 8, 2024
commit ffaf412cfcf740be1e86f39c44b4f38c901ff019
26 changes: 22 additions & 4 deletions rack-protection/lib/rack/protection/host_authorization.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
# frozen_string_literal: true

require 'ipaddr'
require 'rack/protection'

module Rack
Expand All @@ -25,17 +26,34 @@ class HostAuthorization < Base

def initialize(*)
super
@permitted_hosts = Array(options[:permitted_hosts]).map(&:downcase)
@all_permitted_hosts = Array(options[:permitted_hosts])
@permitted_hosts = @all_permitted_hosts
.select { |host| host.is_a?(String) }
.map(&:downcase)
@ip_hosts = @all_permitted_hosts.select { |host| host.is_a?(IPAddr) }
end

def accepts?(env)
return true if options[:allow_if]&.call(env)
return true if @permitted_hosts.empty?
return true if @all_permitted_hosts.empty?
dentarg marked this conversation as resolved.
Show resolved Hide resolved

request = Request.new(env)
origin_host = request.host

@permitted_hosts.include?(origin_host.downcase)
host_permitted?(request.host.downcase)
end

private

def host_permitted?(origin_host)
return true if @permitted_hosts.include?(origin_host)

ip_match?(origin_host)
end

def ip_match?(origin_host)
@ip_hosts.any? { |ip_host| ip_host.include?(origin_host) }
rescue IPAddr::InvalidAddressError
false
end
end
end
Expand Down
87 changes: 75 additions & 12 deletions rack-protection/spec/lib/rack/protection/host_authorization_spec.rb
View file
Open in desktop
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure where to put the suggestion, so it will be file-wide. I saw two tests for the corresponding Rails middleware that may be of interest here:

Copy link
Member Author

@dentarg dentarg Nov 15, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will just copy the tests here for easier discussion (no need to open the link every time you visit this convo)

https://github.com/rails/rails/blob/6230bd334ab47f9efc6d97c6627abe76c80d8058/actionpack/test/dispatch/host_authorization_test.rb#L108

  test "does not allow domain name notation in the HOST header itself" do
    @app = build_app(".example.com")

    get "/", env: {
      "HOST" => ".example.com",
      "action_dispatch.show_detailed_exceptions" => true
    }

    assert_response :forbidden
    assert_match "Blocked hosts: .example.com", response.body
  end

https://github.com/rails/rails/blob/6230bd334ab47f9efc6d97c6627abe76c80d8058/actionpack/test/dispatch/host_authorization_test.rb#L449

  test "blocks requests with invalid hostnames" do
    @app = build_app(".example.com")

    get "/", env: {
      "HOST" => "attacker.com#x.example.com",
      "action_dispatch.show_detailed_exceptions" => true
    }

    assert_response :forbidden
    assert_match "Blocked hosts: attacker.com#x.example.com", response.body
  end

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both of these are not blocked currently.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder of they can be taken advantage of 🤔 They are not valid hostnames (Wikipedia, see "LDH rule")

$ host example.com#example.org
Host example.com#example.org not found: 3(NXDOMAIN)

$ host .example.org
host: '.example.org' is not a legal name (empty label)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I handled them both in 9f0d130, no longer allowed.

I think there's one difference between Sinatra and Rails now: with .example.com in the list of permitted hosts, Rails will allow bar.example.com but not foo.bar.example.com. Sinatra will allow both. This is intentional, I think it makes sense. WDYT @walro?

Copy link
Contributor

@walro walro Nov 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both ways seem acceptable to me. I guess for Rails one would need to add .bar.example.com in addition to .example.com to allow for foo.bar.example.com?

In the Sinatra case, to only allow foo.bar.example.com (and its siblings) but not baz.example.com, one could setup .bar.example.com?

Copy link
Member Author

@dentarg dentarg Nov 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Noticed an interesting comment in rack/rack#1604

Given RFC 2181 relaxes all restrictions on DNS names (except segment and total length), it seems unnecessarily risky to use anything but a wildcard match in that position.

Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,69 @@ def assert_response(outcome:, headers:, last_response:)
end
end

describe "when permitted hosts include IPAddr instance for 0.0.0.0/0" do
good_requests = lambda do
[
{ "HTTP_HOST" => "127.0.0.1" },
{ "HTTP_HOST" => "127.0.0.1:3000" },
{ "HTTP_X_FORWARDED_HOST" => "127.0.0.1" },
{ "HTTP_X_FORWARDED_HOST" => "127.0.0.1:3000" },
{ "HTTP_X_FORWARDED_HOST" => "example.com, 127.0.0.1" },
{ "HTTP_X_FORWARDED_HOST" => "example.com, 127.0.0.1:3000" },
{ "HTTP_FORWARDED" => "host=127.0.0.1" },
{ "HTTP_FORWARDED" => "host=example.com; host=127.0.0.1" },
{ "HTTP_FORWARDED" => "host=example.com; host=127.0.0.1:3000" },
]
end

good_requests.call.each do |headers|
it "allows the request with headers '#{headers}'" do
permitted = IPAddr.new("0.0.0.0/0")
mock_app do
use Rack::Protection::HostAuthorization, permitted_hosts: [permitted]
run DummyApp
end

get("/", {}, headers)

assert_response(outcome: :allowed, headers: headers, last_response: last_response)
end
end
end

describe "when permitted hosts include IPAddr instance for 192.168.0.1/32" do
bad_requests = lambda do
[
{ "HTTP_HOST" => "127.0.0.1" },
{ "HTTP_HOST" => "127.0.0.1:3000" },
{ "HTTP_HOST" => "example.com" },
{ "HTTP_X_FORWARDED_HOST" => "127.0.0.1" },
{ "HTTP_X_FORWARDED_HOST" => "127.0.0.1:3000" },
{ "HTTP_X_FORWARDED_HOST" => "example.com" },
{ "HTTP_X_FORWARDED_HOST" => "example.com, 127.0.0.1" },
{ "HTTP_X_FORWARDED_HOST" => "example.com, 127.0.0.1:3000" },
{ "HTTP_FORWARDED" => "host=127.0.0.1" },
{ "HTTP_FORWARDED" => "host=example.com" },
{ "HTTP_FORWARDED" => "host=example.com; host=127.0.0.1" },
{ "HTTP_FORWARDED" => "host=example.com; host=127.0.0.1:3000" },
]
end

bad_requests.call.each do |headers|
it "stops the request with headers '#{headers}'" do
permitted = IPAddr.new("192.168.0.1")
mock_app do
use Rack::Protection::HostAuthorization, permitted_hosts: [permitted]
run DummyApp
end

get("/", {}, headers)

assert_response(outcome: :stopped, headers: headers, last_response: last_response)
end
end
end

good_requests = lambda do |allowed_host|
[
{ "HTTP_HOST" => allowed_host },
Expand All @@ -27,18 +90,6 @@ def assert_response(outcome:, headers:, last_response:)
]
end

bad_requests = lambda do |allowed_host, bad_host|
[
{ "HTTP_HOST" => bad_host },
{ "HTTP_X_FORWARDED_HOST" => bad_host },
{ "HTTP_X_FORWARDED_HOST" => "#{allowed_host}, #{bad_host}" },
{ "HTTP_FORWARDED" => "host=#{bad_host}" },
{ "HTTP_FORWARDED" => "host=#{allowed_host}; host=#{bad_host}" },
{ "HTTP_HOST" => allowed_host, "HTTP_X_FORWARDED_HOST" => bad_host },
{ "HTTP_HOST" => allowed_host, "HTTP_FORWARDED" => "host=#{bad_host}" },
]
end

good_requests.call("allowed.org").each do |headers|
it "allows the request with headers '#{headers}'" do
mock_app do
Expand All @@ -52,6 +103,18 @@ def assert_response(outcome:, headers:, last_response:)
end
end

bad_requests = lambda do |allowed_host, bad_host|
[
{ "HTTP_HOST" => bad_host },
{ "HTTP_X_FORWARDED_HOST" => bad_host },
{ "HTTP_X_FORWARDED_HOST" => "#{allowed_host}, #{bad_host}" },
{ "HTTP_FORWARDED" => "host=#{bad_host}" },
{ "HTTP_FORWARDED" => "host=#{allowed_host}; host=#{bad_host}" },
{ "HTTP_HOST" => allowed_host, "HTTP_X_FORWARDED_HOST" => bad_host },
{ "HTTP_HOST" => allowed_host, "HTTP_FORWARDED" => "host=#{bad_host}" },
]
end

bad_requests.call("allowed.org", "bad.org").each do |headers|
it "stops the request with headers '#{headers}'" do
mock_app do
Expand Down