fix: added host header check (to protect against DNS rebinding attacks) #250
Conversation
|
Or @zozs could take a look at this, if you feel like writing a little bit of Rust :) |
|
@ErikBjare Fixed a fairing, will add tests soon. Was very easy to test manually with curl. |
Codecov Report
@@ Coverage Diff @@
## master #250 +/- ##
==========================================
- Coverage 59.18% 58.95% -0.24%
==========================================
Files 44 45 +1
Lines 5123 5216 +93
==========================================
+ Hits 3032 3075 +43
- Misses 2091 2141 +50
Continue to review full report at Codecov.
|
|
Tests are now added as well! |
johan-bjareholt
force-pushed
the
dev/host-header-check
branch
from
6cd79fb
to
d76518d
Compare
| @@ -239,6 +253,7 @@ mod api_tests { | |||
| res = client | |||
| .get("/api/0/buckets/id/events") | |||
| .header(ContentType::JSON) | |||
| .header(Header::new("Host", "127.0.0.1:5600")) | |||
There was a problem hiding this comment.
You needed to add this explicitly? The Host header should be set correctly automatically, and you shouldn't be testing against port 5600, right?
There was a problem hiding this comment.
Tried removing them, which caused the tests to break. Not sure why though, the Host header should definitely be set by the request library itself...
There was a problem hiding this comment.
and you shouldn't be testing against port 5600, right?
The port or address actually doesn't matter. We are never starting an actual server or starting any ports in these unit tests, they are simply injected into Rocket as if they were real requests.
The Host header should be set correctly automatically
Since the testing framework is a very basic I'll assume that they either simply have not seen this issue before (since the requests are internal to rocket, the Host header is technically pointless) or simply because the Rocket developers find it to make more sense for all headers to be explicit rather than implicit.
There was a problem hiding this comment.
Ah, I suspected something like that, but found it a bit weird and couldn't quite explain why it would work that way when the Host header is so well specified and ubiquitous.
or simply because the Rocket developers find it to make more sense for all headers to be explicit rather than implicit.
This would seem odd to me in any other context where you make requests, but perhaps it makes sense for tests like these.
johan-bjareholt
force-pushed
the
dev/host-header-check
branch
from
74218c9
to
554fb0b
Compare
|
@johan-bjareholt According to codecov the tests don't cover the failing request handlers, any idea why? See here: https://app.codecov.io/gh/ActivityWatch/aw-server-rust/compare/250/tree/aw-server/src/endpoints/hostcheck.rs Any chance there's another cause for the BadRequest that you are checking for in the tests? Perhaps check if the returned body of the request actually contains a mention of the failing host-header check? |
Simply adding a panic! in the fairing_error_route makes the unittest fail, so the tests work as they should. |
|
Alright, ready to merge then. Thanks! |
@johan-bjareholt Could you take a look at this and finish it? The Python-implementation is here: ActivityWatch/aw-server@3e8731f
Fixes GHSA-v9fg-6g9j-h4x4