fix: added host header check (to protect against DNS rebinding attacks) #250
Conversation
Or @zozs could take a look at this, if you feel like writing a little bit of Rust :)

@ErikBjare Fixed a fairing, will add tests soon. Was very easy to test manually with curl.
Codecov Report

@@            Coverage Diff             @@
##           master     #250      +/-   ##
==========================================
- Coverage   59.18%   58.95%   -0.24%
==========================================
  Files          44       45       +1
  Lines        5123     5216      +93
==========================================
+ Hits         3032     3075      +43
- Misses       2091     2141      +50

Continue to review full report at Codecov.
Tests are now added as well!

Force-pushed from 6cd79fb to d76518d
I don't think all the client.header(Header::new("Host", "127.0.0.1:5600"))... should be needed, otherwise looks good!
@@ -239,6 +253,7 @@ mod api_tests { | |||
res = client | |||
.get("/api/0/buckets/id/events") | |||
.header(ContentType::JSON) | |||
.header(Header::new("Host", "127.0.0.1:5600")) |
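Review bot: the literal `Header::new("Host", "127.0.0.1:5600")` is repeated in every request in mod api_tests; pulling it into one helper or constant (for example a `fn localhost_host() -> Header` next to the test client setup) keeps the expected host in one place beside what the fairing accepts, and pairing it with one request that omits the Host header, or sends an unlisted one, and asserts that the BadRequest body mentions the host check would make the rejecting path's coverage visible.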
You needed to add this explicitly? The Host header should be set correctly automatically, and you shouldn't be testing against port 5600, right?
Tried removing them, which caused the tests to break. Not sure why though, the Host header should definitely be set by the request library itself...
> and you shouldn't be testing against port 5600, right?

The port or address actually doesn't matter. We are never starting an actual server or opening any ports in these unit tests; they are simply injected into Rocket as if they were real requests.

> The Host header should be set correctly automatically

Since the testing framework is very basic, I'll assume that they either simply have not seen this issue before (since the requests are internal to Rocket, the Host header is technically pointless) or that the Rocket developers simply find it makes more sense for all headers to be explicit rather than implicit.
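The decision the PR's fairing makes, as an added example that is not the PR's hostcheck.rs and does not depend on Rocket: a pure function over the Host header value, which can be exercised the same way these tests do it, by handing the header in directly without starting a server. The allowlist and listening port are assumed inputs, and the policy (header required, host part on the allowlist, port must match when present) is an assumption, not the project's exact rule.

```rust
// Added example: a Host-header allowlist check as a pure function, not the
// PR's hostcheck.rs and independent of Rocket. Assumed policy: the header is
// required, the host part must be on the allowlist (case-insensitive), and a
// port, when present, must equal the port the server listens on.
use std::net::Ipv6Addr;

/// Split a Host header value into (host, optional port). Accepts "localhost",
/// "127.0.0.1:5600" and bracketed IPv6 "[::1]:5600"; rejects malformed values.
fn split_host_port(value: &str) -> Option<(String, Option<u16>)> {
    let v = value.trim();
    if v.is_empty() {
        return None;
    }
    if let Some(rest) = v.strip_prefix('[') {
        let end = rest.find(']')?;
        let host = &rest[..end];
        host.parse::<Ipv6Addr>().ok()?; // must be a real IPv6 literal
        let port = match rest[end + 1..].strip_prefix(':') {
            Some(p) => Some(p.parse::<u16>().ok()?),
            None if rest[end + 1..].is_empty() => None,
            None => return None, // junk after the closing bracket
        };
        return Some((host.to_ascii_lowercase(), port));
    }
    match v.rsplit_once(':') {
        // "host:port"; an unbracketed IPv6 literal has more than one ':' and is rejected
        Some((h, p)) if !h.is_empty() && !h.contains(':') => {
            Some((h.to_ascii_lowercase(), Some(p.parse::<u16>().ok()?)))
        }
        Some(_) => None,
        None => Some((v.to_ascii_lowercase(), None)),
    }
}

/// Decide whether a request may be served. A DNS-rebinding request carries the
/// attacker-controlled name in Host, which is not on the allowlist, so it is
/// rejected; a missing or malformed header is rejected too.
pub fn host_allowed(host_header: Option<&str>, allowed_hosts: &[&str], port: u16) -> bool {
    match host_header.and_then(split_host_port) {
        Some((host, hdr_port)) => {
            allowed_hosts.iter().any(|a| a.eq_ignore_ascii_case(&host))
                && hdr_port.map_or(true, |p| p == port)
        }
        None => false,
    }
}
```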
Ah, I suspected something like that, but found it a bit weird and couldn't quite explain why it would work that way when the Host header is so well specified and ubiquitous.

> or simply because the Rocket developers find it to make more sense for all headers to be explicit rather than implicit.

This would seem odd to me in any other context where you make requests, but perhaps it makes sense for tests like these.
Force-pushed from 74218c9 to 554fb0b

@johan-bjareholt According to codecov the tests don't cover the failing request handlers, any idea why? See here: https://app.codecov.io/gh/ActivityWatch/aw-server-rust/compare/250/tree/aw-server/src/endpoints/hostcheck.rs Any chance there's another cause for the BadRequest that you are checking for in the tests? Perhaps check if the returned body of the request actually contains a mention of the failing host-header check?
Some comment nits
Simply adding a panic! in the fairing_error_route makes the unit test fail, so the tests work as they should.

Alright, ready to merge then. Thanks!

@johan-bjareholt Could you take a look at this and finish it? The Python implementation is here: ActivityWatch/aw-server@3e8731f
Fixes GHSA-v9fg-6g9j-h4x4