Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disallow admin triggering of internal endpoints #1030

Merged
merged 2 commits into from Mar 23, 2021
Merged

Disallow admin triggering of internal endpoints #1030

merged 2 commits into from Mar 23, 2021

Conversation

mindhog
Copy link
Member

@mindhog mindhog commented Mar 22, 2021
edited

Stop simply relying on the presence of the X-AppEngine-QueueName as an
indicator that an endpoint has been triggered internally, as this allows
admins to trigger a remote execution vulnerability.

We now supplement this check by ensuring that there is no authenticated user.
Since only an admin user can set these headers, this means that the header
must have been set by an internal request.

Tested:
In addition to the new unit test, verified on Crash that:

  • Internal requests are still getting authenticated via the internal auth
    mechanism.
  • Admin requests with the X-AppEngine-QueueName header are rejected as
    "unauthorized."

This change is Reviewable

@mindhog mindhog requested a review from weiminyu March 22, 2021 19:26
@google-cla google-cla bot added the cla: yes label Mar 22, 2021
weiminyu
weiminyu approved these changes Mar 22, 2021
View reviewed changes
Copy link
Collaborator

@weiminyu weiminyu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 2 of 2 files at r1.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved (waiting on @mindhog)

@mindhog
Disallow admin triggering of internal endpoints
db6049d 
Stop simply relying on the presence of the X-AppEngine-QueueName as an
indicator that an endpoint has been triggered internally, as this allows
admins to trigger a remote execution vulnerability.

We now supplement this check by ensuring that there is no authenticated user.
Since only an admin user can set these headers, this means that the header
must have been set by an internal request.

Tested:
  In addition to the new unit test, verified on Crash that:
  - Internal requests are still getting authenticated via the internal auth
    mechanism.
  - Admin requests with the X-AppEngine-QueueName header are rejected as
    "unauthorized."
@mindhog
Reformatted.
232549e
@mindhog mindhog added the kokoro:force-run Force a Kokoro build. label Mar 23, 2021
@domain-registry-eng domain-registry-eng removed the kokoro:force-run Force a Kokoro build. label Mar 23, 2021
@mindhog mindhog merged commit dc88b48 into google:master Mar 23, 2021
@mindhog mindhog deleted the admin-vuln branch March 23, 2021 12:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@weiminyu weiminyu weiminyu approved these changes

Assignees
No one assigned
Labels
cla: yes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@mindhog @weiminyu @googlebot @domain-registry-eng