New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Option to not trust X-Forwarded-*
headers from clients
#1927
Conversation
3a6d407
to
556c736
Compare
556c736
to
8dcd8df
Compare
There's some more details about common use-cases for this on this commit; 0028cda#commitcomment-10573134 so I expect that changing this could be a breaking change. Do you have more details about the security checks? I'd expect that a security check that depends on headers that can be controlled by the client (in the non-proxy situation a client would also be able to set these) would already be affected by this |
It is common practice to have a "trust proxy" option in the backend server (example). If disabled, the backend server assumes that untrusted clients might connect directly to the server. If enabled, they assume untrusted clients cannot set certain headers; those headers are reserved solely for a trusted reverse proxy. If a client can manipulate those headers then the assumption is violated which an attacker might be able to exploit. |
Gotcha; so I guess in the example mentioned on the commit, there's a chain of proxies, and the first (AWS) proxy would be considered "trusted". Wondering if there should be an option to preserve that use-case (possibly opt-in/opt-out). |
There could be an option, but if so it should default to overwriting the client-supplied values for safety. The only legitimate use case for allowing client-supplied values is if there are multiple layers of trusted reverse proxies, which is rare. I think it would be better to keep the code simple rather than add a potentially dangerous option to support a rare use case. If a user does run multiple layers of reverse proxy then they can replace the template or use the |
8dcd8df
to
692e127
Compare
X-Forwarded-*
headers from clientsX-Forwarded-*
headers from clients
OK. I changed this PR so that the default behavior is unchanged, but added a new option that disables the forwarding of the |
80a6352
to
4b4fb53
Compare
X-Forwarded-*
headers from clientsX-Forwarded-*
headers from clients
Friendly ping @buchdag |
@rhansen I took a glance at the changes, looks good to me, I'll take a closer look and merge by the end of next week at the latest. |
4b4fb53
to
24b2acd
Compare
This is a pretty serious flaw that requires a CVE registration, as it happened in other OpenSource projects: CVE-2020-28483 for go/gin, CVE-2020-35590 for WordPress, CVE-2020-13485 for CraftCMS. Making Also, the application developers usually specify trusted proxy server IP addresses explicitly and frameworks provide properties for this kind of configuration. For example, Symfony – PHP framework, Express – JS framework, Gin – Go framework. I would probably introduce a |
@SilverFire Instead of or in addition to |
I'd say instead.
|
The trouble with this approach is the empty string (and unset) should keep the current behavior for compatibility reasons (at least until the next major release). That means that if someone wants to completely turn it off (don't trust any client headers), they would need to set it to an invalid address like 0.0.0.0/32 or 255.255.255.255/32, which is awkward. Though I guess we could accept a special value like |
@SilverFire What do you think about having |
Damm, this pull-request is about DOWNSTREAM proxies, not UPSTERAM 😕 I'll create a separate issue for upstream proxy trust lists. |
@SilverFire just to check that we're on the same page:
Did I get that right ? |
Absolutely |
24b2acd
to
fd484c8
Compare
Friendly ping @buchdag |
If header values from a malicious client are passed to the backend server unchecked and unchanged, the client may be able to subvert security checks done by the backend server.
fd484c8
to
8aa00fc
Compare
Thanks @rhansen 👍 |
If header values from a malicious client are passed to the backend server unchecked and unchanged, the client may be able to subvert security checks done by the backend server.