Skip to content

Commit

Permalink
Fix wildcard check_origin vulnerability.
Browse files Browse the repository at this point in the history 
Previously, our documentation points to a wilcard example of:

    check_origin: [
      "//*.other.com"
    ]

Which should allow any subdomain of "other.com", but our comparison
for `"//*.other.com"` would allow `api.any-other.com`, which would
allow an attacker to register a domain with a custom prefix of a target
domain and pass origin checks. This patch ensures the `String.ends_with?`
check includes the subdomain dot prefix.

Who is affected?

Only those using a wildcard check origin are affected, and potential
exploits are limited to allowing unauthenticated channel connections
from a bad host. Because LiveView adds its own csrf token to the
connection by default, LiveView applications with wildcard check origin
would refuse connection under this scenario. Additionally, channel
applications utilizing token based authentication would require the
attacker to also have a valid token to connection from a bad host.
Phoenix channels does not allow access to cookies, so an attacker would
also not be able to pass their own cookies from a bad host.
  • Loading branch information
@chrismccord
chrismccord committed Oct 10, 2022
1 parent 6234b57 commit b2fc631
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 1 deletion.
2 changes: 1 addition & 1 deletion lib/phoenix/socket/transport.ex
View file
Expand Up @@ -624,7 +624,7 @@ defmodule Phoenix.Socket.Transport do
defp compare_host?(_request_host, nil),
do: true
defp compare_host?(request_host, "*." <> allowed_host),
do: String.ends_with?(request_host, allowed_host)
do: request_host == allowed_host or String.ends_with?(request_host, "." <> allowed_host)
defp compare_host?(request_host, allowed_host),
do: request_host == allowed_host

Expand Down
15 changes: 15 additions & 0 deletions test/phoenix/socket/transport_test.exs
View file
Expand Up @@ -87,6 +87,12 @@ defmodule Phoenix.Socket.TransportTest do
refute conn.halted
conn = check_origin("https://org1.ex.com", check_origin: origins)
refute conn.halted

conn = check_origin("https://ex.com", check_origin: origins)
refute conn.halted

conn = check_origin("https://org1.prefix-ex.com", check_origin: origins)
assert conn.halted
end

test "nested wildcard subdomains" do
Expand All @@ -95,6 +101,15 @@ defmodule Phoenix.Socket.TransportTest do
conn = check_origin("http://org1.foo.example.com", check_origin: origins)
refute conn.halted

conn = check_origin("http://foo.example.com", check_origin: origins)
refute conn.halted

conn = check_origin("http://bad.example.com", check_origin: origins)
assert conn.halted

conn = check_origin("http://org1.prefix-foo.example.com", check_origin: origins)
assert conn.halted

conn = check_origin("http://org1.bar.example.com", check_origin: origins)
assert conn.halted
assert conn.status == 403
Expand Down

0 comments on commit b2fc631

Please sign in to comment.