
Request#trusted_proxy? is easily fooled #508

Closed
postmodern opened this Issue · 8 comments

4 participants

@postmodern

Request#trusted_proxy? is easily fooled, since it uses ^ and $.

Maybe it's time to use Mutation testing against rack?

@marcoshack

Hello @postmodern. Sorry for the ignorance, but what's the problem with the ^ and $ operators in that regex? Could you provide an example?

@postmodern
trusted_proxy?("1.2.3.4\n127.0.0.1")
# => 8  (the =~ match offset, i.e. where "127.0.0.1" begins after the newline; truthy, so the whole value counts as trusted)

^ and $ will match any line within a String. To match the full String, you'd want \A and \z.
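The anchoring problem described above, as an added example that is not rack's code and not taken from the thread: the same loopback/private-range allow-list written once with ^/$ and once with \A/\z, run over constructed inputs including newline-smuggled ones. The pattern is a simplified stand-in for the method under discussion (an assumption), not rack's actual regex.

```ruby
# Added example, not rack's own code: one allow-list of loopback/private
# addresses, anchored two ways, to show why ^ and $ are the wrong anchors
# for a whole-string check in Ruby. The alternatives are a simplified
# stand-in for the real method (an assumption), not rack's actual pattern.

# Same alternatives in both regexes; only the anchors differ.
PRIVATE_OR_LOOPBACK = '127\.0\.0\.1|(10|172\.(1[6-9]|2\d|3[01])|192\.168)\..*|::1|localhost'

# ^ and $ match at the start and end of ANY line, so a value containing a
# newline is accepted as soon as one of its lines matches.
LINE_ANCHORED = /^(?:#{PRIVATE_OR_LOOPBACK})$/i

# \A and \z anchor to the start and end of the whole string. Note \z, not \Z:
# \Z would still accept a trailing "\n". Without the /m flag "." does not
# match a newline, so the .* in the prefix branches cannot swallow one either.
STRING_ANCHORED = /\A(?:#{PRIVATE_OR_LOOPBACK})\z/i

def trusted_proxy_line_anchored?(ip)
  !!(ip =~ LINE_ANCHORED)
end

def trusted_proxy_string_anchored?(ip)
  !!(ip =~ STRING_ANCHORED)
end

# Constructed probe values: legitimate addresses plus newline-smuggled ones.
PROBES = [
  "127.0.0.1",
  "10.1.2.3",
  "1.2.3.4",
  "1.2.3.4\n127.0.0.1",   # the thread's example: second line is loopback
  "127.0.0.1\n1.2.3.4",   # loopback first, arbitrary second line
  "192.168.0.5\r\nevil",  # CRLF variant
  "127.0.0.1\n",          # trailing newline only (\Z would let this through)
].freeze

# For each probe, what each anchoring style decides.
def compare_anchors(probes = PROBES)
  probes.map do |ip|
    { ip: ip,
      line_anchored: trusted_proxy_line_anchored?(ip),
      string_anchored: trusted_proxy_string_anchored?(ip) }
  end
end

# Probes the two styles disagree on: exactly the inputs that fool ^/$.
def fooling_inputs(probes = PROBES)
  compare_anchors(probes)
    .select { |r| r[:line_anchored] && !r[:string_anchored] }
    .map { |r| r[:ip] }
end

if __FILE__ == $PROGRAM_NAME
  compare_anchors.each do |r|
    printf("%-24p line-anchored=%-5s string-anchored=%s\n",
           r[:ip], r[:line_anchored], r[:string_anchored])
  end
end
```

Every single-line probe gets the same verdict from both regexes; only the values carrying a newline (or CR/LF) differ, which is the set `fooling_inputs` returns. Whether such a value can actually reach the method from a request is the separate question raised further down in the thread.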

@rkh
Owner
rkh commented

Agreed, is this a vector you can use from an HTTP request though?

@postmodern

Could possibly be used to spoof the IP Address in Request#ip.

@rkh
Owner
rkh commented

Yes, I meant, I don't think you can do an HTTP request where that header contains a new line. This is important as it makes all the difference between not 100% correct code and a security issue.

@raggi
Owner

Well if it's a security issue, @postmodern damn well knows better than to post it here right?

@raggi raggi closed this issue from a commit
@raggi raggi Request#trusted_proxy? no longer accepts lines
 * Closes #508
 * Adds some limited coverage. More issues highlighted - incomplete local ips.
5c8a5b7
@raggi raggi closed this in 5c8a5b7
@raggi
Owner

This issue is closed, but this method is sorely incomplete. It's missing a lot of local addresses and so on.

@postmodern

I haven't found an actual use yet. However, it's better to fix potential vulnerabilities before they become exploitable.

@raggi raggi referenced this issue from a commit
@raggi raggi Request#trusted_proxy? no longer accepts lines
 * Closes #508
 * Adds some limited coverage. More issues highlighted - incomplete local ips.
6adb0a5