Skip to content
This repository

Request#trusted_proxy? is easily fooled #508

Closed
postmodern opened this Issue · 8 comments

4 participants

Postmodern Marcos Hack Konstantin Haase James Tucker
Postmodern

Resquest#trusted_proxy? is easily fooled, since it uses ^ and $.

Maybe it's time to use Mutation testing against rack?

Marcos Hack

Hello @postmodern. Sorry by the ignorance, but what's the problem with the ^ and $ operators in that regex? Could you provide an example?

Postmodern
trusted_proxy?("1.2.3.4\n127.0.0.1")
# => 8

^ and $ will match any line within a String. To match the full String, you'd want \A and \z.

Konstantin Haase
Collaborator

Agreed, is this a vector you can use from an HTTP request though?

Postmodern

Could possibly be used to spoof the IP Address in Request#ip.

Konstantin Haase
Collaborator

Yes, I meant, I don't think you can do an HTTP request where that header contains a new line. This is important as it makes all the difference between not 100% correct code and a security issue.

James Tucker
Owner

Well if it's a security issue, @postmodern damn well knows better than to post it here right?

James Tucker raggi closed this issue from a commit
James Tucker raggi Request#trusted_proxy? no longer accepts lines
 * Closes #508
 * Adds some limited coverage. More issues highlighted - incomplete local ips.
5c8a5b7
James Tucker
Owner

This issue is closed, but this method is sorely incomplete. It's missing a lot of local addresses and so on.

Postmodern

I haven't found an actual use yet. However, it's better to fix potential vulnerabilities before they become exploitable.

James Tucker raggi referenced this issue from a commit
James Tucker raggi Request#trusted_proxy? no longer accepts lines
 * Closes #508
 * Adds some limited coverage. More issues highlighted - incomplete local ips.
6adb0a5
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.