[SQS] Use remote ip and remote addr to check IP matching
ssunday committed Nov 5, 2024
1 parent 91a8e86 commit 5f6a4d3
Showing 2 changed files with 245 additions and 142 deletions.
15 changes: 12 additions & 3 deletions lib/aws/rails/middleware/ebs_sqs_active_job_middleware.rb
Expand Up @@ -24,7 +24,7 @@ def call(env)

# Only accept requests from this user agent if it is from localhost or a docker host in case of forgery.
unless request.local? || sent_from_docker_host?(request)
@logger.warn("SQSD request detected from untrusted address #{request.ip}; returning 403 forbidden.")
@logger.warn('SQSD request detected from untrusted address; returning 403 forbidden.')
return FORBIDDEN_RESPONSE
end

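Review bot: dropping `#{request.ip}` from the warning means the 403 log line no longer records which address was rejected, which is the first thing an operator needs when an SQSD request is refused. If the concern is that `request.ip` can reflect a header-derived (`X-Forwarded-For`) value, log `request.remote_addr` instead, since that is the TCP peer address and cannot be set by the client through headers, e.g. `@logger.warn("SQSD request detected from untrusted address #{request.remote_addr}; returning 403 forbidden.")`.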
Expand Down Expand Up @@ -81,7 +81,7 @@ def periodic_task?(request)
end

def sent_from_docker_host?(request)
app_runs_in_docker_container? && default_gw_ips.include?(request.ip)
app_runs_in_docker_container? && ip_originates_from_docker_host?(request)
end

def app_runs_in_docker_container?
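Review bot: the new name `ip_originates_from_docker_host?` hides that the check is now satisfied by either the peer address or a forwarded address, while the old `default_gw_ips.include?(request.ip)` was a single comparison; add a short comment at this call site (or on the helper) stating that `request.remote_addr` is the TCP peer and `request.remote_ip` is derived from `X-Forwarded-For`, so a future reader knows a header-derived value can pass this gate.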
Expand All @@ -96,7 +96,16 @@ def in_docker_container_with_cgroup2?
File.exist?('/proc/self/mountinfo') && File.read('/proc/self/mountinfo') =~ %r{/docker/containers/}
end

def default_gw_ips
def ip_originates_from_docker_host?(request)
default_docker_ips.include?(request.remote_ip) ||
default_docker_ips.include?(request.remote_addr)
end

def default_docker_ips
@default_docker_ips ||= build_default_docker_ips
end

def build_default_docker_ips
default_gw_ips = ['172.17.0.1']

if File.exist?('/proc/net/route')
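Review bot: `ip_originates_from_docker_host?` joins the two checks with `||`, which is looser than the `request.local?` it sits next to: Rails' `local?` requires both `remote_addr` and `remote_ip` to match, whereas here a request whose `remote_addr` is not a default gateway still passes if its `remote_ip` resolves to one. `remote_ip` is computed from `X-Forwarded-For` according to the app's `trusted_proxies` configuration, so with a non-default `trusted_proxies` that does not cover the gateway range a client can reach the helper with a forged header. Unless there is a deployment where the peer address is legitimately not the gateway, use `&&` here, or document why one match is sufficient. Minor: `build_default_docker_ips` still names its local `default_gw_ips` after the method this commit renamed to `default_docker_ips`; rename it for consistency.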

0 comments on commit 5f6a4d3