Disallow image proxy for private IPs, add blacklist support #1804
This mitigates the problem where a user might probe machines that are unavailable to the user directly but accessible to the server hosting Remark42.

Scenarios addressed:

- A malicious user could learn about the presence of specific software or hardware running on an internal address. For example, the presence of an image at `http://192.168.0.1/img/container_bottom_shade_login.png` can expose the type of router you have.
- A malicious user might receive non-timeout `invalid content type` responses from internal addresses, enabling them to scan and identify HTTP servers running in the internal IP range without revealing their content but indicating their presence.

The new functionality is breaking, but I assume no one intends to expose only private network images to the outside world. The old behavior can be restored by setting the `--image-proxy.allow-private-networks` flag.

Additionally, this change adds the `--image-proxy.blacklist` flag to allow blacklisting private parts of the infrastructure from being accessed by the image proxy. You can blacklist IPs (e.g., `8.8.8.8`), CIDR subnets (e.g., `8.8.8.8/31`), and domains (e.g., `private.example.com`). Note that all subdomains of a given domain will also be blacklisted.

`127.0.0.0/8` and `::1/128` ranges are not included as they are most commonly used for local testing, and it would be cumbersome to prohibit them. Localhost is considered less of a security threat than probing other hosts in the network. If desired, localhost can be restricted using the blacklist functionality.
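The policy described above (private networks refused by default, loopback left alone, and a blacklist of IPs, CIDR subnets and domains including their subdomains), worked through as an added Go example. This is not Remark42's own implementation; only the flag names `--image-proxy.allow-private-networks` and `--image-proxy.blacklist` come from the PR, while `Blacklist`, `ParseBlacklist`, `IsPrivateNetwork`, `AllowedTarget` and the injected `resolve` function are hypothetical names chosen here. It goes one step beyond the description in that a hostname is resolved first and every returned address is checked, so a name that maps to an internal address is refused the same way a literal internal IP is; the resolver is passed in so the example runs offline with a constructed lookup table, and the host is assumed to be a bare hostname or IP literal with the port already removed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Blacklist holds the parsed entries of the --image-proxy.blacklist flag:
// individual IPs, CIDR subnets, and domains (matched with all subdomains).
type Blacklist struct {
	ips     []net.IP
	nets    []*net.IPNet
	domains []string
}

// ParseBlacklist sorts entries such as "8.8.8.8", "8.8.8.8/31" or
// "private.example.com" into the matching bucket. Anything that is neither
// a CIDR nor an IP literal is treated as a domain name (hypothetical parser).
func ParseBlacklist(entries []string) *Blacklist {
	bl := &Blacklist{}
	for _, e := range entries {
		e = strings.TrimSpace(e)
		if e == "" {
			continue
		}
		if _, n, err := net.ParseCIDR(e); err == nil {
			bl.nets = append(bl.nets, n)
		} else if ip := net.ParseIP(e); ip != nil {
			bl.ips = append(bl.ips, ip)
		} else {
			bl.domains = append(bl.domains, strings.ToLower(strings.TrimSuffix(e, ".")))
		}
	}
	return bl
}

// DomainBlocked reports whether host equals a listed domain or is a subdomain of one.
func (b *Blacklist) DomainBlocked(host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, d := range b.domains {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// IPBlocked reports whether ip is listed directly or falls inside a listed subnet.
func (b *Blacklist) IPBlocked(ip net.IP) bool {
	for _, x := range b.ips {
		if x.Equal(ip) {
			return true
		}
	}
	for _, n := range b.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// IsPrivateNetwork mirrors the default policy from the description: RFC 1918 /
// ULA, link-local, multicast and unspecified addresses are refused, but loopback
// (127.0.0.0/8, ::1/128) is deliberately allowed unless blacklisted explicitly.
func IsPrivateNetwork(ip net.IP) bool {
	if ip.IsLoopback() {
		return false
	}
	return ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsMulticast() || ip.IsUnspecified()
}

// AllowedTarget decides whether the proxy may fetch from host and explains a
// refusal. resolve stands in for DNS; a real proxy should connect to exactly
// the addresses it checked here rather than resolving the name a second time.
func AllowedTarget(host string, bl *Blacklist, allowPrivate bool,
	resolve func(string) ([]net.IP, error)) (bool, string) {
	if bl.DomainBlocked(host) {
		return false, "host is blacklisted"
	}
	ips := []net.IP{}
	if ip := net.ParseIP(host); ip != nil {
		ips = append(ips, ip)
	} else {
		resolved, err := resolve(host)
		if err != nil || len(resolved) == 0 {
			return false, "host does not resolve"
		}
		ips = resolved
	}
	for _, ip := range ips { // every address must pass, not just the first one
		if bl.IPBlocked(ip) {
			return false, fmt.Sprintf("%s is blacklisted", ip)
		}
		if !allowPrivate && IsPrivateNetwork(ip) {
			return false, fmt.Sprintf("%s is a private address", ip)
		}
	}
	return true, ""
}

func main() {
	bl := ParseBlacklist([]string{"8.8.8.8", "8.8.8.8/31", "private.example.com"})
	// Constructed lookup table standing in for DNS (not real hosts).
	fakeDNS := func(h string) ([]net.IP, error) {
		switch h {
		case "cdn.example.net":
			return []net.IP{net.ParseIP("203.0.113.10")}, nil
		case "mixed.example.net": // public address first, internal one second
			return []net.IP{net.ParseIP("203.0.113.11"), net.ParseIP("10.0.0.5")}, nil
		}
		return nil, fmt.Errorf("no such host")
	}
	for _, h := range []string{"cdn.example.net", "192.168.0.1", "127.0.0.1",
		"8.8.8.9", "img.private.example.com", "mixed.example.net"} {
		ok, why := AllowedTarget(h, bl, false, fakeDNS)
		fmt.Printf("%-25s allowed=%-5v %s\n", h, ok, why)
	}
}
```

With `allowPrivate` set to false, `192.168.0.1`, `8.8.8.9` (inside `8.8.8.8/31`), `img.private.example.com` and `mixed.example.net` are refused, while `127.0.0.1` and `cdn.example.net` pass; passing true for `allowPrivate` reproduces the old behaviour for the private ranges only, the blacklist still applies.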