
Disallow image proxy for private IPs, add blacklist support #1804

Open
wants to merge 1 commit into master

Conversation

paskal (Collaborator) commented Aug 4, 2024

This mitigates the problem where a user might probe machines that are unavailable to the user directly but accessible to the server hosting Remark42.

Scenarios addressed:

  1. A malicious user could learn about the presence of specific software or hardware running on an internal address. For example, the presence of an image at `http://192.168.0.1/img/container_bottom_shade_login.png` can expose the type of router you have.

  2. A malicious user might receive non-timeout `invalid content type` responses from internal addresses, enabling them to scan and identify HTTP servers running in the internal IP range without revealing their content but indicating their presence.

The new functionality is breaking, but I assume no one intends to expose only private network images to the outside world. The old behavior can be restored by setting the `--image-proxy.allow-private-networks` flag.

Additionally, this change adds the `--image-proxy.blacklist` flag to allow blacklisting private parts of the infrastructure from being accessed by the image proxy. You can blacklist IPs (e.g., `8.8.8.8`), CIDR subnets (e.g., `8.8.8.8/31`), and domains (e.g., `private.example.com`). Note that all subdomains of a given domain will also be blacklisted.

`127.0.0.0/8` and `::1/128` ranges are not included as they are most commonly used for local testing, and it would be cumbersome to prohibit them. Localhost is considered less of a security threat than probing other hosts in the network. If desired, localhost can be restricted using the blacklist functionality.

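The private-network and blacklist checks described above, written out as an added Go example that is not Remark42's own code: it assumes the caller has already resolved the URL's host to addresses and passes them in, and `Check`, `privateNets` and the blacklist entries used in its comments are constructed for illustration.

```go
package main

import (
	"net/netip"
	"strings"
)
// Ranges refused unless --image-proxy.allow-private-networks is set. 127.0.0.0/8
// and ::1/128 are left out on purpose, matching the PR description.
var privateNets = []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "fc00::/7", "fe80::/10"}
// inAny reports whether ip equals a listed IP or lies in a listed CIDR subnet.
func inAny(ip netip.Addr, entries []string) bool {
	for _, e := range entries {
		if p, err := netip.ParsePrefix(e); err == nil && p.Contains(ip) {
			return true
		} else if a, err := netip.ParseAddr(e); err == nil && a == ip {
			return true
		}
	}
	return false
}
// domainBlocked reports whether host is a listed domain or a subdomain of one.
func domainBlocked(host string, entries []string) bool {
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	for _, e := range entries {
		d := strings.TrimSuffix(strings.ToLower(e), ".")
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}
// Check returns the refusal reason, or "" if the fetch may proceed. blacklist holds
// the raw --image-proxy.blacklist entries; the caller resolves host beforehand.
func Check(host string, resolved []netip.Addr, allowPrivate bool, blacklist []string) string {
	if domainBlocked(host, blacklist) {
		return "URL is blacklisted"
	}
	for _, ip := range resolved {
		ip = ip.Unmap() // treat IPv4-mapped IPv6 addresses as plain IPv4
		if inAny(ip, blacklist) {
			return "URL is blacklisted"
		}
		if !allowPrivate && inAny(ip, privateNets) {
			return "private network access not allowed"
		}
	}
	return ""
}
```

Because the decision is taken on the resolved addresses rather than on the hostname alone, a name that resolves to a private address is refused even when the name itself is not listed.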

github-actions bot commented Aug 4, 2024

Pull Request Test Coverage Report for Build 10238897249

Details

  • 68 of 68 (100.0%) changed or added relevant lines in 3 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.2%) to 85.013%

Totals:
  • Change from base Build 10172404701: 0.2%
  • Covered Lines: 6047
  • Relevant Lines: 7113

💛 - Coveralls

paskal (Collaborator, Author) commented Aug 4, 2024

Tested manually, works as I would expect it to work. Responses:

{"code":18,"details":"private network access not allowed","error":"private network access not allowed"}
{"code":18,"details":"URL is blacklisted","error":"blacklisted URL"}
