Skip to content

Fixed an issue where redirects to socket path-based servers from any server was always allowed#259

Merged
artemredkin merged 4 commits into
swift-server:masterfrom
dimitribouniol:redirect-validation
Jun 22, 2020
Merged

Fixed an issue where redirects to socket path-based servers from any server was always allowed#259
artemredkin merged 4 commits into
swift-server:masterfrom
dimitribouniol:redirect-validation

Conversation

@dimitribouniol

@dimitribouniol dimitribouniol commented Jun 15, 2020

Copy link
Copy Markdown
Contributor

Motivation:

An arbitrary HTTP(S) server should not be able to trigger redirects, and thus activity, to a local socket-path based server, though the opposite may be a valid scenario. Currently, requests in either direction are allowed since the checks don't actually check the destination scheme.

Modifications:

  • Added a method to HTTPBin to redirect to the specified target.
  • Added failing tests that perform redirects from a regular server to a socket-based server and vice versa.
  • Refactored hostSchemes/unixSchemes to hostRestrictedSchemes/allSupportedSchemes, which better describes what they do.
  • Refactored Request.supports() to Request.supportsRedirects(to:) since it is only used by Redirects now.
  • Check the destination URL's scheme rather than the current URL's scheme when validating a redirect.

Result:

Closes #230

@swift-server-bot

Copy link
Copy Markdown

Can one of the admins verify this patch?

3 similar comments
@swift-server-bot

Copy link
Copy Markdown

Can one of the admins verify this patch?

@swift-server-bot

Copy link
Copy Markdown

Can one of the admins verify this patch?

@swift-server-bot

Copy link
Copy Markdown

Can one of the admins verify this patch?

@weissi weissi requested a review from artemredkin June 16, 2020 10:25
}

func supports(scheme: String) -> Bool {
func supportsRedirects(to scheme: String?) -> Bool {

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why has this become optional?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly to simplify the call site. I can change that to

guard let scheme = url.scheme, self.request.kind.supportsRedirects(to: scheme) {...

if you’d prefer.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nah, this works too, just wanted to be sure I understood it.

@Lukasa Lukasa left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, nice patch!

@dimitribouniol

Copy link
Copy Markdown
Contributor Author

Thanks! Happy to contribute where I can 🙂

@dimitribouniol

Copy link
Copy Markdown
Contributor Author

Rebased to keep up to date with master.

… HTTP server are disallowed.

Motivation:

Currently, redirects to any supported URL scheme will always be allowed, despite code being in place to seemingly prevent it. See swift-server#230.

Modifications:

- Added a method to HTTPBin to redirect to the specified target.
- Added failing tests that perform redirects from a regular server to a socket-based server and vice versa.

Result:

Failing tests that show that the existing redirect checks were inadequate.
…server was always allowed.

Motivation:

An arbitrary HTTP(S) server should not be able to trigger redirects, and thus activity, to a local socket-path based server, though the opposite may be a valid scenario. Currently, requests in either direction are allowed since the checks don't actually check the destination scheme.

Modifications:

- Refactored `hostSchemes`/`unixSchemes` to `hostRestrictedSchemes`/`allSupportedSchemes`, which better describes what they do.
- Refactored `Request.supports()` to `Request.supportsRedirects(to:)` since it is only used by Redirects now.
- Check the destination URL's scheme rather than the current URL's scheme when validating a redirect.

Result:

Closes swift-server#230
@dimitribouniol

Copy link
Copy Markdown
Contributor Author

Rebased to keep up to date with master.

This is failing with:

Test Case 'HTTPClientTests.testRacePoolIdleConnectionsAndGet' started at 2020-06-20 17:20:52.345
Build timed out (after 10 minutes). Marking the build as failed.

... which I don't believe is related to these changes (first time I've run across it)

@artemredkin

Copy link
Copy Markdown
Collaborator

Yep, this is test failure is related to #260

@artemredkin

Copy link
Copy Markdown
Collaborator

@swift-server-bot test this please

@artemredkin

Copy link
Copy Markdown
Collaborator

@swift-server-bot test this please

@artemredkin artemredkin added this to the 1.2.0 milestone Jun 22, 2020
@artemredkin

Copy link
Copy Markdown
Collaborator

Thank you, @dimitribouniol !

@artemredkin artemredkin merged commit 5c7a317 into swift-server:master Jun 22, 2020
@dimitribouniol

Copy link
Copy Markdown
Contributor Author

Thank you! 😁

artemredkin added a commit to artemredkin/async-http-client that referenced this pull request Jun 23, 2020
…server was always allowed (swift-server#259)

* Added tests that ensure redirects to unix socket paths from a regular HTTP server are disallowed.

Motivation:

Currently, redirects to any supported URL scheme will always be allowed, despite code being in place to seemingly prevent it. See swift-server#230.

Modifications:

- Added a method to HTTPBin to redirect to the specified target.
- Added failing tests that perform redirects from a regular server to a socket-based server and vice versa.

Result:

Failing tests that show that the existing redirect checks were inadequate.

* Fixed an issue where redirects to socket path-based servers from any server was always allowed.

Motivation:

An arbitrary HTTP(S) server should not be able to trigger redirects, and thus activity, to a local socket-path based server, though the opposite may be a valid scenario. Currently, requests in either direction are allowed since the checks don't actually check the destination scheme.

Modifications:

- Refactored `hostSchemes`/`unixSchemes` to `hostRestrictedSchemes`/`allSupportedSchemes`, which better describes what they do.
- Refactored `Request.supports()` to `Request.supportsRedirects(to:)` since it is only used by Redirects now.
- Check the destination URL's scheme rather than the current URL's scheme when validating a redirect.

Result:

Closes swift-server#230

Co-authored-by: Artem Redkin <artem@redkin.me>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

It's likely redirects for sockets and regular hosts never behaved as expected

4 participants