Security fix for proxying individual X-Forwarded-* headers. #135
Conversation
It's been a while since I source-dived into Symfony classes, I'm confused on how this change actually restricts only the (Additionally, don't we WANT it to check the Let me know if it sounds like I'm missing something here! One other bit of info: Symfony classes used to allow you to define other headers (which is why the code in this package reflects that). However I believe it now only has options for I appreciate you bringing this to my attention!
Hello @fideloper, the problem stems from the fact that this package isn't behaving how one would expect. In Laravel's You can see that the second argument (
This means that the application can decide to only trust a given set of headers that have been defined, rather than them all. If you know, for example, that you only want to trust the protected $headers = Request::HEADER_X_FORWARDED_FOR; However, as can be seen in the current Some proxies and/or load balancers only provide certain For example, let's take Cloudflare (the largest reverse proxy provider) allows a connecting user to supply Hence, to conclude, this pull request fixes this improper handling of the You can also refer to Symfony's current documentation about
It's almost certainly one of the reasons behind why, beginning with Laravel 7.12, there's also the This pull request ultimately lets the developer decide what they want to trust, rather than making that assumption for them and without informing them.
Great, thanks! I appreciate your explanation, and the time taken to make it (and of course the addition of tests).
Phew, I'm not crazy! Thanks again, I'll merge this in asap (likely a bit later tonight)
On Mon, Jun 22, 2020 at 16:11 Brad ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In tests/TrustedProxyTest.php <#135 (comment)>:
> + /**
+ * Test a combination of individual X-Forwarded-* headers are trusted.
+ */
+ public function test_x_forwarded_multiple_individual_headers_trusted()
+ {
+ $trustedProxy = $this->createTrustedProxy(
+ Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST |
+ Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO,
+ '*'
+ );
+
+ $request = $this->createProxiedRequest();
+
+ $trustedProxy->handle($request, function ($request) {
+ $this->assertEquals('173.174.200.38', $request->getClientIp(),
+ 'Assert trusted proxy did not use forwarded header for IP');
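Review bot: the assertion message on the last line of this hunk, 'Assert trusted proxy did not use forwarded header for IP', contradicts the test it sits in: test_x_forwarded_multiple_individual_headers_trusted enables Request::HEADER_X_FORWARDED_FOR, so getClientIp() is expected to come from the forwarded header, and the message should say the forwarded header was used (or, if 173.174.200.38 is the REMOTE_ADDR of createProxiedRequest() rather than its X-Forwarded-For value, the expected value is the one that is wrong). The hunk also stops mid-function, so the host, port and proto assertions implied by the other three trusted bits are not visible here and should be checked in the full file.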
You're absolutely right, my apologies! Fixed. 👍
There's a security issue wherein proxying a single (or set of) header/s (eg. X-Forwarded-For) will result in proxying all of the X-Forwarded-* headers. This is incredibly bad practice and opens room for various malicious attacks.

For example, if someone were to trust all proxies (which, whilst commonly bad practice, does in fact commonly occur in an environment where you may be using a load balancer. For example, restricting origin access to a load balancer and the load balancer to a reverse proxy provider) then Laravel will begin generating URLs with the user-supplied X-Forwarded-Host header.

When you combine this with an email, you're able to trick the system into sending an email using a URL that does not belong to the service. This attack is amplified as Laravel's default password reset system generates URLs that adhere to the host supplied in X-Forwarded-Host which ultimately can result in a password reset token leak.

Further, in general, if people are customising which headers are proxied, they expect it to only proxy those headers and not everything.

I've added tests for all of the individual scenarios as well as a scenario where the headers are combined individually.
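The difference the description is about, shown directly against Symfony's Request API as an added example (this is not code from fideloper/TrustedProxy or from the pull request; it assumes symfony/http-foundation is installed via Composer, and the addresses and host names are constructed):

```php
<?php
// Added example, not part of fideloper/TrustedProxy. Demonstrates why trusting
// X-Forwarded-For alone must not silently trust X-Forwarded-Host as well.
// Assumes symfony/http-foundation is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;

// Constructed sample: the load balancer at 10.0.0.5 is the only trusted hop,
// the real client is 203.0.113.7, and that client also sent a hostile
// X-Forwarded-Host value which the load balancer passed through untouched.
function buildProxiedRequest(): Request
{
    return Request::create('https://app.example.test/password/reset', 'GET', [], [], [], [
        'REMOTE_ADDR'           => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR'  => '203.0.113.7',
        'HTTP_X_FORWARDED_HOST' => 'attacker.example',
    ]);
}

// Returns [client IP, host] as Laravel's URL generator would see them for a
// given trusted-header bitmask. setTrustedProxies() is static global state,
// so each call overrides the previous configuration.
function resolveClientView(int $trustedHeaderSet): array
{
    Request::setTrustedProxies(['10.0.0.5'], $trustedHeaderSet);
    $request = buildProxiedRequest();

    return [$request->getClientIp(), $request->getHost()];
}

// Only X-Forwarded-For trusted (the intent of a developer who configured
// just that header): the client IP is read from the header, but getHost()
// still returns app.example.test, so a password reset link stays on the
// legitimate host.
[$ip, $host] = resolveClientView(Request::HEADER_X_FORWARDED_FOR);
printf("FOR only: ip=%s host=%s\n", $ip, $host);

// FOR and HOST both trusted (part of what the pre-fix package effectively
// did whenever any single header was configured): getHost() now returns the
// client-supplied value, and any absolute URL built from it, including the
// reset link in the password reset email, points at attacker.example.
[$ip, $host] = resolveClientView(
    Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST
);
printf("FOR|HOST: ip=%s host=%s\n", $ip, $host);
```

Run with `php example.php`; the second line is the behaviour the pull request removes for anyone who only asked for X-Forwarded-For.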