gateway: harden path prefix #1988
Conversation
| log.Debugf("X-Ipfs-Gateway-Prefix: %s", prefixHdr[0]) | ||
| prefix = prefixHdr[0] | ||
| prfx := prefixHdr[0] | ||
| if strings.HasPrefix(prfx, "/") { |
There was a problem hiding this comment.
Clean("http://foobar.com/") = "http:/foobar.com" :(
I think starts-with-slash should be good enough, and is also simpler to specify (as in api spec) than the specifics of a golang stdlib function.
There was a problem hiding this comment.
what about paths like:
//foo.com/bar/baz
valid http path that might point elsewhere
There was a problem hiding this comment.
doing this in a header is particularly dangerous because this could come from a client, so malicious request could cause links to be served back to a user that point to some evil place. maybe this should be a config? not sure what the right + secure way to do this is.
There was a problem hiding this comment.
//foo.com/bar/baz
shit I didn't think about that :/
maybe this should be a config
A whitelist of allowed prefixes would work. Setting only one fixed prefix defeats the purpose, since the basic idea behind all this is to have the daemon exposed at multiple arbitrary URIs: ipfs.io/, ipfs.io/refs, etc.
|
@lgierth update here? |
|
No update but let's keep it open so that I don't forget. It's important (see labels) but I keep postponing it... |
|
@lgierth if you come to seattle i'm not going to let you leave until you merge this one :P |
ghost
force-pushed
the
ipfs-prefix-hardening
branch
from
dd7cddc
to
714b391
Compare
|
Updated to use a configurable allowlist of path prefixes: gateway: enforce allowlist for path prefixes The gateway accepts an X-Ipfs-Path-Prefix header, We don't want a potential attacker to be able to Previously, we'd accept any X-Ipfs-Path-Prefix header. Example: We mount blog.ipfs.io (a dnslink page) at ipfs.io/blog. nginx_ipfs.conf: .ipfs/config: dnslink: |
|
Okay it does work as expected, I tested it the wrong manual way the other day.
|
The gateway accepts an X-Ipfs-Path-Prefix header,
and assumes that it is mounted in a reverse proxy
like nginx, at this path. Links in directory listings,
as well as trailing-slash redirects need to be rewritten
with that prefix in mind.
We don't want a potential attacker to be able to
pass in arbitrary path prefixes, which would end up
in redirects and directory listings, which is why
every prefix has to be explicitly allowed in the config.
Previously, we'd accept *any* X-Ipfs-Path-Prefix header.
Example:
We mount blog.ipfs.io (a dnslink page) at ipfs.io/blog.
nginx_ipfs.conf:
location /blog/ {
rewrite "^/blog(/.*)$" $1 break;
proxy_set_header Host blog.ipfs.io;
proxy_set_header X-Ipfs-Gateway-Prefix /blog;
proxy_pass http://127.0.0.1:8080;
}
.ipfs/config:
"Gateway": {
"PathPrefixes": ["/blog"],
// ...
},
dnslink:
> dig TXT _dnslink.blog.ipfs.io
dnslink=/ipfs/QmWcBjXPAEdhXDATV4ghUpkAonNBbiyFx1VmmHcQe9HEGd
License: MIT
Signed-off-by: Lars Gierth <larsg@systemli.org>
ghost
force-pushed
the
ipfs-prefix-hardening
branch
from
714b391
to
09937f8
Compare
Fixed the tests -- filed #2528 about the CircleCI failure |
|
Yay circleci is green |
|
Looks good to me, nice to finally merge this :) |
ghost
mentioned this pull request
gateway: harden path prefix This commit was moved from ipfs/kubo@c6e6bb0
See #1971 (comment) ff.
Only allow paths, so we stay local to this gateway,
and don't get tricked into linking to a different host,
or even redirecting to one.
I can't come up with a concrete attack right off the bat,
but who knows how things are going to change.
Not restricting it would be silly.
Edit: