Closed dcopestake closed 1 year ago
Thanks for your contribution. We have added your request to our solution backlog items and it will be evaluated in future solution releases.
We just released [v3.2.0] of the solution, and this issue has been fixed.
X-Forwarded-For for this purpose is insecure (as mentioned in pull request https://github.com/aws-solutions/aws-waf-security-automations/pull/123 itself)
So this issue has not been fixed.
We fixed the root issue that caused the wrong source ip to be captured when X-Forwarded-For is in the client request. X-Forwarded-For is sent by client request not the solution. Sorry for the confusion, but we didn't choose to inject True-Client-Ip into client request since our goal is not to change client request but to identify and block IP offenders despite X-Forwarded-For.
Yes, I’m not here in support of this pull request, but about the fact that there was a vulnerability that was fixed here: https://github.com/aws-solutions/aws-waf-security-automations/pull/123 , and then rolled back.
So in the end, all issues are closed and the vulnerability still exists.
Issue #, if available: #136

This resolves the issue reported in #136 - which was introduced in pull request #123 - by changing instead to relying on a different header, `True-Client-Ip`, and a CloudFront function to inject the value based on the client IP. Obviously the disadvantage here is that it means there is a further step to getting everything working, because when creating the CloudFront distribution cache behaviour you need to specify a function association using the ARN from the new output `InjectTrueClientIPArn` to actually get the header injected, but given that the bad bot protection just doesn't work at all at the moment, and the use of `X-Forwarded-For` for this purpose is insecure (as mentioned in pull request #123 itself), I think it's a good compromise that doesn't introduce a vulnerability.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
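The mechanism the PR description relies on, shown as an added example that is not code from this pull request or from the aws-waf-security-automations project: a CloudFront Function (viewer-request event) that overwrites `True-Client-Ip` with the IP CloudFront actually accepted the connection from, next to a hypothetical origin-side resolver that prefers that header over `X-Forwarded-For`. The `event.viewer.ip` field and the `{ value: '...' }` header shape are the real CloudFront Functions event structure; `resolveSourceIp`, `simulate`, the `injectedAtEdge` option and the sample addresses are constructed for the example. The point it demonstrates is the one the PR makes: the left-most `X-Forwarded-For` entry is whatever the client sent, while a header the edge function always overwrites cannot be spoofed by the client.

```javascript
// Added example, not part of the PR or the aws-waf-security-automations
// project. (1) is a CloudFront Function; (2) and (3) are hypothetical helpers
// that run in plain Node.js to show the effect end to end.

// (1) CloudFront Function, viewer-request event type. The connecting client's
// IP is exposed at event.viewer.ip; request headers are keyed by lowercase
// name and each value is an object { value: '...' }.
function handler(event) {
  var request = event.request;
  // Always overwrite: a True-Client-Ip header supplied by the client must not
  // survive, otherwise it would be just as spoofable as X-Forwarded-For.
  request.headers['true-client-ip'] = { value: event.viewer.ip };
  return request;
}

// (2) Hypothetical origin/log-parser side: pick the source IP from a flat map
// of lowercase header name -> string value. opts.injectedAtEdge asserts that
// the edge function above is associated with the distribution, which is the
// only reason True-Client-Ip is trustworthy here.
function resolveSourceIp(headers, opts) {
  opts = opts || {};
  if (opts.injectedAtEdge && headers['true-client-ip']) {
    return headers['true-client-ip'];
  }
  // Fallback reproduces the insecure behaviour the PR warns about: the
  // left-most X-Forwarded-For entry is client-controlled.
  if (headers['x-forwarded-for']) {
    return headers['x-forwarded-for'].split(',')[0].trim();
  }
  return null;
}

// (3) Constructed simulation of what the origin sees after the function ran:
// build the CloudFront event from raw client headers, run handler(), flatten.
function simulate(viewerIp, clientHeaders) {
  var event = { viewer: { ip: viewerIp }, request: { headers: {} } };
  Object.keys(clientHeaders).forEach(function (name) {
    event.request.headers[name.toLowerCase()] = { value: clientHeaders[name] };
  });
  var out = handler(event);
  var flat = {};
  Object.keys(out.headers).forEach(function (name) {
    flat[name] = out.headers[name].value;
  });
  return flat;
}

// Constructed sample: a client connecting from 203.0.113.7 that claims to be
// 198.51.100.9 through both headers.
var spoofedClientHeaders = {
  'X-Forwarded-For': '198.51.100.9',
  'True-Client-Ip': '198.51.100.9'
};
var seenAtOrigin = simulate('203.0.113.7', spoofedClientHeaders);

// resolveSourceIp(seenAtOrigin, { injectedAtEdge: true }) -> '203.0.113.7'
// resolveSourceIp(seenAtOrigin, {})                       -> '198.51.100.9'
```

The `injectedAtEdge` flag stands in for the deployment step the PR describes: unless the distribution's cache behaviour is associated with the function (the `InjectTrueClientIPArn` output), the origin has no basis for trusting `True-Client-Ip`, and the resolver must not fall back to `X-Forwarded-For` for blocking decisions.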