ncr / rack-proxy

A request/response rewriting HTTP proxy. A Rack app.
MIT License

Set `false` to inherit of const_get #98

Closed ooooooo-q closed 2 years ago

ooooooo-q commented 3 years ago

I set inherit to pass to const_get to false and restricted lookup just in case. If there are no restrictions, you can specify a top-level class, so the client can craft the request to specify the Tempfile or Logger class.

```
# client
curl -X TEMPFILE http://127.0.0.1:9292/

# server log
2021-05-07 15:36:26 +0900 Rack app ("TEMPFILE /" - (127.0.0.1)): #<NoMethodError: undefined method `initialize_http_header' for #<Tempfile:0x00007fc1c597c8e8>>
```

Under Ruby 2.5, command injection is possible with `Logger.new("|date")`. If you specify `|` at the beginning of the request path, an error will occur, so it does not seem to be RCE.

```
$ telnet 127.0.0.1 9292
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
LOGGER |date HTTP/1.1
HTTP/1.1 400 Bad Request

Connection closed by foreign host.
```

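
The effect of the `inherit` argument described in this pull request, as an added example that is not part of the PR or of rack-proxy's own code. The helper names are hypothetical, the capitalize-then-`const_get` lookup under `Net::HTTP` is assumed from the `TEMPFILE` and `LOGGER` requests shown above, and the `Net::HTTPRequest` subclass check goes one step beyond the change in the PR.

```ruby
require "net/http"
require "tempfile"
require "logger"

# Hypothetical helpers; the lookup shape (HTTP method name, capitalized,
# resolved as a constant under Net::HTTP) is an assumption based on the PR text.

# Before: inherit defaults to true, so the lookup also walks Net::HTTP's
# ancestors, including Object, where every top-level class lives.
def lookup_inherited(http_method)
  Net::HTTP.const_get(http_method.capitalize)
end

# After: inherit=false only considers constants defined directly on Net::HTTP.
# Unknown or malformed names raise NameError, which is mapped to nil here.
def lookup_restricted(http_method)
  Net::HTTP.const_get(http_method.capitalize, false)
rescue NameError
  nil
end

# Stricter variant (an addition beyond the PR): accept the constant only if
# it is a request class, so non-request constants on Net::HTTP are rejected too.
def request_class_for(http_method)
  klass = lookup_restricted(http_method)
  klass if klass.is_a?(Class) && klass < Net::HTTPRequest
end

if __FILE__ == $0
  # Constructed sample method names, mirroring the requests in the PR.
  %w[GET POST TEMPFILE LOGGER].each do |m|
    inherited = lookup_inherited(m)
    restricted = lookup_restricted(m)
    puts format("%-9s inherit=true -> %-16s inherit=false -> %s",
                m, inherited.inspect, restricted.inspect)
  end
end
```
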
ncr commented 2 years ago

Hello @ooooooo-q, thank you for the contribution. Merging it now.