tomphttp / bare-server-node

TompHTTP Bare server in the Node runtime
GNU General Public License v3.0

Security leak with LAN addresses #13

Closed ruochenjia closed 1 year ago

ruochenjia commented 1 year ago

Users can access localhost and LAN addresses like 127.0.0.1 and 10.0.0.0/8. This allows them to access server internals without any restrictions.

CountBleck commented 1 year ago

Use an iptables rule lol. That's probably a better and more efficient solution than making the Bare server perform those checks.

ruochenjia commented 1 year ago

iptables blocking loopback 127.0.0.1 is not a good idea, it can cause issues with systemd-resolved and other local services.

CountBleck commented 1 year ago

I think you can filter by user. You could probably run the Bare server as a systemd service using the nobody user along with the CAP_NET_BIND_SERVICE capability?

e9x commented 1 year ago

Users can access localhost and LAN addresses like 127.0.0.1 and 10.0.0.0/8. This allows them to access server internals without any restrictions.

Perhaps we can detect the IP CIDR and block requests accordingly. This should be the default behavior for this implementation.

e9x commented 1 year ago

This is possible to implement without any weird dns.lookup hooks. node:net lookupAndConnect:

  const lookup = options.lookup || dns.lookup;
  defaultTriggerAsyncIdScope(self[async_id_symbol], function() {
    lookup(host, dnsopts, function emitLookup(err, ip, addressType) {
      self.emit('lookup', err, ip, addressType, host);

node:http/node:https passes the lookup option and accepts it as an option.

e9x commented 1 year ago

Fixed in v1.2.3.