github-actions[bot]
commented
2 months ago Pull Request Test Coverage Report for Build 10238897249
Details
- 68 of 68 (100.0%) changed or added relevant lines in 3 files are covered.
- No unchanged relevant lines lost coverage.
- Overall coverage increased (+0.2%) to 85.013%
| Totals | |
|---|---|
| Change from base Build 10172404701: | 0.2% |
| Covered Lines: | 6047 |
| Relevant Lines: | 7113 |
paskal
This mitigates the problem where a user might probe machines that are unavailable to the user directly but accessible to the server hosting Remark42.
Scenarios addressed:
A malicious user could learn about the presence of specific software or hardware running on an internal address. For example, the presence of an image at
http://192.168.0.1/img/container_bottom_shade_login.pngcan expose the type of router you have.A malicious user might receive non-timeout
invalid content typeresponses from internal addresses, enabling them to scan and identify HTTP servers running in the internal IP range without revealing their content but indicating their presence.The new functionality is breaking, but I assume no one intends to expose only private network images to the outside world. The old behavior can be restored by setting the
--image-proxy.allow-private-networksflag.Additionally, this change adds the
--image-proxy.blacklistflag to allow blacklisting private parts of the infrastructure from being accessed by the image proxy. You can blacklist IPs (e.g.,8.8.8.8), CIDR subnets (e.g.,8.8.8.8/31), and domains (e.g.,private.example .com). Note that all subdomains of a given domain will also be blacklisted.127.0.0.0/8and::1/128ranges are not included as they are most commonly used for local testing, and it would be cumbersome to prohibit them. Localhost is considered less of a security threat than probing other hosts in the network. If desired, localhost can be restricted using the blacklist functionality.