fix: enforce https in webhook urls#1362
Conversation
Signed-off-by: AngeloDanducci <angelo.danducci.ii@ibm.com>
| _SSRF_BLOCKS = ( | ||
| ipaddress.ip_network("169.254.0.0/16"), # link-local / AWS IMDS | ||
| ipaddress.ip_network("127.0.0.0/8"), # loopback | ||
| ipaddress.ip_network("10.0.0.0/8"), # RFC-1918 | ||
| ipaddress.ip_network("172.16.0.0/12"), # RFC-1918 | ||
| ipaddress.ip_network("192.168.0.0/16"), # RFC-1918 | ||
| ipaddress.ip_network("::1/128"), # IPv6 loopback | ||
| ipaddress.ip_network("fe80::/10"), # IPv6 link-local | ||
| ) |
There was a problem hiding this comment.
we could also use something like this:
import ipaddress
addr = ipaddress.ip_address(hostname)
if addr.is_loopback or addr.is_link_local or addr.is_private or addr.is_unspecified or addr.is_reserved:
# blockexplicit list is nice in that it's easier to audit, but then we have to keep it up to date (for example, should we include 0.0.0.0 and/or ::). don't have a strong opinion on which way is better (that's why just a comment rather than an explicit suggestion), wdyt?
There was a problem hiding this comment.
Valid question and definitely easier to maintain - though I think is_private is a superset of the others.
I think this would be fine but this also brings up one other question which is do we think this is sufficient or do we also need to guard against dns rebinding @psschwei ?
psschwei
left a comment
There was a problem hiding this comment.
Fixing the docstrings is good and we should keep that.
Enforcing https for forwarding logs is probably fine to keep too.
But I don't think we need the denylist. The threat it's protecting against requires the attacker to already have control of the environment, which would mean we have much bigger problems. So I would drop that part completely.
Signed-off-by: AngeloDanducci <angelo.danducci.ii@ibm.com>
|
Actually now that I think about it, i'm a little torn. If we require https, and someone wants to test things out locally, then they have to hit an HTTPS endpoint on their machine. I don't know if that's the right behavior or not (might be good for someone who uses this functionality more to weigh in too) |
|
I agree. The security risk seems minor.
|
Signed-off-by: AngeloDanducci <angelo.danducci.ii@ibm.com>
|
Edited PR title, added flag to allow http when desired. |
psschwei
left a comment
There was a problem hiding this comment.
one nit and one question:
do the changes we introduce here need an update in docs/docs/observability/logging.md ?
otherwise LGTM
Co-authored-by: Paul Schweigert <paul@paulschweigert.com> Signed-off-by: Angelo Danducci <angelo.danducci.ii@ibm.com>
Signed-off-by: AngeloDanducci <angelo.danducci.ii@ibm.com>
Pull Request
Issue
Fixes # - Partial for #1246
Description
Security hardening to enforce https and block ssrf targets
Also updated the formatting in utils.py to match our contributing guidelines - I assume I will continue to find some RST for the foreseeable future.
Testing
Attribution
Adding a new component, requirement, sampling strategy, or tool?
If your PR adds or modifies one of the types below, check the matching box. A checklist of type-specific review items will be posted as a comment.
NOTE: Please ensure you have an issue that has been acknowledged by a core contributor and routed you to open a pull request against this repository. Otherwise, please open an issue before continuing with this pull request.