umputun / remark42 / 10238897249
85%
master: 84%

LAST BUILD BRANCH: dependabot/go_modules/backend/_example/memory_store/golang.org/x/image-0.38.0
DEFAULT BRANCH: master
Ran 04 Aug 2024 08:03PM UTC
Jobs 1
Files 50
Run time 1min
04 Aug 2024 08:01PM UTC coverage: 85.013% (+0.2%) from 84.851%
10238897249

Pull #1804

github

paskal
Disallow image proxy for private IPs, add blacklist support

This mitigates the problem where a user might probe machines that are
unavailable to the user directly but accessible to the server
hosting Remark42.

Scenarios addressed:

1. A malicious user could learn about the presence of specific software
or hardware running on an internal address. For example, the presence of
an image at `http://192.168.0.1/img/container_bottom_shade_login.png`
can expose the type of router you have.

2. A malicious user might receive non-timeout `invalid content type`
responses from internal addresses, enabling them to scan and identify
HTTP servers running in the internal IP range without revealing their
content but indicating their presence.

The new functionality is breaking, but I assume no one intends to expose
only private network images to the outside world. The old behavior can
be restored by setting the `--image-proxy.allow-private-networks` flag.

Additionally, this change adds the `--image-proxy.blacklist` flag to
allow blacklisting private parts of the infrastructure from being
accessed by the image proxy. You can blacklist IPs (e.g., `8.8.8.8`),
CIDR subnets (e.g., `8.8.8.8/31`), and domains (e.g.,
`private.example.com`). Note that all subdomains of a given domain will
also be blacklisted.

`127.0.0.0/8` and `::1/128` ranges are not included as they are most
commonly used for local testing, and it would be cumbersome to prohibit
them. Localhost is considered less of a security threat than probing
other hosts in the network. If desired, localhost can be restricted
using the blacklist functionality.
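The checks the description above lays out, written here as an added Go example (not remark42's own code): a blocklist that accepts single IPs, CIDR subnets and domains including their subdomains, plus a private-address test that deliberately leaves loopback alone, as the PR states. All names are assumptions, as is the choice that the caller passes in the addresses the host resolved to.

```go
package main

import (
	"net"
	"strings"
)

// Blocklist holds entries parsed from a hypothetical --image-proxy.blacklist
// value: single IPs, CIDR subnets, and domains (which also cover subdomains).
type Blocklist struct {
	ips     []net.IP
	nets    []*net.IPNet
	domains []string
}

// NewBlocklist parses entries such as "8.8.8.8", "8.8.8.8/31", "private.example.com".
func NewBlocklist(entries []string) *Blocklist {
	b := &Blocklist{}
	for _, e := range entries {
		e = strings.TrimSpace(strings.ToLower(e))
		if e == "" {
			continue
		}
		if _, n, err := net.ParseCIDR(e); err == nil {
			b.nets = append(b.nets, n)
		} else if ip := net.ParseIP(e); ip != nil {
			b.ips = append(b.ips, ip)
		} else {
			b.domains = append(b.domains, strings.TrimSuffix(e, "."))
		}
	}
	return b
}

// IsPrivateIP reports whether ip lies in a private, link-local or unspecified
// range. Loopback (127.0.0.0/8, ::1/128) is intentionally not included, matching
// the PR's exception for local testing; block it via the blocklist if wanted.
func IsPrivateIP(ip net.IP) bool {
	return ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsUnspecified()
}

// Blocked reports whether the proxy must refuse host. resolved holds the
// addresses the proxy would actually connect to; checking those (not only the
// literal host string) is what stops a public name pointing at an internal IP.
func (b *Blocklist) Blocked(host string, resolved []net.IP, allowPrivate bool) bool {
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	for _, d := range b.domains {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	for _, ip := range resolved {
		if !allowPrivate && IsPrivateIP(ip) {
			return true
		}
		for _, bip := range b.ips {
			if bip.Equal(ip) {
				return true
			}
		}
		for _, n := range b.nets {
			if n.Contains(ip) {
				return true
			}
		}
	}
	return false
}
```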

68 of 68 new or added lines in 3 files covered. (100.0%)

6047 of 7113 relevant lines covered (85.01%)

32.7 hits per line

Jobs
ID | Job ID | Ran | Files | Coverage
1 | 10238897249.1 | 04 Aug 2024 08:03PM UTC | 0 | 85.01
GitHub Action Run
Source Files on build 10238897249
Detailed source file information is not available for this build.