Check 'Host' header for local connections #3714
Conversation
notebook/notebookapp.py
@@ -831,6 +833,29 @@ def _token_changed(self, change): | |||
""" | |||
) | |||
|
|||
allow_remote_access = Bool(False, config=True, |
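Review bot: `allow_remote_access = Bool(False, config=True,` hard-codes the default to off, which will reject every non-loopback `Host` on a server that is deliberately bound to a public interface (the hosted and containerised case); consider deriving the default from the configured bind address (on when `NotebookApp.ip` is anything other than localhost or a loopback literal) and stating in the trait's help text that the check is a DNS-rebinding defence and which setting turns it off.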
allow_remote_access should be set to True when binding to anything other than localhost, otherwise we're over-complicating hosted notebook servers (e.g. this would break mybinder.org).
I think option 2 is probably the right one. A simple check for
Not strictly (e.g. in docker, it always looks like a public server), but I think it's probably the right thing to do to disable this check if the bind IP is anything other than a very simple
OK, I've added a dynamic default, using
notebook/base/handlers.py
allow = addr.is_loopback | ||
|
||
if not allow: | ||
self.log.warning("Blocking request with non-local 'Host' %s (%s)", |
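Review bot: the message at `self.log.warning("Blocking request with non-local 'Host' %s (%s)",` should name `NotebookApp.allow_remote_access` so an operator who reaches the server through a proxy on localhost knows which setting to change; also `allow = addr.is_loopback` only classifies an IP literal, so the `localhost` hostname and a bracketed IPv6 literal with a port must be normalised before this point rather than falling through to the block.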
Maybe add a reference to NotebookApp.allow_remote_access
so people who see this message can take the appropriate action if they want to change it (e.g. localhost is proxied through another service)?
I realized this will require changes to the default jupyterhub configuration (I disable this behavior entirely in jupyterhub/jupyterhub#2015), which uses localhost by default for single-user servers, and it got me thinking that maybe the I believe this is available in tornado as
As I understand it, checking the client IP doesn't give you any protection against DNS rebinding, because the connection is being made from localhost in that case. I believe the only way to check that is to look at the domain name that the browser thinks it's talking to. Do we need any coordination to avoid problems for Jupyterhub? E.g. we could have this feature present but off by default for a while to give people a chance to get on a newer Jupyterhub before the check is used.
Good point! I forgot that was the point of this whole thing.
It's not a disaster. I think we'll get 0.9.1 out this week, which will have this disabled. Worst case is users on earlier Hub versions with latest notebook can set this flag in their Spawner config.
OK, great. I think I'm happy with this, except that I don't know if it's reasonable to call
The getaddrinfo works for me with
cc @minrk @rgbkrk
I was reading another article about DNS rebinding, and it reminded me that I meant to add another layer of security to protect against such attacks. The default options in this PR will reject any request where the `Host` header isn't `localhost` or a loopback IP address.

To be clear, I believe that our on-by-default token authentication already protects against DNS rebinding attacks. I want to add an extra layer of protection in case there are flaws in our existing security, or in case people disable token authentication without understanding the implications.

This is probably too stringent to drop on people directly - it would break all servers where remote access is meant to be possible, and require people to update their settings. Possible ways to soften it:

- `NotebookApp.ip` is configured to anything other than `localhost`. Could make it easy to switch off security accidentally, e.g. if you configure `localhost6` to experiment with IPv6.
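The check the PR description outlines (reject any request whose `Host` is not `localhost` or a loopback literal, with an `allow_remote_access` escape hatch whose default follows the bind address, as the review comments discuss), and the reason it matters for DNS rebinding (the TCP peer is genuinely 127.0.0.1, so only the `Host` header still names the attacker's domain), written out as an added example. This is not the notebook project's code: the functions `host_from_header`, `is_local_host`, `default_allow_remote_access` and `check_request`, the treatment of an empty bind address as "all interfaces", and the sample headers are constructed for illustration.

```python
import ipaddress


def host_from_header(host_header):
    """Extract the host part of an HTTP Host header, dropping any port.

    Accepts "name", "name:port", "v4:port" and "[v6]:port". Returns None for
    anything malformed (empty, unbracketed IPv6, junk after ']') so that the
    caller fails closed instead of guessing.
    """
    h = host_header.strip()
    if not h:
        return None
    if h.startswith("["):
        end = h.find("]")
        if end < 0:
            return None
        host, rest = h[1:end], h[end + 1:]
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            return None
    else:
        host, sep, port = h.partition(":")
        if sep and not port.isdigit():
            return None
    return host.lower() or None


def is_local_host(host):
    """True only for the literal name 'localhost' or a loopback IP literal.

    A DNS name other than 'localhost' is never trusted: under a rebinding
    attack it resolves to 127.0.0.1 right now, which is exactly the case
    this check exists to catch.
    """
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    # Treat an IPv4-mapped IPv6 literal (::ffff:127.0.0.1) by its v4 half so
    # the answer does not depend on the Python version's is_loopback rules.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return addr.is_loopback


def default_allow_remote_access(bind_ip):
    """The 'dynamic default' suggested in the review: enforce the Host check
    only when the server is bound to loopback.

    Assumption (hypothetical, mirroring the notebook's ip option): an empty
    bind address means all interfaces.
    """
    if bind_ip == "":
        return True
    if bind_ip == "localhost":
        return False
    try:
        return not ipaddress.ip_address(bind_ip).is_loopback
    except ValueError:
        # Any other hostname (e.g. "localhost6") silently disables the check;
        # this is the foot-gun the PR description warns about.
        return True


def check_request(host_header, allow_remote_access=False):
    """Return (allowed, reason) for one request's Host header."""
    if allow_remote_access:
        return True, "remote access enabled"
    host = host_from_header(host_header)
    if host is None:
        return False, "malformed Host header"
    if is_local_host(host):
        return True, "local Host"
    return False, ("non-local Host %r; set NotebookApp.allow_remote_access=True "
                   "if this server is meant to be reached remotely" % host)


if __name__ == "__main__":
    # Constructed sample Host headers: a normal local tab, IPv6 loopback, a
    # DNS-rebinding page (its connection also comes from 127.0.0.1, but the
    # browser still sends the attacker's domain as Host), and a malformed one.
    for hdr in ["localhost:8888", "[::1]:8888", "attacker.example:8888", "[::1"]:
        ok, why = check_request(hdr)
        print("%-24s %-5s %s" % (hdr, "allow" if ok else "block", why))
```

The block message carries the name of the setting to flip, which is the point raised in review about the warning: an operator proxying to localhost sees immediately that the fix is configuration, not a bug report.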