Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[stable25] Detect weird local ips #34195

Merged
merged 7 commits into from
Sep 22, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions build/stubs/intl.php
Original file line number Diff line number Diff line change
Expand Up @@ -4622,7 +4622,7 @@ function idn_to_ascii($domain, $options = 0, $variant = INTL_IDNA_VARIANT_2003,
* @param int $variant [optional] <p>
* Either INTL_IDNA_VARIANT_2003 for IDNA 2003 or INTL_IDNA_VARIANT_UTS46 for UTS #46.
* </p>
* @param int &$idna_info [optional] <p>
* @param array &$idna_info [optional] <p>
* This parameter can be used only if INTL_IDNA_VARIANT_UTS46 was used for variant.
* In that case, it will be filled with an array with the keys 'result',
* the possibly illegal result of the transformation, 'isTransitionalDifferent',
Expand All @@ -4634,7 +4634,7 @@ function idn_to_ascii($domain, $options = 0, $variant = INTL_IDNA_VARIANT_2003,
* RFC 3490 4.2 states though "ToUnicode never fails. If any step fails, then the original input
* sequence is returned immediately in that step."
*/
function idn_to_utf8($domain, $options = 0, $variant = INTL_IDNA_VARIANT_2003, array &$idna_info) { }
function idn_to_utf8($domain, $options = 0, $variant = INTL_IDNA_VARIANT_2003, array &$idna_info = null) { }

/**
* (PHP 5 &gt;=5.5.0 PECL intl &gt;= 3.0.0a1)<br/>
Expand Down
2 changes: 1 addition & 1 deletion lib/private/Http/Client/DnsPinMiddleware.php
Original file line number Diff line number Diff line change
Expand Up @@ -125,7 +125,7 @@ public function addDnsPinning() {
$ports[] = (string)$port;
}

$targetIps = $this->dnsResolve($hostName, 0);
$targetIps = $this->dnsResolve(idn_to_utf8($hostName), 0);

$curlResolves = [];

Expand Down
33 changes: 19 additions & 14 deletions lib/private/Http/Client/LocalAddressChecker.php
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,9 @@
*/
namespace OC\Http\Client;

use IPLib\Address\IPv6;
use IPLib\Factory;
use IPLib\ParseStringFlag;
use OCP\Http\Client\LocalServerException;
use Psr\Log\LoggerInterface;
use Symfony\Component\HttpFoundation\IpUtils;
Expand All @@ -37,6 +40,21 @@ public function __construct(LoggerInterface $logger) {
}

public function ThrowIfLocalIp(string $ip) : void {
$parsedIp = Factory::parseAddressString(
$ip,
ParseStringFlag::IPV4_MAYBE_NON_DECIMAL | ParseStringFlag::IPV4ADDRESS_MAYBE_NON_QUAD_DOTTED
);
if ($parsedIp === null) {
/* Not an IP */
return;
}
/* Replace by normalized form */
if ($parsedIp instanceof IPv6) {
$ip = (string)($parsedIp->toIPv4() ?? $parsedIp);
} else {
$ip = (string)$parsedIp;
}

$localRanges = [
'100.64.0.0/10', // See RFC 6598
'192.0.0.0/24', // See RFC 6890
Expand All @@ -50,19 +68,6 @@ public function ThrowIfLocalIp(string $ip) : void {
$this->logger->warning("Host $ip was not connected to because it violates local access rules");
throw new LocalServerException('Host violates local access rules');
}

// Also check for IPv6 IPv4 nesting, because that's not covered by filter_var
if ((bool)filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) && substr_count($ip, '.') > 0) {
$delimiter = strrpos($ip, ':'); // Get last colon
$ipv4Address = substr($ip, $delimiter + 1);

if (
!filter_var($ipv4Address, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) ||
IpUtils::checkIp($ip, $localRanges)) {
$this->logger->warning("Host $ip was not connected to because it violates local access rules");
throw new LocalServerException('Host violates local access rules');
}
}
}

public function ThrowIfLocalAddress(string $uri) : void {
Expand All @@ -72,7 +77,7 @@ public function ThrowIfLocalAddress(string $uri) : void {
throw new LocalServerException('Could not detect any host');
}

$host = strtolower($host);
$host = idn_to_utf8(strtolower(urldecode($host)));
// Remove brackets from IPv6 addresses
if (strpos($host, '[') === 0 && substr($host, -1) === ']') {
$host = substr($host, 1, -1);
Expand Down
1 change: 1 addition & 0 deletions tests/lib/Http/Client/ClientTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -161,6 +161,7 @@ public function dataPreventLocalAddress():array {
['another-host.local'],
['service.localhost'],
['!@#$'], // test invalid url
['normal.host.com'],
];
}

Expand Down
23 changes: 21 additions & 2 deletions tests/lib/Http/Client/LocalAddressCheckerTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@ public function dataInternalIPs() : array {
return [
['192.168.0.1'],
['fe80::200:5aee:feaa:20a2'],
['0:0:0:0:0:0:10.0.0.1'],
['0:0:0:0:0:ffff:10.0.0.1'],
['0:0:0:0:0:ffff:127.0.0.0'],
['10.0.0.1'],
['::'],
Expand All @@ -112,7 +112,7 @@ public function dataPreventLocalAddress():array {
['172.16.42.1'],
['[fdf8:f53b:82e4::53]/secret.ics'],
['[fe80::200:5aee:feaa:20a2]/secret.ics'],
['[0:0:0:0:0:0:10.0.0.1]/secret.ics'],
['[0:0:0:0:0:ffff:10.0.0.1]/secret.ics'],
['[0:0:0:0:0:ffff:127.0.0.0]/secret.ics'],
['10.0.0.1'],
['another-host.local'],
Expand All @@ -121,6 +121,25 @@ public function dataPreventLocalAddress():array {
['100.100.100.200'],
['192.0.0.1'],
['randomdomain.internal'],
['0177.0.0.9'],
['⑯⑨。②⑤④。⑯⑨。②⑤④'],
['127。②⑤④。⑯⑨.②⑤④'],
['127.0.00000000000000000000000000000000001'],
['127.1'],
['127.000.001'],
['0177.0.0.01'],
['0x7f.0x0.0x0.0x1'],
['0x7f000001'],
['2130706433'],
['00000000000000000000000000000000000000000000000000177.1'],
['0x7f.1'],
['127.0x1'],
['[0000:0000:0000:0000:0000:0000:0000:0001]'],
['[0:0:0:0:0:0:0:1]'],
['[0:0:0:0::0:0:1]'],
['%31%32%37%2E%30%2E%30%2E%31'],
['%31%32%37%2E%30%2E%30.%31'],
['[%3A%3A%31]'],
];
}

Expand Down