Skip to content

Commit

Permalink
fix: add local hostnames allowlist
Browse files Browse the repository at this point in the history
  • Loading branch information
J0 committed Oct 21, 2024
1 parent 8350090 commit 427823d
Show file tree
Hide file tree
Showing 2 changed files with 26 additions and 7 deletions.
18 changes: 14 additions & 4 deletions internal/conf/configuration.go
Original file line number Diff line number Diff line change
Expand Up @@ -569,6 +569,7 @@ func loadEnvironment(filename string) error {

// Moving away from the existing HookConfig so we can get a fresh start.
type HookConfiguration struct {
AllowedLocalHostNames []string `json:"allowed_local_names" split_words:"true"`
MFAVerificationAttempt ExtensibilityPointConfiguration `json:"mfa_verification_attempt" split_words:"true"`
PasswordVerificationAttempt ExtensibilityPointConfiguration `json:"password_verification_attempt" split_words:"true"`
CustomAccessToken ExtensibilityPointConfiguration `json:"custom_access_token" split_words:"true"`
Expand Down Expand Up @@ -607,14 +608,23 @@ func (h *HookConfiguration) Validate() error {
h.SendEmail,
}
for _, point := range points {
if err := point.ValidateExtensibilityPoint(); err != nil {
if err := point.ValidateExtensibilityPoint(h.AllowedLocalHostNames); err != nil {
return err
}
}
return nil
}

func (e *ExtensibilityPointConfiguration) ValidateExtensibilityPoint() error {
func isStringInSlice(checkValue string, list []string) bool {
for _, val := range list {
if val == checkValue {
return true
}
}
return false
}

func (e *ExtensibilityPointConfiguration) ValidateExtensibilityPoint(allowedHTTPHostNames []string) error {
if e.URI == "" {
return nil
}
Expand All @@ -627,10 +637,10 @@ func (e *ExtensibilityPointConfiguration) ValidateExtensibilityPoint() error {
return validatePostgresPath(u)
case "http":
hostname := u.Hostname()
if hostname == "localhost" || hostname == "127.0.0.1" || hostname == "::1" || hostname == "host.docker.internal" || hostname == "kong" || hostname == "edge_runtime" {
if isStringInSlice(hostname, allowedHTTPHostNames) {
return validateHTTPHookSecrets(e.HTTPHookSecrets)
}
return fmt.Errorf("only localhost, 127.0.0.1, and ::1 are supported with http")
return fmt.Errorf("hostname is %q: only %s are supported with http", hostname, strings.Join(allowedHTTPHostNames, ", "))
case "https":
return validateHTTPHookSecrets(e.HTTPHookSecrets)
default:
Expand Down
15 changes: 12 additions & 3 deletions internal/conf/configuration_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -155,6 +155,14 @@ func TestHTTPHookSecretsDecode(t *testing.T) {
}

func TestValidateExtensibilityPointURI(t *testing.T) {
allowedLocalHostNames := []string{
"localhost",
"127.0.0.1",
"::1",
"host.docker.internal",
"kong",
"edge_runtime",
}
cases := []struct {
desc string
uri string
Expand All @@ -168,7 +176,7 @@ func TestValidateExtensibilityPointURI(t *testing.T) {
{desc: "Another Valid URI", uri: "pg-functions://postgres/MySpeCial/FUNCTION_THAT_YELLS_AT_YOU", expectError: false},
{desc: "Valid HTTP URI", uri: "http://localhost/functions/v1/custom-sms-sender", expectError: false},
{desc: "Valid localhost URI with kong alias", uri: "http://kong:8000/functions/v1/custom-sms-sender", expectError: false},
{desc: "Valid localhost URI with edge_runtime", uri: "http://edge_runtime:8000/functions/v1/custom-sms-sender", expectError: false},
{desc: "Valid localhost URI with edge_runtime", uri: "http://edge_runtime:54321/functions/v1/custom-sms-sender", expectError: false},

// Negative test cases
{desc: "Invalid HTTP URI", uri: "http://asdfgggg.website.co/functions/v1/custom-sms-sender", expectError: true},
Expand All @@ -180,7 +188,7 @@ func TestValidateExtensibilityPointURI(t *testing.T) {

for _, tc := range cases {
ep := ExtensibilityPointConfiguration{URI: tc.uri}
err := ep.ValidateExtensibilityPoint()
err := ep.ValidateExtensibilityPoint(allowedLocalHostNames)
if tc.expectError {
require.Error(t, err)
} else {
Expand All @@ -206,8 +214,9 @@ func TestValidateExtensibilityPointSecrets(t *testing.T) {
{desc: "Invalid Symmetric Secret", secret: []string{"tommy"}, expectError: true},
}
for _, tc := range cases {
allowedLocalHostNames := []string{}
ep := ExtensibilityPointConfiguration{URI: validHTTPSURI, HTTPHookSecrets: tc.secret}
err := ep.ValidateExtensibilityPoint()
err := ep.ValidateExtensibilityPoint(allowedLocalHostNames)
if tc.expectError {
require.Error(t, err)
} else {
Expand Down

0 comments on commit 427823d

Please sign in to comment.