IRCaBot 2.1.0
GPLv3 © acetone, 2021-2022
#saltr
/2023/11/24
dr|z3d looking at httpserver, zzz, I'm still thinking it's not a bad idea to block any attempts to access a localhost address.
dr|z3d this is what I've got so far:
dr|z3d try {
dr|z3d URL parsedURL = new URL(url);
dr|z3d InetAddress address = InetAddress.getByName(parsedURL.getHost());
dr|z3d if (address.equals(InetAddress.getLocalHost()) || address.getHostAddress().equals("127.0.0.1")) {
dr|z3d // Prevent access to localhost addresses
dr|z3d if (_log.shouldWarn())
dr|z3d _log.warn("[HTTPServer] Denying access to localhost address [" + url + "]");
dr|z3d return;
dr|z3d } catch (MalformedURLException e) {
dr|z3d // Handle malformed URL
dr|z3d e.printStackTrace();
dr|z3d return;
dr|z3d } catch (UnknownHostException e) {
dr|z3d // Handle unknown host
dr|z3d e.printStackTrace();
dr|z3d return;
zzz I suggest you test to try to break it before writing code to fix it
zzz you may also be introducing security issues through DNS leaks via getByName()
dr|z3d we've already demonstrated that it can be broken.
dr|z3d for some definition of broken, anyways.
dr|z3d if there's a method that doesn't require a dns lookup, that would be preferable.
dr|z3d that said, I think you're overstating the issue of security. you run an outproxy, let's say, someone attempts to access *any* address, there's a DNS lookup involved.
zzz sure but for the non-outproxy case
dr|z3d so we just make sure the url doesn't contain .i2p before we do the lookup.
zzz where does this code go?
dr|z3d I2PTunnelHTTPServer
zzz specifically where. There's no 'url' in there in canon
dr|z3d I've got it in the run() method right now, haven't determined if that's the right place yet.
dr|z3d url is grabbed via:
dr|z3d // Parse request headers here to extract URL
dr|z3d String[] requestLines = _headers.split("\r\n");
dr|z3d String requestLine = requestLines[0];
dr|z3d String[] requestParts = requestLine.split(" ");
dr|z3d String url = requestParts[1];
zzz there is no full-blown URL. The path is in the GET line and the host is set in the Host: header with the spoofed host
zzz the Host: line from the client is stripped
zzz so again, what's the definition of broken
dr|z3d the definition of broken is fbi.com:{arbitary port} via the outproxy exposing {arbitrary port} on localhost.
dr|z3d I really think we shouldn't let that happen in any context.
zzz pretty sure we tested that before we approved the outproxy.
dr|z3d yeah, we did, and we fixed the issue but I'm not happy with the fix.
zzz that's for you to prevent at the outproxy, external to httpserver
dr|z3d that's what you said, but I'm not happy with that. we should be preventing that from happening regardless of how the proxy server is configured.
zzz but you can't inject security issues for everybody else except the outproxy just because you're not happy
dr|z3d that's not the right way of looking at things. non-issue. we'd just add a toggle to the http server config that enables outproxy mode.
zzz there is no 'outproxy mode'.
dr|z3d right, that's why we'd need to add a toggle :)
dr|z3d either that or add a new tunnel type explicitly for outproxies that allows more fine-grained control.
zzz I know nothing about the outproxy architecture or why you're unhappy, but it sounds like this is better and more securely fixed outside the i2p code
zzz if you do want to add special outproxy shenanigans into the i2p code, I suggest you do it in a fork so you don't add security holes for your other users
dr|z3d not convinced by either of those suggestions, tbh. you're not going to be looking up DNS requests if your server tunnel is hosting an .i2p site, and we can filter those out in any event. and providing a secure method for hosting an outproxy that mitigates possible issues regardless of the proxy software being used seems to me to be something we should be doing, being as we're security focused.
dr|z3d and a toggle in the UI that enables outproxy mode addresses any security issues. if your http server tunnel isn't an outproxy, then any code relating to outproxy functionality doesn't get enabled.
zzz seems like a lot of work if the fbi.gov fix from a year ago is still working, happy or not
dr|z3d maybe, but I think it's worth the effort. we should be able to provide a watertight outproxy tunnel config that doesn't rely on configuring the proxy server where there may be non-obvious issues. prevent gun->foot issues.
dr|z3d block localhost, enable a whitelist/backlist for hosts, enable auto-ban for clients attempting to access prohibited sites, that sort of thing.
dr|z3d custom dns server config, multiple backend server config... I know you'll say that's not the job of i2p, but I think having all these things within i2p would make running an outproxy much more viable.
dr|z3d that's on the server side of things, on the client side, there's various things we could do to improve things.
dr|z3d *poof*
zzz look, it's up to you and StormyCloud to holistically design and maintain a secure outproxy. You don't have to convince me; nobody's running a canon outproxy and so I'm not interested in adding 'outproxy mode' attempting to guess what a non-existent outproxy op might want
dr|z3d ok, fine.
zzz ofc, checking for localhost alone wouldn't allow you to remove external defenses for other outproxy IPv4/v6 IPs or hostnames
dr|z3d nope, but it's a start.