Add allow/deny feature for forward URLs #79

Open
UiP9AV6Y opened this issue Nov 3, 2022 · 4 comments
UiP9AV6Y commented Nov 3, 2022

We operate the application in Kubernetes and want to avoid access to internal resources via request-baskets, as it can be turned into an open proxy. The most flexible use is probably to provide the ability to allow/deny domains and IP ranges.

Example use cases:

  • request-baskets --allow-domain example.com --deny-domain dev.example.com
    baskets can only be configured with URLs with example.com
    as domain (e.g. https://api.prod.example.com),
    except URLs pointing to dev.example.com
    (e.g. https://api.dev.example.com)

  • request-baskets --deny-domain cluster.local
    baskets can forward any URL except to URLs under the
    cluster.local domain

  • request-baskets --deny-address 127.0.0.0/8
    baskets cannot forward URLs pointing to the loopback
    interface

  • request-baskets --deny-private-address
    shortcut for denying forwards to all addresses designated
    for private use (192.168.0.0/16, 172.16.0.0/12,
    10.0.0.0/8) by the IANA

  • request-baskets --allow-address 192.168.1.0/24 --deny-address 192.168.1.1/32 --deny-address 192.168.1.254/32
    only URLs resolving to a class B private net are allowed,
    except 192.168.1.1 and 192.168.1.254

By default, everything is allowed and nothing is denied (just as
before). Denials are applied after allowances, so that you
can allow on a broad scale and deny granularly.

Given that the validation only has to be performed on basket
creation/updates, the resource overhead for domain resolution
should be relatively low.
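As an added illustration of the semantics proposed above (this is example code, not code from request-baskets or from the issue author): a Go policy type that evaluates allowances first and denials after them, implements the --deny-private-address shortcut, and applies the address rules to every address a host name resolves to. The names ForwardPolicy, Check, PrivateNets and DomainMatches are assumptions of this example, the resolver in main is a constructed stand-in so the demo runs offline, and the addresses and host names are invented.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/netip"
	"net/url"
	"strings"
)

// ForwardPolicy models the proposed rules; empty allow lists mean "allow everything" (the proposed default).
type ForwardPolicy struct {
	AllowDomains, DenyDomains []string
	AllowNets, DenyNets       []netip.Prefix
	Resolve                   func(host string) ([]netip.Addr, error) // nil selects system DNS
}

// PrivateNets is the --deny-private-address shortcut from the issue.
var PrivateNets = []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"), netip.MustParsePrefix("192.168.0.0/16")}

// DomainMatches is true for the domain itself and any subdomain of it; the
// leading dot stops "notexample.com" from matching "example.com".
func DomainMatches(host, domain string) bool {
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	domain = strings.TrimSuffix(strings.ToLower(domain), ".")
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// anyOf reports whether match holds for at least one element of xs.
func anyOf[T any](xs []T, match func(T) bool) bool {
	for _, x := range xs {
		if match(x) {
			return true
		}
	}
	return false
}

func dnsResolve(host string) ([]netip.Addr, error) {
	return net.DefaultResolver.LookupNetIP(context.Background(), "ip", host)
}

// Check returns nil when the forward URL is permitted, or an error naming the
// rule that rejected it. Allowances are evaluated first, denials after them.
func (p *ForwardPolicy) Check(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return fmt.Errorf("invalid forward URL: %w", err)
	}
	host := u.Hostname() // port and IPv6 brackets already stripped
	underDomain := func(d string) bool { return DomainMatches(host, d) }
	if len(p.AllowDomains) > 0 && !anyOf(p.AllowDomains, underDomain) {
		return fmt.Errorf("host %q is not under an allowed domain", host)
	}
	if anyOf(p.DenyDomains, underDomain) {
		return fmt.Errorf("host %q is under a denied domain", host)
	}
	if len(p.AllowNets) == 0 && len(p.DenyNets) == 0 {
		return nil // no address rules, so nothing to resolve
	}
	// Address rules apply to what the forward would actually reach: a literal
	// IP is used as-is, a name is resolved to all of its addresses.
	resolve := p.Resolve
	if resolve == nil {
		resolve = dnsResolve
	}
	var ips []netip.Addr
	if ip, perr := netip.ParseAddr(host); perr == nil {
		ips = []netip.Addr{ip}
	} else if ips, err = resolve(host); err != nil || len(ips) == 0 {
		return fmt.Errorf("cannot resolve %q: %v", host, err)
	}
	// Every address must pass, so a name with one public and one internal record
	// cannot slip through on the public one. Unmap/WithZone normalise IPv4-mapped
	// (::ffff:10.0.0.1) and zoned (::1%lo) literals, which Prefix.Contains never matches.
	for _, ip := range ips {
		ip := ip.Unmap().WithZone("")
		contains := func(n netip.Prefix) bool { return n.Contains(ip) }
		if len(p.AllowNets) > 0 && !anyOf(p.AllowNets, contains) {
			return fmt.Errorf("%s (%s) is outside the allowed ranges", host, ip)
		}
		if anyOf(p.DenyNets, contains) {
			return fmt.Errorf("%s (%s) is in a denied range", host, ip)
		}
	}
	return nil
}

func main() {
	// Constructed resolver so the demo runs offline; the address is invented.
	fake := func(string) ([]netip.Addr, error) { return []netip.Addr{netip.MustParseAddr("192.168.1.1")}, nil }
	// Equivalent of --allow-domain example.com --deny-private-address
	p := &ForwardPolicy{AllowDomains: []string{"example.com"}, DenyDomains: nil, DenyNets: PrivateNets, Resolve: fake}
	fmt.Println(p.Check("https://api.prod.example.com/hook")) // name resolves to a private address: denied
	fmt.Println(p.Check("http://[::ffff:10.0.0.5]:8080/"))    // IPv4-mapped literal, not under example.com: denied
	fmt.Println(p.Check("http://db.cluster.local/"))          // not under example.com: denied
}
```

Two caveats worth keeping in mind with this shape of check. It runs at basket creation/update, so a name whose DNS records change afterwards, or that resolves differently from the forwarding node, can still land on a denied address when the forward is actually made; re-checking the resolved address at forward time, or pairing the option with a Kubernetes NetworkPolicy that restricts egress from the pod, closes that gap. And --deny-address 127.0.0.0/8 alone says nothing about IPv6 loopback, so ::1/128 needs its own deny entry.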

eliliam commented Jun 9, 2023

Any update on this? This would be a great feature to add

@darklynx
Owner

PRs are welcome

darklynx added the labels enhancement (Requested feature) and help wanted on Jun 11, 2023
@darklynx
Owner

we operate the application in kubernetes and want to avoid access to internal resources via request-baskets, as it can be turned into an open proxy.

That is a very valid concern 👍

The easiest solution is an option to disable forwarding in general.

The proposed solution sounds like a reasonable amount of development with additional testing of corner cases like resolving a domain into an IP and sub-network. Maybe there are already libraries in Go that solve that problem and can be easily applied here. But I'm not aware of them, and I'm not that familiar with such kinds of libraries. Also, I have limited free time at the moment.

Hence, PRs for improvements are welcome and very much appreciated.

Thank you! 🙏

Owner

darklynx commented Aug 16, 2023

I think that the unrestricted forwarding feature made the Request Baskets "famous" and got us to the CVE database 😅:
https://nvd.nist.gov/vuln/detail/CVE-2023-27163

And some samples of Request Baskets misuse, when running the service non-isolated from the rest of your network 😰:
https://cyb3rc4t.hashnode.dev/htb-writeupsau
