fix Block gateway attacks via websockets (#1828)
Co-authored-by: Carmelo Messina <uazo@users.noreply.github.com>
This commit is contained in:
uazo
Yifeng Wu
parent
5deb1f7a71
commit
1390a0077b
1 changed files with 24 additions and 14 deletions
|
|
@ -4,15 +4,15 @@ Subject: Block gateway attacks via websockets
|
|||
|
||||
---
|
||||
.../renderer/core/loader/base_fetch_context.h | 1 +
|
||||
.../core/loader/frame_fetch_context.cc | 18 +++++++++++++
|
||||
.../core/loader/frame_fetch_context.cc | 20 +++++++++++++
|
||||
.../core/loader/frame_fetch_context.h | 1 +
|
||||
.../core/loader/worker_fetch_context.cc | 19 +++++++++++++
|
||||
.../core/loader/worker_fetch_context.cc | 21 ++++++++++++++
|
||||
.../core/loader/worker_fetch_context.h | 1 +
|
||||
.../background_fetch_manager.cc | 2 --
|
||||
.../background_fetch_manager.cc | 4 +--
|
||||
.../websockets/websocket_channel_impl.cc | 5 ++++
|
||||
.../modules/websockets/websocket_common.cc | 27 +++++++++++++++++++
|
||||
.../modules/websockets/websocket_common.cc | 29 +++++++++++++++++++
|
||||
.../modules/websockets/websocket_common.h | 4 +++
|
||||
9 files changed, 76 insertions(+), 2 deletions(-)
|
||||
9 files changed, 84 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/third_party/blink/renderer/core/loader/base_fetch_context.h b/third_party/blink/renderer/core/loader/base_fetch_context.h
|
||||
--- a/third_party/blink/renderer/core/loader/base_fetch_context.h
|
||||
|
|
@ -28,7 +28,7 @@ diff --git a/third_party/blink/renderer/core/loader/base_fetch_context.h b/third
|
|||
diff --git a/third_party/blink/renderer/core/loader/frame_fetch_context.cc b/third_party/blink/renderer/core/loader/frame_fetch_context.cc
|
||||
--- a/third_party/blink/renderer/core/loader/frame_fetch_context.cc
|
||||
+++ b/third_party/blink/renderer/core/loader/frame_fetch_context.cc
|
||||
@@ -566,6 +566,24 @@ bool FrameFetchContext::ShouldBlockRequestByInspector(const KURL& url) const {
|
||||
@@ -563,6 +563,26 @@ bool FrameFetchContext::ShouldBlockRequestByInspector(const KURL& url) const {
|
||||
return should_block_request;
|
||||
}
|
||||
|
||||
|
|
@ -36,6 +36,8 @@ diff --git a/third_party/blink/renderer/core/loader/frame_fetch_context.cc b/thi
|
|||
+ // TODO(mkwst): This only checks explicit IP addresses. We'll have to move
|
||||
+ // all this up to //net and //content in order to have any real impact on
|
||||
+ // gateway attacks. That turns out to be a TON of work (crbug.com/378566).
|
||||
+ if (requestor_space == network::mojom::IPAddressSpace::kUnknown)
|
||||
+ requestor_space = network::mojom::IPAddressSpace::kPublic;
|
||||
+ network::mojom::IPAddressSpace target_space =
|
||||
+ network::mojom::IPAddressSpace::kPublic;
|
||||
+ if (network_utils::IsReservedIPAddress(request_url.Host()))
|
||||
|
|
@ -56,7 +58,7 @@ diff --git a/third_party/blink/renderer/core/loader/frame_fetch_context.cc b/thi
|
|||
diff --git a/third_party/blink/renderer/core/loader/frame_fetch_context.h b/third_party/blink/renderer/core/loader/frame_fetch_context.h
|
||||
--- a/third_party/blink/renderer/core/loader/frame_fetch_context.h
|
||||
+++ b/third_party/blink/renderer/core/loader/frame_fetch_context.h
|
||||
@@ -166,6 +166,7 @@ class CORE_EXPORT FrameFetchContext final : public BaseFetchContext,
|
||||
@@ -179,6 +179,7 @@ class CORE_EXPORT FrameFetchContext final : public BaseFetchContext,
|
||||
bool ShouldBlockWebSocketByMixedContentCheck(const KURL&) const override;
|
||||
std::unique_ptr<WebSocketHandshakeThrottle> CreateWebSocketHandshakeThrottle()
|
||||
override;
|
||||
|
|
@ -75,7 +77,7 @@ diff --git a/third_party/blink/renderer/core/loader/worker_fetch_context.cc b/th
|
|||
#include "third_party/blink/renderer/platform/runtime_enabled_features.h"
|
||||
#include "third_party/blink/renderer/platform/supplementable.h"
|
||||
#include "third_party/blink/renderer/platform/weborigin/security_policy.h"
|
||||
@@ -90,6 +91,24 @@ bool WorkerFetchContext::ShouldBlockRequestByInspector(const KURL& url) const {
|
||||
@@ -90,6 +91,26 @@ bool WorkerFetchContext::ShouldBlockRequestByInspector(const KURL& url) const {
|
||||
return should_block_request;
|
||||
}
|
||||
|
||||
|
|
@ -83,6 +85,8 @@ diff --git a/third_party/blink/renderer/core/loader/worker_fetch_context.cc b/th
|
|||
+ // TODO(mkwst): This only checks explicit IP addresses. We'll have to move
|
||||
+ // all this up to //net and //content in order to have any real impact on
|
||||
+ // gateway attacks. That turns out to be a TON of work (crbug.com/378566).
|
||||
+ if (requestor_space == network::mojom::IPAddressSpace::kUnknown)
|
||||
+ requestor_space = network::mojom::IPAddressSpace::kPublic;
|
||||
+ network::mojom::IPAddressSpace target_space =
|
||||
+ network::mojom::IPAddressSpace::kPublic;
|
||||
+ if (network_utils::IsReservedIPAddress(request_url.Host()))
|
||||
|
|
@ -114,15 +118,19 @@ diff --git a/third_party/blink/renderer/core/loader/worker_fetch_context.h b/thi
|
|||
diff --git a/third_party/blink/renderer/modules/background_fetch/background_fetch_manager.cc b/third_party/blink/renderer/modules/background_fetch/background_fetch_manager.cc
|
||||
--- a/third_party/blink/renderer/modules/background_fetch/background_fetch_manager.cc
|
||||
+++ b/third_party/blink/renderer/modules/background_fetch/background_fetch_manager.cc
|
||||
@@ -103,7 +103,6 @@ bool ShouldBlockDanglingMarkup(const KURL& request_url) {
|
||||
@@ -104,9 +104,10 @@ bool ShouldBlockDanglingMarkup(const KURL& request_url) {
|
||||
|
||||
bool ShouldBlockGateWayAttacks(ExecutionContext* execution_context,
|
||||
const KURL& request_url) {
|
||||
- if (RuntimeEnabledFeatures::CorsRFC1918Enabled()) {
|
||||
network::mojom::IPAddressSpace requestor_space =
|
||||
execution_context->AddressSpace();
|
||||
+ if (requestor_space == network::mojom::IPAddressSpace::kUnknown)
|
||||
+ requestor_space = network::mojom::IPAddressSpace::kPublic;
|
||||
|
||||
@@ -120,7 +119,6 @@ bool ShouldBlockGateWayAttacks(ExecutionContext* execution_context,
|
||||
// TODO(mkwst): This only checks explicit IP addresses. We'll have to move
|
||||
// all this up to //net and //content in order to have any real impact on
|
||||
@@ -121,7 +122,6 @@ bool ShouldBlockGateWayAttacks(ExecutionContext* execution_context,
|
||||
bool is_external_request = requestor_space > target_space;
|
||||
if (is_external_request)
|
||||
return true;
|
||||
|
|
@ -148,7 +156,7 @@ diff --git a/third_party/blink/renderer/modules/websockets/websocket_channel_imp
|
|||
diff --git a/third_party/blink/renderer/modules/websockets/websocket_common.cc b/third_party/blink/renderer/modules/websockets/websocket_common.cc
|
||||
--- a/third_party/blink/renderer/modules/websockets/websocket_common.cc
|
||||
+++ b/third_party/blink/renderer/modules/websockets/websocket_common.cc
|
||||
@@ -124,9 +124,36 @@ WebSocketCommon::ConnectResult WebSocketCommon::Connect(
|
||||
@@ -124,9 +124,38 @@ WebSocketCommon::ConnectResult WebSocketCommon::Connect(
|
||||
return ConnectResult::kException;
|
||||
}
|
||||
|
||||
|
|
@ -168,6 +176,8 @@ diff --git a/third_party/blink/renderer/modules/websockets/websocket_common.cc b
|
|||
+ // TODO(mkwst): This only checks explicit IP addresses. We'll have to move
|
||||
+ // all this up to //net and //content in order to have any real impact on
|
||||
+ // gateway attacks. That turns out to be a TON of work (crbug.com/378566).
|
||||
+ if (requestor_space == network::mojom::IPAddressSpace::kUnknown)
|
||||
+ requestor_space = network::mojom::IPAddressSpace::kPublic;
|
||||
+ network::mojom::IPAddressSpace target_space =
|
||||
+ network::mojom::IPAddressSpace::kPublic;
|
||||
+ if (network_utils::IsReservedIPAddress(request_url.Host()))
|
||||
|
|
@ -188,16 +198,16 @@ diff --git a/third_party/blink/renderer/modules/websockets/websocket_common.cc b
|
|||
diff --git a/third_party/blink/renderer/modules/websockets/websocket_common.h b/third_party/blink/renderer/modules/websockets/websocket_common.h
|
||||
--- a/third_party/blink/renderer/modules/websockets/websocket_common.h
|
||||
+++ b/third_party/blink/renderer/modules/websockets/websocket_common.h
|
||||
@@ -8,6 +8,8 @@
|
||||
@@ -7,6 +7,8 @@
|
||||
#ifndef THIRD_PARTY_BLINK_RENDERER_MODULES_WEBSOCKETS_WEBSOCKET_COMMON_H_
|
||||
#define THIRD_PARTY_BLINK_RENDERER_MODULES_WEBSOCKETS_WEBSOCKET_COMMON_H_
|
||||
|
||||
#include "base/macros.h"
|
||||
+#include "services/network/public/mojom/ip_address_space.mojom.h"
|
||||
+#include "third_party/blink/renderer/platform/network/network_utils.h"
|
||||
#include "third_party/blink/renderer/modules/modules_export.h"
|
||||
#include "third_party/blink/renderer/platform/weborigin/kurl.h"
|
||||
#include "third_party/blink/renderer/platform/wtf/allocator/allocator.h"
|
||||
@@ -55,6 +57,8 @@ class MODULES_EXPORT WebSocketCommon {
|
||||
@@ -54,6 +56,8 @@ class MODULES_EXPORT WebSocketCommon {
|
||||
void SetState(State state) { state_ = state; }
|
||||
const KURL& Url() const { return url_; }
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue