security: fix CVE-2023-36456

Signed-off-by: Jens Langhammer <jens@goauthentik.io> # Conflicts: # website/sidebars.js
2023-07-04 13:48:04 +02:00
parent 2739376a2a
commit 15026748d1
8 changed files with 94 additions and 13 deletions
--- a/internal/utils/web/http_forwarded.go
+++ b/internal/utils/web/http_forwarded.go
@ -0,0 +1,44 @@
+package web
+
+import (
+	"net"
+	"net/http"
+
+	"github.com/gorilla/handlers"
+	log "github.com/sirupsen/logrus"
+	"goauthentik.io/internal/config"
+)
+
+// ProxyHeaders Set proxy headers like X-Forwarded-For and such, but only if the direct connection
+// comes from a client that's in a list of trusted CIDRs
+func ProxyHeaders() func(http.Handler) http.Handler {
+	nets := []*net.IPNet{}
+	for _, rn := range config.Get().Listen.TrustedProxyCIDRs {
+		_, cidr, err := net.ParseCIDR(rn)
+		if err != nil {
+			continue
+		}
+		nets = append(nets, cidr)
+	}
+	ph := handlers.ProxyHeaders
+	return func(h http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			host, _, err := net.SplitHostPort(r.RemoteAddr)
+			if err == nil {
+				// remoteAddr will be nil if the IP cannot be parsed
+				remoteAddr := net.ParseIP(host)
+				for _, allowedCidr := range nets {
+					if remoteAddr != nil && allowedCidr.Contains(remoteAddr) {
+						log.WithField("remoteAddr", remoteAddr).WithField("cidr", allowedCidr.String()).Trace("Setting proxy headers")
+						ph(h).ServeHTTP(w, r)
+						return
+					}
+				}
+			}
+			// Request is not directly coming from a CIDR we "trust"
+			// so set XFF to the direct host IP
+			r.Header.Set("X-Forwarded-For", host)
+			h.ServeHTTP(w, r)
+		})
+	}
+}