

[backend/middleware] Validate X-Forwarded-For headers & remove legacy AppContext switch

+16 -5
+8
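--- a/Iceshrimp.Backend/Core/Middleware/RequestVerificationMiddleware.cs
+++ b/Iceshrimp.Backend/Core/Middleware/RequestVerificationMiddleware.cs
@@ -24,6 +24,14 @@
 
     public bool IsValid(HttpRequest rq)
     {
+        // Mitigate malicious X-Forwarded-Proto values (https://github.com/greenpau/caddy-security/issues/270)
+        if (!rq.Scheme.EqualsIgnoreCase("http") && !rq.Scheme.EqualsIgnoreCase("https"))
+        {
+            logger.LogWarning("Received request with invalid scheme: '{scheme}', please check your reverse proxy configuration",
+                              rq.Scheme);
+            return false;
+        }
+
         if (rq.Host.Host == config.Value.WebDomain) return true;
         if (config.Value.AdditionalDomainsArray.Contains(rq.Host.Host)) return true;
         if (rq.Host.Host == config.Value.AccountDomain && rq.Path.StartsWithSegments("/.well-known"))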
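Review bot: The new scheme check at the top of IsValid only constrains the forwarded value to http/https; together with the Startup.cs section, which adds 0.0.0.0/0 and ::/0 to KnownIPNetworks, it does not establish that X-Forwarded-Proto came from the reverse proxy, so a client that can reach the backend without passing through the proxy could present a plain-http request as https (how much that matters depends on scheme-dependent logic outside this hunk). The comment should state that limit rather than only the injection case, e.g. `// Accept only http/https as the forwarded scheme; this rejects malformed values but does not verify the sender, so the backend must only be reachable via the reverse proxy`. IsValid continues past the end of the hunk.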
+8 -5
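--- a/Iceshrimp.Backend/Startup.cs
+++ b/Iceshrimp.Backend/Startup.cs
@@ -1,14 +1,12 @@
 using System.Diagnostics;
+using System.Net;
 using Iceshrimp.Backend.Core.Extensions;
 using Iceshrimp.Backend.Core.Helpers;
 using Iceshrimp.Backend.Pages.Shared;
 using Iceshrimp.Backend.SignalR;
 using Iceshrimp.Backend.SignalR.Authentication;
 using Microsoft.AspNetCore.HttpOverrides;
-
-// Remove below line when the known proxy / known networks configuration has been implemented
-// See https://github.com/aspnet/Announcements/issues/517 for more information
-AppContext.SetSwitch("Microsoft.AspNetCore.HttpOverrides.IgnoreUnknownProxiesWithoutFor", true);
+using IPNetwork = System.Net.IPNetwork;
 
 var options = StartupHelpers.ParseCliArguments(args);
 var builder = WebApplication.CreateBuilder(options);
@@ -64,7 +62,12 @@
 app.UseResponseCompression();
 #endif
 
-app.UseForwardedHeaders(new ForwardedHeadersOptions { ForwardedHeaders = ForwardedHeaders.XForwardedProto });
+app.UseForwardedHeaders(new ForwardedHeadersOptions
+{
+    // The X-Forwarded-Proto value gets validated in RequestVerificationMiddleware so we can trust any proxy
+    ForwardedHeaders = ForwardedHeaders.XForwardedProto,
+    KnownIPNetworks = { new IPNetwork(IPAddress.Any, 0), new IPNetwork(IPAddress.IPv6Any, 0) }
+});
 app.UseRouting();
 app.UseOpenApiWithOptions();
 app.UseCors();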
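Review bot: The KnownIPNetworks list in the UseForwardedHeaders call is a hard-coded trust-all (0.0.0.0/0 and ::/0), so an operator who wants to limit trust to the actual proxy has to change code, and the removed TODO at the top of the file had tied dropping the AppContext switch to implementing a known-proxy / known-network configuration, which this hunk does not add. Sourcing the list from the existing configuration object (the middleware already reads `config.Value`) while keeping the present permissive default would preserve this change's behaviour and leave the restriction available without a rebuild. The inline comment also claims more than the middleware check provides; `// RequestVerificationMiddleware only rejects non-http/https scheme values; it does not identify the proxy` would be accurate.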