From 90ad5247a9ce0185246199055af812a23a81f835 Mon Sep 17 00:00:00 2001
From: OniriCorpe
Date: Wed, 17 Jan 2024 23:23:06 +0100
Subject: [PATCH 1/6] add bind_public_ip check
---
 package_linter.py | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/package_linter.py b/package_linter.py
index 6adcd37..9f73713 100755
--- a/package_linter.py
+++ b/package_linter.py
@@ -1531,6 +1531,31 @@ class Configurations(TestSuite):
 % location
 )
+ @test()
+ def bind_public_ip(self):
+ app = self.app
+ for filename in (
+ os.listdir(app.path + "/conf") if os.path.exists(app.path + "/conf") else []
+ ):
+ try:
+ content = open(app.path + "/conf/" + filename).read()
+ except Exception as e:
+ yield Warning("Can't open/read %s: %s" % (filename, e))
+ return
+ for line in content.split("\n"):
+ comment = ["#", "//", ";"]
+ if (
+ "0.0.0.0" in line
+ or "::" in line
+ and not line.strip().startswith(comment)
+ ):
+ yield Info(
+ "%s: Binding to '0.0.0.0' or '::' can result in a security issue as "
+ "the SSO can be bypassed by knowing a public IP (typically an IPv6) "
+ "and the app port. Please be sure that this behavior is intentional.\n"
+ "Maybe use '127.0.0.1' or '::1' instead." % filename
+ )
 #############################################
 # __ __ _ __ _ #
From 832dc3d55b05e8a37782c68d9547e655e17cb107 Mon Sep 17 00:00:00 2001
From: OniriCorpe
Date: Wed, 17 Jan 2024 23:37:25 +0100
Subject: [PATCH 2/6] add line numer and fix a trigger on commented lines
---
 package_linter.py | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/package_linter.py b/package_linter.py
index 9f73713..8d5ace1 100755
--- a/package_linter.py
+++ b/package_linter.py
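Review bot: The `return` in the `except` branch of the `for filename` loop ends the whole check after the first conf file that cannot be read, so every remaining file under conf/ is never scanned and gets no diagnostic; `continue` is what that branch needs. The file is also opened without a context manager, leaving the handle's closing to the interpreter — `with open(app.path + "/conf/" + filename) as f:` followed by `content = f.read()`, and `continue` in place of `return`, fix both in three lines. The new method carries no docstring; a one-liner such as `"""Report conf/ templates that bind a service to the wildcard address ('0.0.0.0' or '::')."""` would say what the Info is about. The enclosing class `Configurations` continues outside the hunk.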
@@ -1543,18 +1543,17 @@ class Configurations(TestSuite):
 yield Warning("Can't open/read %s: %s" % (filename, e))
 return
- for line in content.split("\n"):
- comment = ["#", "//", ";"]
+ for number, line in enumerate(content.split("\n"), 1):
+ comment = ("#", "//", ";")
 if (
- "0.0.0.0" in line
- or "::" in line
+ ( "0.0.0.0" in line or "::" in line )
 and not line.strip().startswith(comment)
 ):
 yield Info(
- "%s: Binding to '0.0.0.0' or '::' can result in a security issue as "
- "the SSO can be bypassed by knowing a public IP (typically an IPv6) "
- "and the app port. Please be sure that this behavior is intentional.\n"
- "Maybe use '127.0.0.1' or '::1' instead." % filename
+ f"(unknown):{number}: Binding to '0.0.0.0' or '::' can result in "
+ "a security issue as the SSO can be bypassed by knowing a public "
+ "IP (typically an IPv6) and the app port. Please be sure that this "
+ "behavior is intentional. Maybe use '127.0.0.1' or '::1' instead."
 )
 #############################################
From 8b38cf0924f402a157ebcda46be6a1308bebc2e4 Mon Sep 17 00:00:00 2001
From: OniriCorpe
Date: Wed, 17 Jan 2024 23:51:38 +0100
Subject: [PATCH 3/6] mention the reverse proxy bypass
---
 package_linter.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/package_linter.py b/package_linter.py
index 8d5ace1..865f0aa 100755
--- a/package_linter.py
+++ b/package_linter.py
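Review bot: `comment = ("#", "//", ";")` is rebuilt on every iteration of the line loop although it is a constant; it reads better hoisted above `for number, line in enumerate(content.split("\n"), 1):`, for instance as a module-level `COMMENT_PREFIXES = ("#", "//", ";")` that the `startswith` call uses. Separately, the old message carried the file name through `% filename`, while the new f-string opens with the literal `(unknown):{number}:` — if that literal is really what the file contains, rather than this page's rendering of `{filename}`, the report now names only a line number and `f"{filename}:{number}: ..."` is what the diagnostic needs. The function `bind_public_ip` starts outside the hunk.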
@@ -1550,10 +1550,11 @@ class Configurations(TestSuite):
 and not line.strip().startswith(comment)
 ):
 yield Info(
- f"(unknown):{number}: Binding to '0.0.0.0' or '::' can result in "
- "a security issue as the SSO can be bypassed by knowing a public "
- "IP (typically an IPv6) and the app port. Please be sure that this "
- "behavior is intentional. Maybe use '127.0.0.1' or '::1' instead."
+ f"(unknown):{number}: Binding to '0.0.0.0' or '::' can result "
+ "in a security issue as the reverse proxy and the SSO can be "
+ "bypassed by knowing a public IP (typically an IPv6) and the "
+ "app port. lease be sure that this behavior is intentional. "
+ "Maybe use '127.0.0.1' or '::1' instead."
 )
 #############################################
From 23b2f7d6bb6532d4af1df79ffe0590df69c5974e Mon Sep 17 00:00:00 2001
From: OniriCorpe
Date: Thu, 18 Jan 2024 03:06:27 +0100
Subject: [PATCH 4/6] better ip discrimination
---
 package_linter.py | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/package_linter.py b/package_linter.py
index 865f0aa..e6d2baf 100755
--- a/package_linter.py
+++ b/package_linter.py
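Review bot: The rewritten message introduces a typo in its fourth fragment — `"app port. lease be sure that this behavior is intentional. "` should read `"app port. Please be sure that this behavior is intentional. "` — and the misspelling is carried unchanged into the PATCH 4/6, 5/6 and 6/6 hunks, where the same text appears as added or context lines. The text being replaced spelled it correctly, so this is a regression of the commit rather than a pre-existing issue. The function `bind_public_ip` starts outside the hunk.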
@@ -1549,13 +1549,15 @@ class Configurations(TestSuite):
 ( "0.0.0.0" in line or "::" in line )
 and not line.strip().startswith(comment)
 ):
- yield Info(
- f"(unknown):{number}: Binding to '0.0.0.0' or '::' can result "
- "in a security issue as the reverse proxy and the SSO can be "
- "bypassed by knowing a public IP (typically an IPv6) and the "
- "app port. lease be sure that this behavior is intentional. "
- "Maybe use '127.0.0.1' or '::1' instead."
- )
+ for ip in re.split("[ \t,='\"(){}\[\]]", line):
+ if ip == "::" or "0.0.0.0" in ip:
+ yield Info(
+ f"(unknown):{number}: Binding to '0.0.0.0' or '::' can result "
+ "in a security issue as the reverse proxy and the SSO can be "
+ "bypassed by knowing a public IP (typically an IPv6) and the "
+ "app port. lease be sure that this behavior is intentional. "
+ "Maybe use '127.0.0.1' or '::1' instead."
+ )
 #############################################
 # __ __ _ __ _ #
From 051053d4fd0f0b32cfe7edf13ea3cd1c57d15c83 Mon Sep 17 00:00:00 2001
From: OniriCorpe
Date: Thu, 18 Jan 2024 03:46:37 +0100
Subject: [PATCH 5/6] tweak to ignore IPs like "10.0.0.0"
---
 package_linter.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package_linter.py b/package_linter.py
index e6d2baf..b6fb9c1 100755
--- a/package_linter.py
+++ b/package_linter.py
@@ -1550,7 +1550,7 @@ class Configurations(TestSuite):
 and not line.strip().startswith(comment)
 ):
 for ip in re.split("[ \t,='\"(){}\[\]]", line):
- if ip == "::" or "0.0.0.0" in ip:
+ if ip == "::" or ( "0.0.0.0" in ip and ip.startswith("0.0.0.0") ):
 yield Info(
 f"(unknown):{number}: Binding to '0.0.0.0' or '::' can result "
 "in a security issue as the reverse proxy and the SSO can be "
From f3bf1b237b63c8bcfec71053f07d5ab1590e3f5f Mon Sep 17 00:00:00 2001
From: OniriCorpe
Date: Thu, 18 Jan 2024 20:57:04 +0100
Subject: [PATCH 6/6] small refactor
---
 package_linter.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
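Review bot: The split pattern `"[ \t,='\"(){}\[\]]"` is a normal (non-raw) string literal, so `\[` and `\]` are invalid escape sequences in it — CPython keeps the backslashes, which is why the regex still works, but it emits a DeprecationWarning for them (a SyntaxWarning since 3.12) — and the same literal is repeated as context in the PATCH 5/6 and 6/6 hunks. Writing it raw, `for ip in re.split(r"[ \t,='\"(){}\[\]]", line):`, yields the identical pattern without the warning; compiling it once with `re.compile` above the loops would also make the token rules a named constant, though `re`'s internal cache makes that optional. The function `bind_public_ip` starts outside the hunk.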
diff --git a/package_linter.py b/package_linter.py
index b6fb9c1..6cb3195 100755
--- a/package_linter.py
+++ b/package_linter.py
@@ -1550,7 +1550,7 @@ class Configurations(TestSuite):
 and not line.strip().startswith(comment)
 ):
 for ip in re.split("[ \t,='\"(){}\[\]]", line):
- if ip == "::" or ( "0.0.0.0" in ip and ip.startswith("0.0.0.0") ):
+ if ip == "::" or ip.startswith("0.0.0.0"):
 yield Info(
 f"(unknown):{number}: Binding to '0.0.0.0' or '::' can result "
 "in a security issue as the reverse proxy and the SSO can be "
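Review bot: After this refactor the two branches of the condition match asymmetrically: `ip == "::"` fires only when the IPv6 wildcard is a whole token (spaces, quotes, brackets and braces are delimiters in the split pattern, colons are not), whereas `ip.startswith("0.0.0.0")` accepts any token beginning with that prefix, a `:port` suffix included. That is presumably deliberate, but the line deserves a comment stating the rule, e.g. `# "::" must stand alone as a token ("[::]" splits to "::"); "0.0.0.0" may carry a ":port" suffix`, so the next reader does not "fix" one side to match the other. Note that an expanded unspecified address such as `0:0:0:0:0:0:0:0` is recognised by neither branch, which is worth recording in the same comment if it is out of scope. The function `bind_public_ip` starts outside the hunk.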