Skip to content

Commit

Permalink
feat(security): add option to disallow private IP ranges in webhooks
Browse files Browse the repository at this point in the history
Closes #2152
  • Loading branch information
aeneasr committed Jan 20, 2022
1 parent a570607 commit 5bea750
Show file tree
Hide file tree
Showing 12 changed files with 532 additions and 411 deletions.
15 changes: 15 additions & 0 deletions docs/docs/guides/production.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,21 @@ CockroachDB. Do not use SQLite in production!
When preparing for production it is paramount to omit the `--dev` flag from
`kratos serve`.

### HTTP Clients

In some scenarios you might want to disallow HTTP calls to private IP ranges.
To configure this feature, set the following configuration:

```yaml
clients:
http:
disallow_private_ip_ranges: true
```
If enabled, all outgoing HTTP calls done by Ory Kratos will be checked whether
they are against a private IP range. If that is the case, the request
will fail with an error.
### Admin API
Never expose the Ory Kratos Admin API to the internet unsecured. Always require
Expand Down
5 changes: 5 additions & 0 deletions driver/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -150,6 +150,7 @@ const (
ViperKeyWebAuthnRPID = "selfservice.methods.webauthn.config.rp.id"
ViperKeyWebAuthnRPOrigin = "selfservice.methods.webauthn.config.rp.origin"
ViperKeyWebAuthnRPIcon = "selfservice.methods.webauthn.config.rp.issuer"
ViperKeyClientHTTPNoPrivateIPRanges = "clients.http.disallow_private_ip_ranges"
ViperKeyVersion = "version"
)

Expand Down Expand Up @@ -514,6 +515,10 @@ func (p *Config) DisableAPIFlowEnforcement() bool {
return false
}

func (p *Config) ClientHTTPNoPrivateIPRanges() bool {
return p.p.Bool(ViperKeyClientHTTPNoPrivateIPRanges)
}

func (p *Config) SelfServiceFlowRegistrationEnabled() bool {
return p.p.Bool(ViperKeySelfServiceRegistrationEnabled)
}
Expand Down
6 changes: 6 additions & 0 deletions driver/config/config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,12 @@ func TestViperProvider(t *testing.T) {
p := config.MustNew(t, logrusx.New("", ""), os.Stderr,
configx.WithConfigFiles("stub/.kratos.yaml"))

t.Run("gourp=client config", func(t *testing.T) {
assert.False(t, p.ClientHTTPNoPrivateIPRanges(), "Should not have private IP ranges disabled per default")
p.MustSet(config.ViperKeyClientHTTPNoPrivateIPRanges, true)
assert.True(t, p.ClientHTTPNoPrivateIPRanges(), "Should disallow private IP ranges if set")
})

t.Run("group=urls", func(t *testing.T) {
assert.Equal(t, "http://test.kratos.ory.sh/login", p.SelfServiceFlowLoginUI().String())
assert.Equal(t, "http://test.kratos.ory.sh/settings", p.SelfServiceFlowSettingsUI().String())
Expand Down
17 changes: 17 additions & 0 deletions driver/registry_default.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,10 @@ import (
"sync"
"time"

"github.com/hashicorp/go-retryablehttp"

"github.com/ory/x/httpx"

"github.com/gobuffalo/pop/v6"

"github.com/ory/nosurf"
Expand Down Expand Up @@ -679,3 +683,16 @@ func (m *RegistryDefault) PrometheusManager() *prometheus.MetricsManager {
}
return m.pmm
}

func (m *RegistryDefault) HTTPClient(ctx context.Context) *retryablehttp.Client {
opts := []httpx.ResilientOptions{
httpx.ResilientClientWithLogger(m.Logger()),
httpx.ResilientClientWithMaxRetry(2),
httpx.ResilientClientWithConnectionTimeout(30 * time.Second),
}
if m.Config(ctx).ClientHTTPNoPrivateIPRanges() {
opts = append(opts, httpx.ResilientClientDisallowInternalIPs())

}
return httpx.NewResilientClient(opts...)
}
20 changes: 20 additions & 0 deletions embedx/config.schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -2113,6 +2113,26 @@
"type": "string"
},
"description": "This is a CLI flag and environment variable and can not be set using the config file."
},
"clients": {
"title": "Global outgoing network settings",
"description": "Configure how outgoing network calls behave.",
"type": "object",
"properties": {
"http": {
"title": "Global HTTP client configuration",
"description": "Configure how outgoing HTTP calls behave.",
"type": "object",
"properties": {
"disallow_private_ip_ranges": {
"title": "Disallow private IP ranges",
"description": "Disallow all outgoing HTTP calls to private IP ranges. This feature can help protect against SSRF attacks.",
"type": "boolean",
"default": false
}
}
}
}
}
},
"allOf": [
Expand Down
4 changes: 2 additions & 2 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@ require (
github.com/inhies/go-bytesize v0.0.0-20210819104631-275770b98743
github.com/jteeuwen/go-bindata v3.0.7+incompatible
github.com/julienschmidt/httprouter v1.3.0
github.com/knadh/koanf v1.3.3
github.com/knadh/koanf v1.4.0
github.com/luna-duclos/instrumentedsql v1.1.3
github.com/luna-duclos/instrumentedsql/opentracing v0.0.0-20201103091713-40d03108b6f4
github.com/mattn/goveralls v0.0.7
Expand All @@ -77,7 +77,7 @@ require (
github.com/ory/kratos-client-go v0.6.3-alpha.1
github.com/ory/mail/v3 v3.0.0
github.com/ory/nosurf v1.2.7
github.com/ory/x v0.0.330
github.com/ory/x v0.0.334
github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2
github.com/pkg/errors v0.9.1
github.com/pquerna/otp v1.3.0
Expand Down
8 changes: 2 additions & 6 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,6 @@ github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugX
github.com/Microsoft/go-winio v0.4.17-0.20210211115548-6eac466e5fa3/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
github.com/Microsoft/go-winio v0.4.17-0.20210324224401-5516f17a5958/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
github.com/Microsoft/go-winio v0.4.17/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
github.com/Microsoft/go-winio v0.5.1 h1:aPJp2QD7OOrhO5tQXqQoGSJc+DjDtWTGLOmNyAm6FgY=
github.com/Microsoft/go-winio v0.5.1/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
Expand Down Expand Up @@ -399,8 +398,6 @@ github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2 h1:tdlZCpZ/P9DhczC
github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E=
github.com/docker/cli v20.10.8+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
github.com/docker/cli v20.10.9+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
github.com/docker/cli v20.10.11+incompatible h1:tXU1ezXcruZQRrMP8RN2z9N91h+6egZTS1gsPsKantc=
github.com/docker/cli v20.10.11+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c/go.mod h1:0+TTO4EOBfRPhZXAeF1Vu+W3hHZ8eLp8PgKVZlcvtFY=
Expand Down Expand Up @@ -1544,7 +1541,6 @@ github.com/ory/dockertest v3.3.5+incompatible/go.mod h1:1vX4m9wsvi00u5bseYwXaSnh
github.com/ory/dockertest/v3 v3.5.4/go.mod h1:J8ZUbNB2FOhm1cFZW9xBpDsODqsSWcyYgtJYVPcnF70=
github.com/ory/dockertest/v3 v3.6.3/go.mod h1:EFLcVUOl8qCwp9NyDAcCDtq/QviLtYswW/VbWzUnTNE=
github.com/ory/dockertest/v3 v3.6.5/go.mod h1:iYKQSRlYrt/2s5fJWYdB98kCQG6g/LjBMvzEYii63vg=
github.com/ory/dockertest/v3 v3.8.0/go.mod h1:9zPATATlWQru+ynXP+DytBQrsXV7Tmlx7K86H6fQaDo=
github.com/ory/dockertest/v3 v3.8.1 h1:vU/8d1We4qIad2YM0kOwRVtnyue7ExvacPiw1yDm17g=
github.com/ory/dockertest/v3 v3.8.1/go.mod h1:wSRQ3wmkz+uSARYMk7kVJFDBGm8x5gSxIhI7NDc+BAQ=
github.com/ory/fosite v0.29.0/go.mod h1:0atSZmXO7CAcs6NPMI/Qtot8tmZYj04Nddoold4S2h0=
Expand Down Expand Up @@ -1593,8 +1589,8 @@ github.com/ory/x v0.0.205/go.mod h1:A1s4iwmFIppRXZLF3J9GGWeY/HpREVm0Dk5z/787iek=
github.com/ory/x v0.0.250/go.mod h1:jUJaVptu+geeqlb9SyQCogTKj5ztSDIF6APkhbKtwLc=
github.com/ory/x v0.0.272/go.mod h1:1TTPgJGQutrhI2OnwdrTIHE9ITSf4MpzXFzA/ncTGRc=
github.com/ory/x v0.0.288/go.mod h1:APpShLyJcVzKw1kTgrHI+j/L9YM+8BRjHlcYObc7C1U=
github.com/ory/x v0.0.330 h1:h+JhZb2DFBUbW5zebXmfdfZVPod+qyxm09ku5eFLciE=
github.com/ory/x v0.0.330/go.mod h1:VtcrHHCiLrKhxKUdtCNxQ9q/MILRnQmETNdH/jl9gKw=
github.com/ory/x v0.0.334 h1:ZtxDKRjrRYadZGYIg7kFI4wuEpRX7n5eMBQnxRU07lw=
github.com/ory/x v0.0.334/go.mod h1:vRr+//Cmpcu4HwkYwstv4mzie65ss+r76+iXU9fqQiA=
github.com/pact-foundation/pact-go v1.0.4/go.mod h1:uExwJY4kCzNPcHRj+hCR/HBbOOIwwtUjcrb0b5/5kLM=
github.com/parnurzeal/gorequest v0.2.15/go.mod h1:3Kh2QUMJoqw3icWAecsyzkpY7UzRfDhbRdTjtNwNiUE=
github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
Expand Down
4 changes: 3 additions & 1 deletion persistence/sql/testhelpers/network.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,13 @@ package testhelpers

import (
"context"
"testing"

db "github.com/gofrs/uuid"

courier "github.com/ory/kratos/courier/test"
"github.com/ory/kratos/internal/testhelpers"
"github.com/ory/kratos/persistence"
"testing"
)

func DefaultNetworkWrapper(t *testing.T, ctx context.Context, p persistence.Persister) (courier.NetworkWrapper, courier.NetworkWrapper) {
Expand Down
Loading

0 comments on commit 5bea750

Please sign in to comment.