[security] Authorization Bypass Through User-Controlled Key

[JamieSlome]

@emicklei - following on from #488 and https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1/, we are sharing the details of the report as requested in the SECURITY.md.

Authorization Bypass Through User-Controlled Key in emicklei/go-restful

Reported on Mar 7th 2022

Description

Hello go restful maintainer team, I would like to report a security concerning your CORS Filter feature.

Go restful allows user to specify a CORS Filter with a configurable AllowedDomains param - which is an array of domains allowed in CORS policy.

However, although there's is already another param called allowedOriginPatterns used for matching origin using regular expression, all domains in AllowedDomains is also used as regular expression to check for matching origin in this code in file cors_filter.go:

if len(c.allowedOriginPatterns) == 0 {
// compile allowed domains to allowed origin patterns
allowedOriginRegexps, err := compileRegexps(c.AllowedDomains)
if err != nil {
return false
}
c.allowedOriginPatterns = allowedOriginRegexps
}

    for _, pattern := range c.allowedOriginPatterns {
        if allowed = pattern.MatchString(origin); allowed {
            break
        }
    }

So by this, if the user input example.com to be one of domain in AllowedDomains, all domains starting with example.com would be acceptable.

Proof of Concept

Install go restful and create a file main.go with this content:
package main

import (
restful "github.com/emicklei/go-restful/v3"
"io"
"net/http"
)

func main() {
container := restful.NewContainer()

ws := new(restful.WebService)
ws.Route(ws.GET("hello").To(hello))
container.Add(ws)
server := &http.Server{Addr: ":8000", Handler: container}

//container.Filter(logHeaders)
cors := restful.CrossOriginResourceSharing{
    ExposeHeaders: []string{"X-My-Header"},
    AllowedDomains: []string{"example.com"},
    CookiesAllowed: true,
    Container: container,
}
container.Filter(cors.Filter)
server.ListenAndServe()

}

func hello(req *restful.Request, resp *restful.Response) {
io.WriteString(resp, "world")
}

In the above code, example.com is configured as an allowed domain.

Run the above code and access link /hello with Origin Header = example.com.hacker.domain and see that the request gets through CORS policy and response looks like this:
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: example.com.hacker.domain
Access-Control-Expose-Headers: X-My-Header
Date: Mon, 07 Mar 2022 13:31:08 GMT
Content-Length: 5
Content-Type: text/plain; charset=utf-8
Connection: close

world
Impact
This vulnerability is capable of breaking CORS policy and thus allowing any page to make requests, retrieve data on behalf of other users.

Occurrences

cors_filter.go L135

[sickcodes]

AllowedDomains: []string{"example.com"},

If Allowed Domain is meant to be ^example.com$ this would be 0.

However, if there's no other way to deny domains then this is critical as it defeats the confidentiality (high), integrity (high), with no apparent affect to confidentiality (none) because it allows *example.com* 9.1

[sickcodes]

Given the update in the commit above does fix exact match domains, then this is

[JamieSlome]

@emicklei - can you please confirm whether you agree with the severity rating above? Plus, is there any timeline for getting this commit released?

[emicklei]

@emicklei - can you please confirm whether you agree with the severity rating above? Plus, is there any timeline for getting this commit released?

I do not have the expertise to verify the rating. I hope to merge the PR within days.

[JamieSlome]

@emicklei - no worries at all. Can you at least confirm whether you perceive this to be a vulnerability?

If you could mark it accordingly on our report, that would be appreciated, otherwise, we will do it on your behalf :)

https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1/

[emicklei]

I agree that this is a vulnerability ; not sure about the high impact rating.

[emicklei]

merged into 3.8.0

[JamieSlome]

@emicklei - thanks for the work 👍

[othomann]

@emicklei Hi, is it possible to backport to v2.x stream ? I have an indirect dependency to v2.15.0+incompatible that is tagged with this vulnerability.Thanks.