-
Notifications
You must be signed in to change notification settings - Fork 98
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(gw): Ipfs-Gateway-Mode: path|trustless #495
Conversation
Codecov Report
@@ Coverage Diff @@
## main #495 +/- ##
==========================================
+ Coverage 65.90% 65.94% +0.04%
==========================================
Files 205 206 +1
Lines 25185 25385 +200
==========================================
+ Hits 16598 16740 +142
- Misses 7125 7178 +53
- Partials 1462 1467 +5
|
This is opt-in HTTP header that CLI tools like CURL can send to disable browser-specific redirect to subdomain and/or force trustless mode, which errors instead of returning deserialized data. Context: https://curl.se/mail/lib-2023-10/0038.html An IPIP and gateway conformance tests will follow.
3c40238
to
c28eb8d
Compare
@markg85 I started writing tests for this, but quickly identified catastrophic security problems related to how opt-in The way I see it, this idea is dead on arrival, unless someone smarter proposes a reliable fix that works across HTTP implementations and middlewares and does not gamble with security of end user. |
Oww. I'm glad you understand the implications and how to even test for them @lidel Still, just for my learning experience. Could you elaborate on how the denial of service can happen exactly. The example you posted gives me a hint but it doesn't quite snap into place for me just yet. I'd be curious to know how you can, for example, abuse this to make |
Amount of issues is too high, and workarounds introduce own risks and bugs. I am happy to revisit if someone proposes a comprehensive way of dealing with issues listed above, |
@lidel ahh, now it makes more sense, thank you for elaborating! The redirect logic is in the gateway itself. The service in front of it (nginx, cdn, etc...) that does the caching has no way of knowing that the request is a redirect (subdomain) or path (no redirect) request and thus the issues you mention can pop up.. Ouch. |
Closing for now. If anyone reading this in the future has idea that mitigates the risks, feel free to open a new issue in https://github.com/ipfs/specs |
This PR adds
boxo/gateway
support for an opt-in HTTP header that CLI tools like CURL can send to disable browser-specific redirect to subdomain.As suggested by @markg85 in https://curl.se/mail/lib-2023-10/0038.html
An IPIP and gateway conformance tests will follow.
Concerns
It assumes every HTTP Cache will be aware of user opt-in, and that is not the case.
HTTP caching is complex, there are many implementations, only a small of HTTP caching works reliably across vendors.
What happens when HTTP cache in front of gateway (CDN, nginx, loadbalancer etc) caches response produced for client with
Ipfs-Gateway-Mode
and then returns it for clients that did not request withIpfs-Gateway-Mode
?Suggestions welcome, but unless we resolve below, the
Ipfs-Gateway-Mode
has no future.Denial of Service
Many websites require Origin isolation and URL root to be at
/
and not/ip*s/name/
.A malicious actor could request popular websites over and over again with
Ipfs-Gateway-Mode: path
to force invalid payload to be placed in cache, effectively breaking them for other users.Origin Isolation breakage and reveal of user secrets
A malicious actor could request
/ipfs/cid/malicious-payload.html
and/ipns/wallet.example.com
withIpfs-Gateway-Mode: path
, and both responses are cached by middleware/CDN in front of a gateway.Users who open /ipns/wallet.example.com
would get a cached response that does not redirect them to gateway, allowing
/ipfs/cid/malicious-payload.html` (which is now in the same shared origin) to read all cookies, and private keys from local storage etc.Tricking user into opening
/ipfs/cid/malicious-payload.html
will enable exfiltration of secrets.Explored mitigations
🔴 Force
content-disposition: attachement
on responses whenIpfs-Gateway-Mode
header is set, this way browser will never render such payload.content-disposition: attachement
will NEVER render.🟠 return
Vary
header to indicate which other HTTP headers should be used in caching decisionsVary: Ipfs-Gateway-Mode
but can't assume this works reliably across the stack, which means we would be gambling with security of end user.TODO