Fix wildcard check_origin vulnerability.

chrismccord · chrismccord · commit 6e7185b33a59 · 2022-10-10T11:13:01.000-04:00
Previously, our documentation points to a wilcard example of:

    check_origin: [
      "//*.other.com"
    ]

Which should allow any subdomain of "other.com", but our comparison
for `"//*.other.com"` would allow `api.any-other.com`, which would
allow an attacker to register a domain with a custom prefix of a target
domain and pass origin checks. This patch ensures the `String.ends_with?`
check includes the subdomain dot prefix.

Who is affected?

Only those using a wildcard check origin are affected, and potential
exploits are limited to allowing unauthenticated channel connections
from a bad host. Because LiveView adds its own csrf token to the
connection by default, LiveView applications with wildcard check origin
would refuse connection under this scenario. Additionally, channel
applications utilizing token based authentication would require the
attacker to also have a valid token to connection from a bad host.
Phoenix channels does not allow access to cookies, so an attacker would
also not be able to pass their own cookies from a bad host.
diff --git a/lib/phoenix/socket/transport.ex b/lib/phoenix/socket/transport.ex
@@ -624,7 +624,7 @@ defmodule Phoenix.Socket.Transport do
   defp compare_host?(_request_host, nil),
     do: true
   defp compare_host?(request_host, "*." <> allowed_host),
-    do: String.ends_with?(request_host, allowed_host)
+    do: request_host == allowed_host or String.ends_with?(request_host, "." <> allowed_host)
   defp compare_host?(request_host, allowed_host),
     do: request_host == allowed_host
 
diff --git a/test/phoenix/socket/transport_test.exs b/test/phoenix/socket/transport_test.exs
@@ -85,6 +85,12 @@ defmodule Phoenix.Socket.TransportTest do
       refute conn.halted
       conn = check_origin("https://org1.ex.com", check_origin: origins)
       refute conn.halted
+
+      conn = check_origin("https://ex.com", check_origin: origins)
+      refute conn.halted
+
+      conn = check_origin("https://org1.prefix-ex.com", check_origin: origins)
+      assert conn.halted
     end
 
     test "nested wildcard subdomains" do
@@ -93,6 +99,15 @@ defmodule Phoenix.Socket.TransportTest do
       conn = check_origin("http://org1.foo.example.com", check_origin: origins)
       refute conn.halted
 
+      conn = check_origin("http://foo.example.com", check_origin: origins)
+      refute conn.halted
+
+      conn = check_origin("http://bad.example.com", check_origin: origins)
+      assert conn.halted
+
+      conn = check_origin("http://org1.prefix-foo.example.com", check_origin: origins)
+      assert conn.halted
+
       conn = check_origin("http://org1.bar.example.com", check_origin: origins)
       assert conn.halted
       assert conn.status == 403
