-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Spoofable extractors are used with the knowledge of the risks #2998
Comments
Perhaps something along the lines of: /// Wrap spoofable extractor
pub struct Spoofable<E>(pub E);
/// Allow `Spoofable` to be used with spoofable extractors in handlers
impl <S, E> FromRequestParts<S> for Spoofable<E> where E: FromSpoofableRequestParts<S> {
}
/// axum private trait
trait FromSpoofableRequestParts<S>: Sized {
type Rejection: IntoResponse;
async fn from_request_parts(
parts: &mut Parts,
state: &S
) -> impl Future<Output = Result<Self, Self::Rejection>> + Send;
}
/// Mark `Host` as a spoofable extractor
impl <S> FromSpoofableRequestParts<S> for Host { ... }
/// Use spoofable extractor
async fn handler(Spoofable(Host(host)): Spoofable<Host>) -> String {
println("{host}");
} |
PoC to check which solution to pick for #2998
I've made one PoC so that we can better imagine how the API would be: #3000 @bengsparks could you also make one for the approach you're suggesting. It seems very interesting! |
Is it possible to add on either of the extractors something like I don't think host can be extracted from anything that cannot be spoofed and scheme could theoretically be extracted from connect info, but the way it is implemented now, it prefers the scheme the client used originally if the server is behind a proxy, i.e. it tries to extract from the proxy headers first which might be what the user is interested in. If we can only return values extracted from spoofable sources, I feel like the destructuring is the nicer syntax from the current two options, but that's just my opinion. Getting rid of the For completeness, would you be opposed to just having |
How about |
I personal like having to change the usage site. |
I would see that as another dimension because both the proxy headers and the host header can be spoofed. |
@yanns I personally see it as the extractor doing the "unsafe" operation. You ask for the This should also be easier to migrate to (which might be bad since people won't have to think about every usage site of But if you really think it would be better to have users call the |
I personally like my solution for the fact that migration is simple and that the use-site is clearly visible. I'd argue that outside of creating different extractors for reading different headers, there is no fool-proof way to achieve the desired goal. With my way, there is a handler-specific marker that calls for further inspection during code review instead of potentially being buried inside of the handler at any given position. Suggestions and adjustments to the naming of |
My only fear is about:
But I don't have strong opinion here. I guess I'm very (too) sensitive to developers not being careful about security... |
I have the feeling that the community consensus is tending towards |
My other comment is that the current |
One thing to note is that while this does raise awareness, there is no way for the user to act on that knowledge. The user can choose to not use the extractor at all, but a far more valuable ability would be to selectively choose only the non-spoofable part, which is not possible, as far as I can tell. Most notably, I don't see any way that the extractors could be used to implement things like the common |
@sclu1034 I agree with you.
|
Ideally, it would be a solution where the logic whether a connection can be trusted has to be implemented only once, rather than again for every extractor or handler. So I think some kind of middleware that can dynamically strip headers would be best. At that point, the extractors could stay as they are, and simply act as if that header was never sent. And a centralized solution like that would also ensure that manual access to these headers can be trusted likewise. |
+1 to the middleware suggestion by @sclu1034; the best solution would be such headers simply never arrive. |
FWIW after reading up on the discussion here, I'm not a huge fan of the spoofable proposal 🫣 if the goal is to make users aware of the spoofing risks of the if we introduce |
The ticket follows the discussion in #2507 (comment)
Some extractors, like
Host
orScheme
, can use the values of some HTTP headers that could be spoofed by malicious users.We should find a way to make users aware of the risks of using those extractors.
Some ideas:
unsafe
. This is not the idea ofunsafe
and we would be mis-using it. I think that this can be discarded.SpoofableValue
so that users have to call some function to get the value. The name and the documentation of the function should make the user aware of the risk. Example:The text was updated successfully, but these errors were encountered: