annex.security.allowed-ip-addresses ports syntax
Extended annex.security.allowed-ip-addresses to let specific ports of an IP address to be used, while denying use of other ports.
This commit is contained in:
parent
4316d92b48
commit
9659f1c30f
6 changed files with 43 additions and 7 deletions
19
Annex/Url.hs
19
Annex/Url.hs
|
@ -41,6 +41,7 @@ import qualified BuildInfo
|
||||||
import Network.Socket
|
import Network.Socket
|
||||||
import Network.HTTP.Client
|
import Network.HTTP.Client
|
||||||
import Network.HTTP.Client.TLS
|
import Network.HTTP.Client.TLS
|
||||||
|
import Text.Read
|
||||||
|
|
||||||
defaultUserAgent :: U.UserAgent
|
defaultUserAgent :: U.UserAgent
|
||||||
defaultUserAgent = "git-annex/" ++ BuildInfo.packageversion
|
defaultUserAgent = "git-annex/" ++ BuildInfo.packageversion
|
||||||
|
@ -85,10 +86,11 @@ getUrlOptions = Annex.getState Annex.urloptions >>= \case
|
||||||
manager <- liftIO $ U.newManager $
|
manager <- liftIO $ U.newManager $
|
||||||
avoidtimeout $ tlsManagerSettings
|
avoidtimeout $ tlsManagerSettings
|
||||||
return (urldownloader, manager)
|
return (urldownloader, manager)
|
||||||
allowedaddrs -> do
|
allowedaddrsports -> do
|
||||||
addrmatcher <- liftIO $
|
addrmatcher <- liftIO $
|
||||||
(\l v -> any (\f -> f v) l) . catMaybes
|
(\l v -> any (\f -> f v) l) . catMaybes
|
||||||
<$> mapM makeAddressMatcher allowedaddrs
|
<$> mapM (uncurry makeAddressMatcher)
|
||||||
|
(mapMaybe splitAddrPort allowedaddrsports)
|
||||||
-- Default to not allowing access to loopback
|
-- Default to not allowing access to loopback
|
||||||
-- and private IP addresses to avoid data
|
-- and private IP addresses to avoid data
|
||||||
-- leakage.
|
-- leakage.
|
||||||
|
@ -120,6 +122,19 @@ getUrlOptions = Annex.getState Annex.urloptions >>= \case
|
||||||
-- separate timeout controls, so disable that.
|
-- separate timeout controls, so disable that.
|
||||||
avoidtimeout s = s { managerResponseTimeout = responseTimeoutNone }
|
avoidtimeout s = s { managerResponseTimeout = responseTimeoutNone }
|
||||||
|
|
||||||
|
splitAddrPort :: String -> Maybe (String, Maybe PortNumber)
|
||||||
|
splitAddrPort s
|
||||||
|
-- "[addr]:port" (also allow "[addr]")
|
||||||
|
| "[" `isPrefixOf` s = case splitc ']' (drop 1 s) of
|
||||||
|
[a,cp] -> case splitc ':' cp of
|
||||||
|
["",p] -> do
|
||||||
|
pn <- readMaybe p
|
||||||
|
return (a, Just pn)
|
||||||
|
[""] -> Just (a, Nothing)
|
||||||
|
_ -> Nothing
|
||||||
|
_ -> Nothing
|
||||||
|
| otherwise = Just (s, Nothing)
|
||||||
|
|
||||||
ipAddressesUnlimited :: Annex Bool
|
ipAddressesUnlimited :: Annex Bool
|
||||||
ipAddressesUnlimited =
|
ipAddressesUnlimited =
|
||||||
("all" == ) . annexAllowedIPAddresses <$> Annex.getGitConfig
|
("all" == ) . annexAllowedIPAddresses <$> Annex.getGitConfig
|
||||||
|
|
|
@ -32,6 +32,8 @@ git-annex (8.20200221) UNRELEASED; urgency=medium
|
||||||
* init --version: When the version given is one that automatically
|
* init --version: When the version given is one that automatically
|
||||||
upgrades to a newer version, use the newer version instead.
|
upgrades to a newer version, use the newer version instead.
|
||||||
* Auto upgrades from older repo versions, like v5, now jump right to v8.
|
* Auto upgrades from older repo versions, like v5, now jump right to v8.
|
||||||
|
* Extended annex.security.allowed-ip-addresses to let specific ports
|
||||||
|
of an IP address to be used, while denying use of other ports.
|
||||||
|
|
||||||
-- Joey Hess <id@joeyh.name> Wed, 19 Feb 2020 12:48:58 -0400
|
-- Joey Hess <id@joeyh.name> Wed, 19 Feb 2020 12:48:58 -0400
|
||||||
|
|
||||||
|
|
|
@ -103,10 +103,12 @@ embeddedIpv4 v = case v of
|
||||||
- match that address in a SockAddr. Nothing when the address cannot be
|
- match that address in a SockAddr. Nothing when the address cannot be
|
||||||
- parsed.
|
- parsed.
|
||||||
-
|
-
|
||||||
|
- When a port is specified, will only match a SockAddr using the same port.
|
||||||
|
-
|
||||||
- This does not involve any DNS lookups.
|
- This does not involve any DNS lookups.
|
||||||
-}
|
-}
|
||||||
makeAddressMatcher :: String -> IO (Maybe (SockAddr -> Bool))
|
makeAddressMatcher :: String -> Maybe PortNumber -> IO (Maybe (SockAddr -> Bool))
|
||||||
makeAddressMatcher s = go
|
makeAddressMatcher s mp = go
|
||||||
<$> catchDefaultIO [] (getAddrInfo (Just hints) (Just s) Nothing)
|
<$> catchDefaultIO [] (getAddrInfo (Just hints) (Just s) Nothing)
|
||||||
where
|
where
|
||||||
hints = defaultHints
|
hints = defaultHints
|
||||||
|
@ -117,6 +119,11 @@ makeAddressMatcher s = go
|
||||||
go [] = Nothing
|
go [] = Nothing
|
||||||
go l = Just $ \sockaddr -> any (match sockaddr) (map addrAddress l)
|
go l = Just $ \sockaddr -> any (match sockaddr) (map addrAddress l)
|
||||||
|
|
||||||
match (SockAddrInet _ a) (SockAddrInet _ b) = a == b
|
match (SockAddrInet p a) (SockAddrInet _ b) = a == b && matchport p
|
||||||
match (SockAddrInet6 _ _ a _) (SockAddrInet6 _ _ b _) = a == b
|
match (SockAddrInet6 p _ a _) (SockAddrInet6 _ _ b _) = a == b && matchport p
|
||||||
match _ _ = False
|
match _ _ = False
|
||||||
|
|
||||||
|
matchport p = case mp of
|
||||||
|
Nothing -> True
|
||||||
|
Just p' -> p == p'
|
||||||
|
|
||||||
|
|
|
@ -1608,6 +1608,11 @@ Remotes are configured using these settings in `.git/config`.
|
||||||
Note that, since the interfaces of curl and youtube-dl do not allow
|
Note that, since the interfaces of curl and youtube-dl do not allow
|
||||||
these IP address restrictions to be enforced, curl and youtube-dl will
|
these IP address restrictions to be enforced, curl and youtube-dl will
|
||||||
never be used unless annex.security.allowed-ip-addresses=all.
|
never be used unless annex.security.allowed-ip-addresses=all.
|
||||||
|
|
||||||
|
To allow accessing local or private IP addresses on only specific ports,
|
||||||
|
use the syntax "[addr]:port". For example,
|
||||||
|
"[127.0.0.1]:80 [127.0.0.1]:443 [::1]:80 [::1]:443" allows
|
||||||
|
localhost on the http ports only.
|
||||||
|
|
||||||
* `annex.security.allowed-http-addresses`
|
* `annex.security.allowed-http-addresses`
|
||||||
|
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
date="2020-02-25T18:32:02Z"
|
date="2020-02-25T18:32:02Z"
|
||||||
content="""
|
content="""
|
||||||
As to ports, it seems reasonable to support eg
|
As to ports, it seems reasonable to support eg
|
||||||
security.allowed-ip-addresses=127.0.0.1:80 to make sure that the massive
|
security.allowed-ip-addresses=[127.0.0.1]:80 to make sure that the massive
|
||||||
electron app I have running on some random other port doesn't get abused
|
electron app I have running on some random other port doesn't get abused
|
||||||
to exfiltrate the contents of my $HOME. As a non-random example. :)
|
to exfiltrate the contents of my $HOME. As a non-random example. :)
|
||||||
"""]]
|
"""]]
|
||||||
|
|
|
@ -0,0 +1,7 @@
|
||||||
|
[[!comment format=mdwn
|
||||||
|
username="joey"
|
||||||
|
subject="""comment 3"""
|
||||||
|
date="2020-02-25T19:30:35Z"
|
||||||
|
content="""
|
||||||
|
Implemented specifying allowed ports.
|
||||||
|
"""]]
|
Loading…
Reference in a new issue