
[ANCHOR-403] Prevent SSRF through SEP-1 TOML redirect #1043

Merged
merged 15 commits into from
Aug 10, 2023

Conversation

@reecexlm reecexlm (Contributor) commented Aug 5, 2023

This PR addresses SDP-001. If an error is encountered while fetching stellar.toml via HTTP, the exception is obfuscated with an error message to avoid the ability to use the method to leak AWS instance metadata via SSRF.

PR Structure

  • This PR has reasonably narrow scope (if not, break it down into smaller PRs).
  • This PR avoids mixing refactoring changes with feature changes (split into two PRs
    otherwise).

Thoroughness

To test this I used the Anchor Platform e2e test. I updated profile/config.env to use the stellar.toml type url, with the value set to localhost:9000:

sep1.toml.type=url
sep1.toml.value=http://localhost:9000/.well-known/stellar.toml

I ran a local Flask app which redirected to itself and simulated a metadata endpoint.

First, to reproduce the error, I pointed the fetch at the local Flask app. In its log you can see the redirect, which then returns a 200 for the fake metadata:

❯ python3 app1.py
 * Serving Flask app 'app1'
 * Debug mode: off
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on all addresses (0.0.0.0)
 * Running on http://127.0.0.1:9000
 * Running on http://192.168.1.106:9000
Press CTRL+C to quit
127.0.0.1 - - [09/Aug/2023 15:26:30] "GET /.well-known/stellar.toml HTTP/1.1" 302 -
127.0.0.1 - - [09/Aug/2023 15:26:30] "GET /hostname HTTP/1.1" 200 -

The fake metadata sent looks like this:

{"amiId":"ami-12345678","instanceId":"i-1234567890abcdef0","instanceType":"t2.micro","region":"us-west-2"}

The SEP service raised an exception in the TOML parse:

AnchorPlatformEnd2EndTest > initializationError FAILED
    java.lang.IllegalStateException: Key is not followed by an equals sign on line 1: {"amiId":"ami-12345678","instanceId":"i-1234567890abcdef0","instanceType":"t2.micro","region":"us-west-2"}
        at com.moandjiezana.toml.Toml.read(Toml.java:140)
        at org.stellar.anchor.util.Sep1Helper$TomlContent.<init>(Sep1Helper.java:25)
        at org.stellar.anchor.util.Sep1Helper.parse(Sep1Helper.java:13)
        at org.stellar.anchor.platform.AbstractIntegrationTest.setupTests(AbstractIntegrationTest.kt:44)

Throwing an exception with a custom error message obfuscates the original exception message, preventing the leak:

AnchorPlatformEnd2EndTest > initializationError FAILED
    java.lang.RuntimeException: Failed to parse TOML content
        at org.stellar.anchor.util.Sep1Helper.parse(Sep1Helper.java:17)
        at org.stellar.anchor.platform.AbstractIntegrationTest.setupTests(AbstractIntegrationTest.kt:44)
        at org.stellar.anchor.platform.AbstractIntegrationTest.setUp(AbstractIntegrationTest.kt:34)
        at org.stellar.anchor.platform.AnchorPlatformEnd2EndTest$Companion.construct(AnchorPlatformEnd2EndTest.kt:14)
        at org.stellar.anchor.platform.AnchorPlatformEnd2EndTest.construct(AnchorPlatformEnd2EndTest.kt)

@reecexlm reecexlm changed the title ANCHOR-403-reece-SSRF-metadata ANCHOR-403-HOTFIX-WIP-DO-NOT-MERGE-reece-SSRF-metadata Aug 5, 2023
@stellar-jenkins
Copy link

Reference Server Preview is available here:
https://anchor-ref-pr1043.previews.kube001.services.stellar-ops.com/
SEP Server Preview is available here:
https://anchor-sep-pr1043.previews.kube001.services.stellar-ops.com/

@reecexlm reecexlm changed the base branch from develop to main August 6, 2023 12:09
@reecexlm reecexlm marked this pull request as ready for review August 9, 2023 02:57
@reecexlm reecexlm changed the title ANCHOR-403-HOTFIX-WIP-DO-NOT-MERGE-reece-SSRF-metadata ANCHOR-403-HOTFIX-Prevent-SSRF-metadata-leak Aug 9, 2023
@stellar-jenkins
Copy link

Something went wrong with PR preview build please check

@philipliu philipliu (Contributor) left a comment

LGTM

@philipliu philipliu changed the title ANCHOR-403-HOTFIX-Prevent-SSRF-metadata-leak [ANCHOR-403] Prevent SSRF through SEP-1 TOML redirect Aug 10, 2023
@philipliu philipliu requested a review from lijamie98 August 10, 2023 17:03
@philipliu philipliu dismissed lijamie98’s stale review August 10, 2023 17:04

Comments resolved

@reecexlm reecexlm removed the request for review from lijamie98 August 10, 2023 17:06
@reecexlm reecexlm merged commit 574e8c7 into main Aug 10, 2023
@reecexlm reecexlm deleted the ANCHOR-403-reece-SDP001-aws-metadata branch August 10, 2023 17:08
Comment on lines +21 to +23
if (!response.isSuccessful()) {
throw new IOException(String.format("Unable to fetch data from %s", url));
}
Contributor

Are we sure we want to throw an exception in this case? We aren't interested in the response body of a 400 transaction?

@reecexlm reecexlm (Contributor Author) Aug 10, 2023

Thanks! I will add the response code. Will that satisfy?

Contributor Author

Making additional changes per discussion in Slack.

try {
return new TomlContent(tomlString);
} catch (Exception e) {
// obfuscate exception message to prevent metadata leaks
Contributor

Should we still log it on ERR level? Otherwise it's hard to debug what went wrong.

reecexlm added a commit that referenced this pull request Aug 14, 2023
* ANCHOR-403-reece-SSRF-metadata

* use assertThrows

* additional cleanup

* remove custom exception

* make sure that the log event is actually captured by adding a verification step before the assertions

* temporary setting toml to url to test

* just testing. ignore

* try other file

* patch toml parser as well

* replace comment

* revert

* lint

* debugF

* revert config changes

* revert defaults
reecexlm added a commit that referenced this pull request Aug 14, 2023
* [ANCHOR-403] Prevent SSRF through SEP-1 TOML redirect (#1043)
* ANCHOR-403-reece-SSRF-metadata