nucypher/nucypher

Endpoint /ping reveals sensitive information

Closed this issue · 4 comments

Describe the Bug
The /ping endpoint exposed by each node returns the IP address of the requester. It's not working as intended when a node is behind a proxy. Then it will return the IP address of the proxy. I think it is not intended and not secure as it reveals the internal address range of the infrastructure where the node is running.

To Reproduce
Open https://<PUBLIC_IP_OF_THE_NODE>:/ping

Problematic Code

https://github.com/nucypher/nucypher/blob/v7.0.4/nucypher/network/server.py#L276

On the "server-side" the ping endpoint only accesses the remote's request and returns results back to the requester (e2e encrypted using SSL/TLS). This information is extracted from the TCP/IP connection established between the client and the server. When a request passes through a proxy, the proxy often replaces the original IP address with its own in the TCP/IP packet headers. Given that the connection is established in public and each request is encrypted for the node, it's unclear how parsing an incoming request's IP headers or connection metadata can reveal any sensitive information in a well-configured network.

Furthermore, if your proxy is allowing internal IP addresses to pass through from the internal host's request headers -- does this mean that you expect a different inbound vs outbound IP address?

So far I have been unable to reproduce this issue while running behind several different types of NAT/proxies. Can you please elaborate on your issue? Perhaps your proxy or network configuration is not handling request headers correctly?

After a deeper investigation, it's become clear that I have examined the issue with the assumption that the sender's proxy was causing the problem, but actually the issue is with the remote's proxy! Indeed, if the remote is behind a proxy the request header is replaced with a local private network address, then forwarded along to the node, which then responds with the internal IP.

Thanks for indicating this issue; we'll have a fix in for the next release.
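The two comments above describe the mechanics: the handler echoes the peer address of the TCP connection, so when the node sits behind a reverse proxy that peer is the proxy's private address, which then gets sent back to the requester. The following is an added illustration written for this page, not nucypher's code and not the fix landed in #3398. It contrasts a naive echo of the peer address with a resolver that only honours `X-Forwarded-For` when the connecting peer is a configured trusted proxy, and that refuses to return private, loopback or link-local addresses at all, so a misconfigured proxy chain fails closed instead of leaking the internal range. The function names, the `trusted_proxies` parameter and the sample addresses are all constructed for the example.

```python
import ipaddress
from typing import Mapping, Optional, Sequence

# Constructed example: a minimal model of a /ping handler's address logic.
# None of these names come from nucypher; they exist only to show the
# difference between echoing the TCP peer and resolving the real client.


def naive_ping(remote_addr: str) -> str:
    """The behaviour the issue describes: echo whatever peer address the
    TCP connection reports. Behind a reverse proxy that is the proxy's
    private address, e.g. 10.0.0.2, which is what leaks."""
    return remote_addr


def _parse_ip(value: str) -> Optional[ipaddress._BaseAddress]:
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def resolve_client_ip(
    remote_addr: str,
    headers: Mapping[str, str],
    trusted_proxies: Sequence[str] = (),
) -> Optional[str]:
    """Return the address the client actually connected from.

    remote_addr is the TCP peer as the server sees it. Only if that peer is
    one of our own trusted proxies (CIDR list, assumed configuration) do we
    consult X-Forwarded-For, walking the chain from the right and skipping
    our own proxies. An untrusted peer can never assert an address via a
    header, which prevents spoofing by anyone who can reach the node.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(ip: ipaddress._BaseAddress) -> bool:
        return any(ip in net for net in trusted)

    peer = _parse_ip(remote_addr)
    if peer is None:
        return None
    if not is_trusted(peer):
        return str(peer)

    # Header names are case-insensitive; accept either spelling.
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), "")
    hops = [h for h in (_parse_ip(p) for p in xff.split(",")) if h is not None]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return str(hop)
    # The chain contained only our own proxies: fall back to the peer.
    return str(peer)


def ping_response(
    remote_addr: str,
    headers: Mapping[str, str],
    trusted_proxies: Sequence[str] = (),
) -> Optional[str]:
    """What a hardened /ping would return. Internal-looking addresses are
    never echoed, so even a misconfigured deployment (proxy present but not
    listed in trusted_proxies) cannot reveal the internal address range."""
    resolved = resolve_client_ip(remote_addr, headers, trusted_proxies)
    if resolved is None:
        return None
    ip = ipaddress.ip_address(resolved)
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return None
    return resolved


if __name__ == "__main__":
    # Constructed sample: node behind a reverse proxy at 10.0.0.2 that
    # forwards a request from a public client.
    hdrs = {"X-Forwarded-For": "93.184.216.35"}
    print("naive   :", naive_ping("10.0.0.2"))                       # 10.0.0.2 (leak)
    print("hardened:", ping_response("10.0.0.2", hdrs, ("10.0.0.0/8",)))  # 93.184.216.35
    print("untrusted proxy:", ping_response("10.0.0.2", hdrs))      # None, fails closed
```

The trust list is the important design choice: honouring `X-Forwarded-For` from every peer would let any requester choose the address the node reports, so the header is consulted only when the connection really comes from a proxy the operator controls. The final private-address check is independent of that list and is what closes the leak reported in this issue when the list is missing or wrong.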

I've started work on this issue in #3398. Feel free to post there if you have additional requests or comments.

Closed for 7.1.x via #3398