authorize_helper.isLoopbackAddress has flaws

Question

authorize_helper.isLoopbackAddress has flaws

it9gamelog opened this issue a year ago · 1 comments

Preflight checklist

I could not find a solution in the existing issues, docs, nor discussions.
I agree to follow this project's Code of Conduct.
I have read and am following this repository's Contribution Guidelines.
This issue affects my Ory Network project.
I have joined the Ory Community Slack.
I am signed up to the Ory Security Patch Newsletter.

Describe the bug

isLoopbackAddress from https://github.com/ory/fosite/blame/45a6785cc54fcbd9195b0de4b821bb5fed6a41be/authorize_helper.go#L144 allows pattern that are not loopback address, because of the bug in the regex

String such as 127.0.0.11230, 127x0x0x11230, [::1]1230 is expected to returns false from this function, instead of true

I am proposing a fix in the repro section below.

I don't think this is security critical though, there seems to be no way to construct a real internet routable domain from this and probably has no open redirect problem.

Reproducing the bug

package main

import (
	"fmt"
	"regexp"
)

// isLoopbackAddress from https://github.com/ory/fosite/blame/45a6785cc54fcbd9195b0de4b821bb5fed6a41be/authorize_helper.go#L144
func isLoopbackAddress(address string) bool {
	match, _ := regexp.MatchString("^(127.0.0.1|\\[::1\\])(:?)(\\d*)$", address)
	return match
}

func isLoopbackAddressFixed(address string) bool {
	match, _ := regexp.MatchString("^(127\\.0\\.0\\.1|\\[::1\\])(:\\d*)?$", address)
	return match
}

func main() {
	fmt.Println(isLoopbackAddress("127.0.0.11230") == isLoopbackAddressFixed("127.0.0.11230")) // BUG, expects false!
	fmt.Println(isLoopbackAddress("127x0x0x11230") == isLoopbackAddressFixed("127x0x0x11230")) // BUG, expects false!
	fmt.Println(isLoopbackAddress("[::1]1230") == isLoopbackAddressFixed("[::1]1230"))         // BUG, expects false!

	fmt.Println(isLoopbackAddress("127.0.0.1") == isLoopbackAddressFixed("127.0.0.1"))
	fmt.Println(isLoopbackAddress("127.0.0.1:1230") == isLoopbackAddressFixed("127.0.0.1:1230"))
	fmt.Println(isLoopbackAddress("[::1]") == isLoopbackAddressFixed("[::1]"))
	fmt.Println(isLoopbackAddress("[::1]:1230") == isLoopbackAddressFixed("[::1]:1230"))
}

Relevant log output

No response

Relevant configuration

No response

Version

45a6785 (Latest)

On which operating system are you observing this issue?

Other

In which environment are you deploying?

Other

Additional Context

No response

Answer 1 · 2023-06-14T12:50:16.000Z

Thank you for the report! PRs with test cases are welcomed :)