authorize_helper.isLoopbackAddress has flaws
it9gamelog opened this issue · 1 comments
it9gamelog commented
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- This issue affects my Ory Network project.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Describe the bug
isLoopbackAddress from https://github.com/ory/fosite/blame/45a6785cc54fcbd9195b0de4b821bb5fed6a41be/authorize_helper.go#L144 allows pattern that are not loopback address, because of the bug in the regex
String such as 127.0.0.11230
, 127x0x0x11230
, [::1]1230
is expected to returns false
from this function, instead of true
I am proposing a fix in the repro section below.
I don't think this is security critical though, there seems to be no way to construct a real internet routable domain from this and probably has no open redirect problem.
Reproducing the bug
package main
import (
"fmt"
"regexp"
)
// isLoopbackAddress from https://github.com/ory/fosite/blame/45a6785cc54fcbd9195b0de4b821bb5fed6a41be/authorize_helper.go#L144
func isLoopbackAddress(address string) bool {
match, _ := regexp.MatchString("^(127.0.0.1|\\[::1\\])(:?)(\\d*)$", address)
return match
}
func isLoopbackAddressFixed(address string) bool {
match, _ := regexp.MatchString("^(127\\.0\\.0\\.1|\\[::1\\])(:\\d*)?$", address)
return match
}
func main() {
fmt.Println(isLoopbackAddress("127.0.0.11230") == isLoopbackAddressFixed("127.0.0.11230")) // BUG, expects false!
fmt.Println(isLoopbackAddress("127x0x0x11230") == isLoopbackAddressFixed("127x0x0x11230")) // BUG, expects false!
fmt.Println(isLoopbackAddress("[::1]1230") == isLoopbackAddressFixed("[::1]1230")) // BUG, expects false!
fmt.Println(isLoopbackAddress("127.0.0.1") == isLoopbackAddressFixed("127.0.0.1"))
fmt.Println(isLoopbackAddress("127.0.0.1:1230") == isLoopbackAddressFixed("127.0.0.1:1230"))
fmt.Println(isLoopbackAddress("[::1]") == isLoopbackAddressFixed("[::1]"))
fmt.Println(isLoopbackAddress("[::1]:1230") == isLoopbackAddressFixed("[::1]:1230"))
}
Relevant log output
No response
Relevant configuration
No response
Version
45a6785 (Latest)
On which operating system are you observing this issue?
Other
In which environment are you deploying?
Other
Additional Context
No response
aeneasr commented
Thank you for the report! PRs with test cases are welcomed :)