Websocket Proxy should verify Origin header
If the Origin HTTP header passed in the WebSocket handshake does not match the host, this could indicate an attempt at a cross-site attack. This commit adds a check to verify the origin matches the host. SecurityImpact Change-Id: Ica6ec23d6f69a236657d5ba0c3f51b693c633649 Closes-Bug: 1409142
This commit is contained in:
parent
e5ed57dc3f
commit
fdb73a2d44
|
@ -30,9 +30,15 @@ from nova.consoleauth import rpcapi as consoleauth_rpcapi
|
|||
from nova import context
|
||||
from nova import exception
|
||||
from nova.i18n import _
|
||||
from oslo_config import cfg
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
CONF = cfg.CONF
|
||||
CONF.import_opt('novncproxy_base_url', 'nova.vnc')
|
||||
CONF.import_opt('html5proxy_base_url', 'nova.spice', group='spice')
|
||||
CONF.import_opt('base_url', 'nova.console.serial', group='serial_console')
|
||||
|
||||
|
||||
class NovaProxyRequestHandlerBase(object):
|
||||
def address_string(self):
|
||||
|
@ -41,6 +47,22 @@ class NovaProxyRequestHandlerBase(object):
|
|||
# deployments due to DNS configuration and break VNC access completely
|
||||
return str(self.client_address[0])
|
||||
|
||||
def verify_origin_proto(self, console_type, origin_proto):
|
||||
if console_type == 'novnc':
|
||||
expected_proto = \
|
||||
urlparse.urlparse(CONF.novncproxy_base_url).scheme
|
||||
elif console_type == 'spice-html5':
|
||||
expected_proto = \
|
||||
urlparse.urlparse(CONF.spice.html5proxy_base_url).scheme
|
||||
elif console_type == 'serial':
|
||||
expected_proto = \
|
||||
urlparse.urlparse(CONF.serial_console.base_url).scheme
|
||||
else:
|
||||
detail = _("Invalid Console Type for WebSocketProxy: '%s'") % \
|
||||
console_type
|
||||
raise exception.ValidationError(detail=detail)
|
||||
return origin_proto == expected_proto
|
||||
|
||||
def new_websocket_client(self):
|
||||
"""Called after a new WebSocket connection has been established."""
|
||||
# Reopen the eventlet hub to make sure we don't share an epoll
|
||||
|
@ -79,6 +101,28 @@ class NovaProxyRequestHandlerBase(object):
|
|||
if not connect_info:
|
||||
raise exception.InvalidToken(token=token)
|
||||
|
||||
# Verify Origin
|
||||
expected_origin_hostname = self.headers.getheader('Host')
|
||||
if ':' in expected_origin_hostname:
|
||||
e = expected_origin_hostname
|
||||
expected_origin_hostname = e.split(':')[0]
|
||||
origin_url = self.headers.getheader('Origin')
|
||||
# missing origin header indicates non-browser client which is OK
|
||||
if origin_url is not None:
|
||||
origin = urlparse.urlparse(origin_url)
|
||||
origin_hostname = origin.hostname
|
||||
origin_scheme = origin.scheme
|
||||
if origin_hostname == '' or origin_scheme == '':
|
||||
detail = _("Origin header not valid.")
|
||||
raise exception.ValidationError(detail=detail)
|
||||
if expected_origin_hostname != origin_hostname:
|
||||
detail = _("Origin header does not match this host.")
|
||||
raise exception.ValidationError(detail=detail)
|
||||
if not self.verify_origin_proto(connect_info['console_type'],
|
||||
origin.scheme):
|
||||
detail = _("Origin header protocol does not match this host.")
|
||||
raise exception.ValidationError(detail=detail)
|
||||
|
||||
self.msg(_('connect info: %s'), str(connect_info))
|
||||
host = connect_info['host']
|
||||
port = int(connect_info['port'])
|
||||
|
|
|
@ -20,6 +20,9 @@ import mock
|
|||
from nova.console import websocketproxy
|
||||
from nova import exception
|
||||
from nova import test
|
||||
from oslo_config import cfg
|
||||
|
||||
CONF = cfg.CONF
|
||||
|
||||
|
||||
class NovaProxyRequestHandlerBaseTestCase(test.TestCase):
|
||||
|
@ -32,15 +35,85 @@ class NovaProxyRequestHandlerBaseTestCase(test.TestCase):
|
|||
self.wh.msg = mock.MagicMock()
|
||||
self.wh.do_proxy = mock.MagicMock()
|
||||
self.wh.headers = mock.MagicMock()
|
||||
CONF.set_override('novncproxy_base_url',
|
||||
'https://example.net:6080/vnc_auto.html')
|
||||
CONF.set_override('html5proxy_base_url',
|
||||
'https://example.net:6080/vnc_auto.html',
|
||||
'spice')
|
||||
CONF.set_override('base_url',
|
||||
'https://example.net:6080/vnc_auto.html',
|
||||
'serial_console')
|
||||
|
||||
def _fake_getheader(self, header):
|
||||
if header == 'cookie':
|
||||
return 'token="123-456-789"'
|
||||
elif header == 'Origin':
|
||||
return 'https://example.net:6080'
|
||||
elif header == 'Host':
|
||||
return 'example.net:6080'
|
||||
else:
|
||||
return
|
||||
|
||||
def _fake_getheader_bad_token(self, header):
|
||||
if header == 'cookie':
|
||||
return 'token="XXX"'
|
||||
elif header == 'Origin':
|
||||
return 'https://example.net:6080'
|
||||
elif header == 'Host':
|
||||
return 'example.net:6080'
|
||||
else:
|
||||
return
|
||||
|
||||
def _fake_getheader_bad_origin(self, header):
|
||||
if header == 'cookie':
|
||||
return 'token="123-456-789"'
|
||||
elif header == 'Origin':
|
||||
return 'https://bad-origin-example.net:6080'
|
||||
elif header == 'Host':
|
||||
return 'example.net:6080'
|
||||
else:
|
||||
return
|
||||
|
||||
def _fake_getheader_blank_origin(self, header):
|
||||
if header == 'cookie':
|
||||
return 'token="123-456-789"'
|
||||
elif header == 'Origin':
|
||||
return ''
|
||||
elif header == 'Host':
|
||||
return 'example.net:6080'
|
||||
else:
|
||||
return
|
||||
|
||||
def _fake_getheader_no_origin(self, header):
|
||||
if header == 'cookie':
|
||||
return 'token="123-456-789"'
|
||||
elif header == 'Origin':
|
||||
return None
|
||||
elif header == 'Host':
|
||||
return 'any-example.net:6080'
|
||||
else:
|
||||
return
|
||||
|
||||
def _fake_getheader_http(self, header):
|
||||
if header == 'cookie':
|
||||
return 'token="123-456-789"'
|
||||
elif header == 'Origin':
|
||||
return 'http://example.net:6080'
|
||||
elif header == 'Host':
|
||||
return 'example.net:6080'
|
||||
else:
|
||||
return
|
||||
|
||||
@mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
|
||||
def test_new_websocket_client(self, check_token):
|
||||
check_token.return_value = {
|
||||
'host': 'node1',
|
||||
'port': '10000'
|
||||
'port': '10000',
|
||||
'console_type': 'novnc'
|
||||
}
|
||||
self.wh.socket.return_value = '<socket>'
|
||||
self.wh.path = "http://127.0.0.1/?token=123-456-789"
|
||||
self.wh.headers.getheader = self._fake_getheader
|
||||
|
||||
self.wh.new_websocket_client()
|
||||
|
||||
|
@ -53,6 +126,7 @@ class NovaProxyRequestHandlerBaseTestCase(test.TestCase):
|
|||
check_token.return_value = False
|
||||
|
||||
self.wh.path = "http://127.0.0.1/?token=XXX"
|
||||
self.wh.headers.getheader = self._fake_getheader_bad_token
|
||||
|
||||
self.assertRaises(exception.InvalidToken,
|
||||
self.wh.new_websocket_client)
|
||||
|
@ -62,11 +136,12 @@ class NovaProxyRequestHandlerBaseTestCase(test.TestCase):
|
|||
def test_new_websocket_client_novnc(self, check_token):
|
||||
check_token.return_value = {
|
||||
'host': 'node1',
|
||||
'port': '10000'
|
||||
'port': '10000',
|
||||
'console_type': 'novnc'
|
||||
}
|
||||
self.wh.socket.return_value = '<socket>'
|
||||
self.wh.path = "http://127.0.0.1/"
|
||||
self.wh.headers.getheader.return_value = "token=123-456-789"
|
||||
self.wh.headers.getheader = self._fake_getheader
|
||||
|
||||
self.wh.new_websocket_client()
|
||||
|
||||
|
@ -79,7 +154,7 @@ class NovaProxyRequestHandlerBaseTestCase(test.TestCase):
|
|||
check_token.return_value = False
|
||||
|
||||
self.wh.path = "http://127.0.0.1/"
|
||||
self.wh.headers.getheader.return_value = "token=XXX"
|
||||
self.wh.headers.getheader = self._fake_getheader_bad_token
|
||||
|
||||
self.assertRaises(exception.InvalidToken,
|
||||
self.wh.new_websocket_client)
|
||||
|
@ -90,7 +165,8 @@ class NovaProxyRequestHandlerBaseTestCase(test.TestCase):
|
|||
check_token.return_value = {
|
||||
'host': 'node1',
|
||||
'port': '10000',
|
||||
'internal_access_path': 'vmid'
|
||||
'internal_access_path': 'vmid',
|
||||
'console_type': 'novnc'
|
||||
}
|
||||
|
||||
tsock = mock.MagicMock()
|
||||
|
@ -98,6 +174,7 @@ class NovaProxyRequestHandlerBaseTestCase(test.TestCase):
|
|||
|
||||
self.wh.socket.return_value = tsock
|
||||
self.wh.path = "http://127.0.0.1/?token=123-456-789"
|
||||
self.wh.headers.getheader = self._fake_getheader
|
||||
|
||||
self.wh.new_websocket_client()
|
||||
|
||||
|
@ -110,7 +187,8 @@ class NovaProxyRequestHandlerBaseTestCase(test.TestCase):
|
|||
check_token.return_value = {
|
||||
'host': 'node1',
|
||||
'port': '10000',
|
||||
'internal_access_path': 'xxx'
|
||||
'internal_access_path': 'xxx',
|
||||
'console_type': 'novnc'
|
||||
}
|
||||
|
||||
tsock = mock.MagicMock()
|
||||
|
@ -118,6 +196,7 @@ class NovaProxyRequestHandlerBaseTestCase(test.TestCase):
|
|||
|
||||
self.wh.socket.return_value = tsock
|
||||
self.wh.path = "http://127.0.0.1/?token=123-456-789"
|
||||
self.wh.headers.getheader = self._fake_getheader
|
||||
|
||||
self.assertRaises(exception.InvalidConnectionInfo,
|
||||
self.wh.new_websocket_client)
|
||||
|
@ -130,10 +209,12 @@ class NovaProxyRequestHandlerBaseTestCase(test.TestCase):
|
|||
version_info.return_value = (2, 7, 3)
|
||||
check_token.return_value = {
|
||||
'host': 'node1',
|
||||
'port': '10000'
|
||||
'port': '10000',
|
||||
'console_type': 'novnc'
|
||||
}
|
||||
self.wh.socket.return_value = '<socket>'
|
||||
self.wh.path = "http://127.0.0.1/?token=123-456-789"
|
||||
self.wh.headers.getheader = self._fake_getheader
|
||||
|
||||
self.wh.new_websocket_client()
|
||||
|
||||
|
@ -148,10 +229,12 @@ class NovaProxyRequestHandlerBaseTestCase(test.TestCase):
|
|||
version_info.return_value = (2, 7, 3)
|
||||
check_token.return_value = {
|
||||
'host': 'node1',
|
||||
'port': '10000'
|
||||
'port': '10000',
|
||||
'console_type': 'novnc'
|
||||
}
|
||||
self.wh.socket.return_value = '<socket>'
|
||||
self.wh.path = "ws://127.0.0.1/?token=123-456-789"
|
||||
self.wh.headers.getheader = self._fake_getheader
|
||||
|
||||
self.assertRaises(exception.NovaException,
|
||||
self.wh.new_websocket_client)
|
||||
|
@ -172,3 +255,107 @@ class NovaProxyRequestHandlerBaseTestCase(test.TestCase):
|
|||
|
||||
self.assertFalse(getfqdn.called) # no reverse dns look up
|
||||
self.assertEqual(handler.address_string(), '8.8.8.8') # plain address
|
||||
|
||||
@mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
|
||||
def test_new_websocket_client_novnc_bad_origin_header(self, check_token):
|
||||
check_token.return_value = {
|
||||
'host': 'node1',
|
||||
'port': '10000',
|
||||
'console_type': 'novnc'
|
||||
}
|
||||
|
||||
self.wh.path = "http://127.0.0.1/"
|
||||
self.wh.headers.getheader = self._fake_getheader_bad_origin
|
||||
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.wh.new_websocket_client)
|
||||
|
||||
@mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
|
||||
def test_new_websocket_client_novnc_blank_origin_header(self, check_token):
|
||||
check_token.return_value = {
|
||||
'host': 'node1',
|
||||
'port': '10000',
|
||||
'console_type': 'novnc'
|
||||
}
|
||||
|
||||
self.wh.path = "http://127.0.0.1/"
|
||||
self.wh.headers.getheader = self._fake_getheader_blank_origin
|
||||
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.wh.new_websocket_client)
|
||||
|
||||
@mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
|
||||
def test_new_websocket_client_novnc_no_origin_header(self, check_token):
|
||||
check_token.return_value = {
|
||||
'host': 'node1',
|
||||
'port': '10000',
|
||||
'console_type': 'novnc'
|
||||
}
|
||||
self.wh.socket.return_value = '<socket>'
|
||||
self.wh.path = "http://127.0.0.1/"
|
||||
self.wh.headers.getheader = self._fake_getheader_no_origin
|
||||
|
||||
self.wh.new_websocket_client()
|
||||
|
||||
check_token.assert_called_with(mock.ANY, token="123-456-789")
|
||||
self.wh.socket.assert_called_with('node1', 10000, connect=True)
|
||||
self.wh.do_proxy.assert_called_with('<socket>')
|
||||
|
||||
@mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
|
||||
def test_new_websocket_client_novnc_bad_origin_proto_vnc(self,
|
||||
check_token):
|
||||
check_token.return_value = {
|
||||
'host': 'node1',
|
||||
'port': '10000',
|
||||
'console_type': 'novnc'
|
||||
}
|
||||
|
||||
self.wh.path = "http://127.0.0.1/"
|
||||
self.wh.headers.getheader = self._fake_getheader_http
|
||||
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.wh.new_websocket_client)
|
||||
|
||||
@mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
|
||||
def test_new_websocket_client_novnc_bad_origin_proto_spice(self,
|
||||
check_token):
|
||||
check_token.return_value = {
|
||||
'host': 'node1',
|
||||
'port': '10000',
|
||||
'console_type': 'spice-html5'
|
||||
}
|
||||
|
||||
self.wh.path = "http://127.0.0.1/"
|
||||
self.wh.headers.getheader = self._fake_getheader_http
|
||||
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.wh.new_websocket_client)
|
||||
|
||||
@mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
|
||||
def test_new_websocket_client_novnc_bad_origin_proto_serial(self,
|
||||
check_token):
|
||||
check_token.return_value = {
|
||||
'host': 'node1',
|
||||
'port': '10000',
|
||||
'console_type': 'serial'
|
||||
}
|
||||
|
||||
self.wh.path = "http://127.0.0.1/"
|
||||
self.wh.headers.getheader = self._fake_getheader_http
|
||||
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.wh.new_websocket_client)
|
||||
|
||||
@mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
|
||||
def test_new_websocket_client_novnc_bad_console_type(self, check_token):
|
||||
check_token.return_value = {
|
||||
'host': 'node1',
|
||||
'port': '10000',
|
||||
'console_type': 'bad-console-type'
|
||||
}
|
||||
|
||||
self.wh.path = "http://127.0.0.1/"
|
||||
self.wh.headers.getheader = self._fake_getheader
|
||||
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.wh.new_websocket_client)
|
||||
|
|
Loading…
Reference in New Issue