From 4550535cbbdc2340931d8e20c221737125cab64d Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Thu, 21 Dec 2023 16:56:55 -0800
Subject: [PATCH] send proper IPv6 names avoid bracketing notation (#18699)

Following policies if present ``` "Condition": { "IpAddress": { "aws:SourceIp": [ "54.240.143.0/24", "2001:DB8:1234:5678::/64" ] } } ``` And client is making a request to MinIO via IPv6 can potentially crash the server. Workarounds are turn-off IPv6 and use only IPv4
---
 cmd/bucket-policy.go | 2 +-
 internal/handlers/proxy.go | 21 ++++++++++++++++-----
 internal/handlers/proxy_test.go | 4 ++--
 3 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/cmd/bucket-policy.go b/cmd/bucket-policy.go
index addfaf96e..f0a216c9e 100644
--- a/cmd/bucket-policy.go
+++ b/cmd/bucket-policy.go
@@ -121,7 +121,7 @@ func getConditionValues(r *http.Request, lc string, cred auth.Credentials) map[s
 "CurrentTime": {currTime.Format(time.RFC3339)},
 "EpochTime": {strconv.FormatInt(currTime.Unix(), 10)},
 "SecureTransport": {strconv.FormatBool(r.TLS != nil)},
- "SourceIp": {handlers.GetSourceIP(r)},
+ "SourceIp": {handlers.GetSourceIPRaw(r)},
 "UserAgent": {r.UserAgent()},
 "Referer": {r.Referer()},
 "principaltype": {principalType},
diff --git a/internal/handlers/proxy.go b/internal/handlers/proxy.go
index aedab5b2d..4e5dc966b 100644
--- a/internal/handlers/proxy.go
+++ b/internal/handlers/proxy.go
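Review bot: In the cmd/bucket-policy.go hunk, the `"SourceIp"` condition value is still an unvalidated string: `handlers.GetSourceIPRaw(r)` returns whatever a forwarding header carried, and the test table in this same patch shows non-address values such as `_gazonk` and `workstation.local` coming back from the header path. The commit message ties a malformed value in this field to a possible server crash, so if the condition evaluator assumes a parseable address it would be safer to check the value before it is stored, e.g. `if _, err := netip.ParseAddr(ip); err != nil { /* fall back to the host part of r.RemoteAddr */ }`. Falling back to the socket peer rather than to an empty string keeps negated address conditions from matching by accident. getConditionValues starts and ends outside this hunk, so how the map is consumed is not visible here.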
@@ -113,16 +113,27 @@ func GetSourceIPFromHeaders(r *http.Request) string {
 return addr
 }
-// GetSourceIP retrieves the IP from the request headers
+// GetSourceIPRaw retrieves the IP from the request headers
 // and falls back to r.RemoteAddr when necessary.
-func GetSourceIP(r *http.Request) string {
+// however returns without bracketing.
+func GetSourceIPRaw(r *http.Request) string {
 addr := GetSourceIPFromHeaders(r)
- if addr != "" {
- return addr
+ if addr == "" {
+ addr = r.RemoteAddr
 }
 // Default to remote address if headers not set.
- addr, _, _ = net.SplitHostPort(r.RemoteAddr)
+ raddr, _, _ := net.SplitHostPort(addr)
+ if raddr == "" {
+ return addr
+ }
+ return raddr
+}
+
+// GetSourceIP retrieves the IP from the request headers
+// and falls back to r.RemoteAddr when necessary.
+func GetSourceIP(r *http.Request) string {
+ addr := GetSourceIPRaw(r)
 if strings.ContainsRune(addr, ':') {
 return "[" + addr + "]"
 }
diff --git a/internal/handlers/proxy_test.go b/internal/handlers/proxy_test.go
index f014daf7f..ccd415df2 100644
--- a/internal/handlers/proxy_test.go
+++ b/internal/handlers/proxy_test.go
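Review bot: In the internal/handlers/proxy.go hunk, GetSourceIPRaw can still return a bracketed address. When a header carries `[2001:db8:cafe::17]` with no port (assuming GetSourceIPFromHeaders passes it through, as the old test expectations suggest), `net.SplitHostPort` fails, `raddr` is empty and the `if raddr == ""` branch returns `addr` with its brackets; GetSourceIP then wraps it a second time. Stripping the brackets on that fallback closes the gap, e.g. `return strings.TrimSuffix(strings.TrimPrefix(addr, "["), "]")` in place of `return addr`. The comment `// Default to remote address if headers not set.` now sits above the SplitHostPort call rather than the `addr = r.RemoteAddr` fallback it describes, and the discarded error deserves a why-comment such as `// no port present (or bare IPv6): keep the value as given`. GetSourceIP's body continues past the end of the hunk.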
@@ -62,10 +62,10 @@ func TestGetSourceIP(t *testing.T) {
 {xForwardedFor, "8.8.8.8, 8.8.4.4", "8.8.8.8"}, // Multiple
 {xForwardedFor, "", ""}, // None
 {xRealIP, "8.8.8.8", "8.8.8.8"}, // Single address
- {xRealIP, "[2001:db8:cafe::17]:4711", "[2001:db8:cafe::17]:4711"}, // IPv6 address
+ {xRealIP, "[2001:db8:cafe::17]:4711", "[2001:db8:cafe::17]"}, // IPv6 address
 {xRealIP, "", ""}, // None
 {forwarded, `for="_gazonk"`, "_gazonk"}, // Hostname
- {forwarded, `For="[2001:db8:cafe::17]:4711`, `[2001:db8:cafe::17]:4711`}, // IPv6 address
+ {forwarded, `For="[2001:db8:cafe::17]:4711`, `[2001:db8:cafe::17]`}, // IPv6 address
 {forwarded, `for=192.0.2.60;proto=http;by=203.0.113.43`, `192.0.2.60`}, // Multiple params
 {forwarded, `for=192.0.2.43, for=198.51.100.17`, "192.0.2.43"}, // Multiple params
 {forwarded, `for="workstation.local",for=198.51.100.17`, "workstation.local"}, // Hostname
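Review bot: The two updated rows in internal/handlers/proxy_test.go only cover IPv6 header values that carry a port, and nothing visible in this hunk tests GetSourceIPRaw, the function the bucket-policy path now depends on. Rows for a bracketed address without a port and for a bare address would pin the contract, e.g. `{xRealIP, "[2001:db8:cafe::17]", "[2001:db8:cafe::17]"}, // IPv6, brackets, no port` and `{xRealIP, "2001:db8:cafe::17", "[2001:db8:cafe::17]"}, // IPv6, bare`. A case with no forwarding header and an IPv6 `RemoteAddr` would cover the fallback path as well. TestGetSourceIP starts before and ends after this hunk, so the assertion loop itself is not visible.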