Skip to content

Warn on port spoofing /7 #29463

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Rick-Anderson merged 15 commits into from
Jun 14, 2023
Merged

Warn on port spoofing /7 #29463

Rick-Anderson merged 15 commits into from
Jun 14, 2023

Conversation

@Rick-Anderson
Copy link
Contributor

@Rick-Anderson Rick-Anderson commented Jun 8, 2023
edited by github-actions bot
Loading

@Rick-Anderson Rick-Anderson marked this pull request as ready for review June 8, 2023 00:34
@Rick-Anderson Rick-Anderson requested a review from guardrex June 8, 2023 00:44
@guardrex
Copy link
Collaborator

guardrex commented Jun 8, 2023

host port spoofing

Isn't the concern beyond just port spoofing to include the host as well? ... or did you want it with a slash there ... "host/port spoofing"?

RequireAuthorization

I'm not clear on why that would work. I didn't see that that was a solution in dotnet/aspnetcore#46057.

@Rick-Anderson
Copy link
Contributor Author

Rick-Anderson commented Jun 8, 2023

@guardrex check my last commit on host/porr and suggest better wording.

RequireAuthorization

I'm not clear on why that would work. I didn't see that that was a solution in dotnet/aspnetcore#46057.

The PU will likely nix that but I thought I'd add it. It doesn't prevent authorized hosts from spoofing, just unauthorized, lol.

guardrex
guardrex reviewed Jun 8, 2023
View reviewed changes
guardrex
guardrex approved these changes Jun 8, 2023
View reviewed changes
Copy link
Collaborator

@guardrex guardrex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm cool, except for this line ...

To prevent unauthorized clients from spoofing the port, call xref:Microsoft.AspNetCore.Builder.AuthorizationEndpointConventionBuilderExtensions.RequireAuthorization%2A:

... just because I don't think that's going to work.

guardrex
guardrex reviewed Jun 8, 2023
View reviewed changes
Rick-Anderson
Rick-Anderson commented Jun 8, 2023
View reviewed changes
aspnetcore/host-and-deploy/health-checks.md
Comment on lines +105 to +107
To prevent unauthorized clients from spoofing the port, call <xref:Microsoft.AspNetCore.Builder.AuthorizationEndpointConventionBuilderExtensions.RequireAuthorization%2A>:

:::code language="csharp" source="~/host-and-deploy/health-checks/samples/7.x/HealthChecksSample/Snippets/Program.cs" id="snippet_MapHealthChecksRequireHostPortAuth":::
Copy link
Contributor Author

@Rick-Anderson Rick-Anderson Jun 8, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be removed?

@Rick-Anderson Rick-Anderson requested a review from JamesNK June 8, 2023 18:09
@Rick-Anderson
Copy link
Contributor Author

Rick-Anderson commented Jun 8, 2023

I'm cool, except for this line ...

To prevent unauthorized clients from spoofing the port, call xref:Microsoft.AspNetCore.Builder.AuthorizationEndpointConventionBuilderExtensions.RequireAuthorization%2A:

... just because I don't think that's going to work.

@JamesNK will decide. It prevents unauthorized clients from port spoofing, but not authorized clients.

@Rick-Anderson Rick-Anderson requested review from JamesNK and removed request for JamesNK June 9, 2023 21:51
@JamesNK
Copy link
Member

JamesNK commented Jun 10, 2023

I'm not familiar with this attack or workaround. I'm not the right person to review.

@Rick-Anderson Rick-Anderson removed the request for review from JamesNK June 10, 2023 02:29
@Rick-Anderson
Copy link
Contributor Author

Rick-Anderson commented Jun 10, 2023
edited
Loading

@blowdart or @Tratcher can you recommend a reviewer?

@Rick-Anderson Rick-Anderson requested a review from Tratcher June 13, 2023 19:07
Tratcher
Tratcher reviewed Jun 13, 2023
View reviewed changes
@Rick-Anderson Rick-Anderson requested a review from Tratcher June 13, 2023 21:15
Tratcher
Tratcher approved these changes Jun 14, 2023
View reviewed changes
@Rick-Anderson Rick-Anderson enabled auto-merge (squash) June 14, 2023 18:23
@Rick-Anderson Rick-Anderson merged commit 3a092ef into main Jun 14, 2023
@Rick-Anderson Rick-Anderson deleted the hostPortSpoof branch June 14, 2023 18:24
@david-acker david-acker mentioned this pull request Jun 14, 2023
Closed
Donciavas pushed a commit to Donciavas/AspNetCore.Docs that referenced this pull request Feb 7, 2024
@Rick-Anderson @guardrex
@Tratcher @Donciavas
Warn on port spoofing /7 (dotnet#29463)
6177b5b 
* Warn on port spoofing /7

* Warn on port spoofing /7

* Warn on port spoofing /7

* Warn on port spoofing /7

* Warn on port spoofing /7

* Warn on port spoofing /7

* Update aspnetcore/includes/spoof.md

Co-authored-by: Luke Latham <[email protected]>

* Apply suggestions from code review

Co-authored-by: Luke Latham <[email protected]>

* Warn on port spoofing /7

* Warn on port spoofing /7

* Warn on port spoofing /7

* Warn on port spoofing /7

* Warn on port spoofing /7

* Warn on port spoofing /7

* Update aspnetcore/includes/spoof.md

Co-authored-by: Chris Ross <[email protected]>

---------

Co-authored-by: Luke Latham <[email protected]>
Co-authored-by: Chris Ross <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@guardrex guardrex guardrex approved these changes

@Tratcher Tratcher Tratcher approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Unsafe pattern for port restriction in documentation

5 participants

@Rick-Anderson @guardrex @JamesNK @Tratcher