Enforce same origin for all resources of an RRDP server. (#953)

partim · web-flow · commit 105dfe940667 · 2024-04-11T17:43:11.000+02:00
This PR enforces that all resources fetched for an RRDP server have the same
origin as the URI provided in the CA certificate. It checks this for all
URIs provided in the server’s notification file and restricts redirects to
URIs with the same origin.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/src/collector/rrdp/http.rs b/src/collector/rrdp/http.rs
@@ -5,7 +5,7 @@ use std::time::Duration;
 use bytes::Bytes;
 use chrono::{DateTime, Utc};
 use log::{error, warn};
-use reqwest::header;
+use reqwest::{header, redirect};
 use reqwest::{Certificate, Proxy, StatusCode};
 use reqwest::blocking::{Client, ClientBuilder, RequestBuilder, Response};
 use rpki::uri;
@@ -52,6 +52,9 @@ impl HttpClient {
         builder = builder.user_agent(&config.rrdp_user_agent);
         builder = builder.tcp_keepalive(config.rrdp_tcp_keepalive);
         builder = builder.timeout(None); // Set per request.
+        builder = builder.redirect(
+            redirect::Policy::custom(Self::redirect_policy)
+        );
         if let Some(timeout) = config.rrdp_connect_timeout {
             builder = builder.connect_timeout(timeout);
         }
@@ -256,6 +259,29 @@ impl HttpClient {
         }
     }
     */
+
+    /// The redirect policy.
+    ///
+    /// We allow up to 10 redirects (reqwest’s default policy) but only if
+    /// the origin stays the same.
+    fn redirect_policy(attempt: redirect::Attempt) -> redirect::Action {
+        if attempt.previous().len() > 9 {
+            return attempt.stop();
+        }
+        let orig = match attempt.previous().first() {
+            Some(url) => url,
+            None => return attempt.follow() // Shouldn’t happen?
+        };
+        let new = attempt.url();
+        let orig = (orig.scheme(), orig.host(), orig.port());
+        let new = (new.scheme(), new.host(), new.port());
+        if orig == new {
+            attempt.follow()
+        }
+        else {
+            attempt.stop()
+        }
+    }
 }
 
 
diff --git a/src/collector/rrdp/update.rs b/src/collector/rrdp/update.rs
@@ -98,6 +98,12 @@ impl Notification {
             warn!("RRDP {}: {}", uri, err);
             Failed
         })?;
+        if !content.has_matching_origins(&uri) {
+            warn!("RRDP {}: snapshot or delta files with different origin",
+                uri
+            );
+            return Err(Failed)
+        }
         content.sort_deltas();
         Ok(Notification { uri, content, etag, last_modified })
     }
