Enforce same origin for all resources of an RRDP server. (#953)

This PR enforces that all resources fetched for an RRDP server have the same origin as the URI provided in the CA certificate. It checks this for all URIs provided in the server’s notification file and restricts redirects to URIs with the same origin.
NLnetLabs · Apr 11, 2024 · 105dfe9 · 105dfe9
1 parent 4b8a3d5
commit 105dfe9
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 2 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/src/collector/rrdp/http.rs b/src/collector/rrdp/http.rs
@@ -5,7 +5,7 @@ use std::time::Duration;
 use bytes::Bytes;
 use chrono::{DateTime, Utc};
 use log::{error, warn};
-use reqwest::header;
+use reqwest::{header, redirect};
 use reqwest::{Certificate, Proxy, StatusCode};
 use reqwest::blocking::{Client, ClientBuilder, RequestBuilder, Response};
 use rpki::uri;
@@ -52,6 +52,9 @@ impl HttpClient {
         builder = builder.user_agent(&config.rrdp_user_agent);
         builder = builder.tcp_keepalive(config.rrdp_tcp_keepalive);
         builder = builder.timeout(None); // Set per request.
+        builder = builder.redirect(
+            redirect::Policy::custom(Self::redirect_policy)
+        );
         if let Some(timeout) = config.rrdp_connect_timeout {
             builder = builder.connect_timeout(timeout);
         }
@@ -256,6 +259,29 @@ impl HttpClient {
         }
     }
     */
+
+    /// The redirect policy.
+    ///
+    /// We allow up to 10 redirects (reqwest’s default policy) but only if
+    /// the origin stays the same.
+    fn redirect_policy(attempt: redirect::Attempt) -> redirect::Action {
+        if attempt.previous().len() > 9 {
+            return attempt.stop();
+        }
+        let orig = match attempt.previous().first() {
+            Some(url) => url,
+            None => return attempt.follow() // Shouldn’t happen?
+        };
+        let new = attempt.url();
+        let orig = (orig.scheme(), orig.host(), orig.port());
+        let new = (new.scheme(), new.host(), new.port());
+        if orig == new {
+            attempt.follow()
+        }
+        else {
+            attempt.stop()
+        }
+    }
 }
 
 

diff --git a/src/collector/rrdp/update.rs b/src/collector/rrdp/update.rs
@@ -98,6 +98,12 @@ impl Notification {
             warn!("RRDP {}: {}", uri, err);
             Failed
         })?;
+        if !content.has_matching_origins(&uri) {
+            warn!("RRDP {}: snapshot or delta files with different origin",
+                uri
+            );
+            return Err(Failed)
+        }
         content.sort_deltas();
         Ok(Notification { uri, content, etag, last_modified })
     }