ruby-core@ruby-lang.org archive (unofficial mirror)
* [ruby-core:92037] [Ruby trunk Feature#15734] Parsing of shorthand IPv4 addresses compatible with inet_aton
From: envek @ 2019-03-28 17:50 UTC
  To: ruby-core

Issue #15734 has been reported by Envek (Andrey Novikov).

----------------------------------------
Feature #15734: Parsing of shorthand IPv4 addresses compatible with inet_aton 
https://bugs.ruby-lang.org/issues/15734

* Author: Envek (Andrey Novikov)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
----------------------------------------
Hi Ruby team!

I've created a pull request to the ipaddr gem: https://github.com/ruby/ipaddr/pull/12
I want it to be merged and included in the version of the gem that is bundled with Ruby itself.

---

Many applications (like browsers, `curl`, and `ping`) and even Ruby's own `Net::HTTP` library accept shorthand IPv4 addresses like `127.1` or `2130706433`, which both stand for `127.0.0.1`.

```
$ irb
irb(main):001:0> require 'net/http'
irb(main):002:0> Net::HTTP.get(URI.parse("http://127.1/")) # Success if you have web server running locally
=> "<!DOCTYPE html>\n<html>\n<head>\n<title>Welcome to nginx!</title>…"
```

But IPAddr can't accept such addresses, and it is really confusing:
```
irb(main):003:0> IPAddr.new("127.1")
IPAddr::InvalidAddressError (invalid address: 127.1)
```

This pull request makes IPv4 parsing match the behavior of most well-known applications, even though this isn't a standardized extension; there is, however, an RFC draft: [Textual Representation of IPv4 and IPv6 Addresses](https://tools.ietf.org/html/draft-main-ipaddr-text-rep-00).

Moreover, that mismatch in behavior could cause security vulnerabilities in Ruby applications that use the network, allow users to provide URLs to access (like “Upload picture from URL”), and have incorrectly configured URL filtering. A malicious user could then provide a link like `http://2130706433/private_file`, which currently will not be recognized as a loopback IP address, but `Net::HTTP.get` will happily query the local host's web server for the `private_file`. This is called an [SSRF attack](https://en.wikipedia.org/wiki/Server-side_request_forgery). Actually, I created this pull request because our security auditors reported such a vulnerability in one of our applications.
**NOTE**: There is **no** security flaw in ipaddr itself! It is just possible to run into one when you're developing an application.

See also:
 - Discussion at Reddit: https://www.reddit.com/r/networking/comments/7cf0zp/documentation_of_the_behavior_of_shorthand_ipv4/
 - `inet_aton` man page: https://linux.die.net/man/3/inet_aton

-- 
https://bugs.ruby-lang.org/
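The following is an added example, not code from the report above or from the ipaddr pull request it links. It implements the inet_aton(3) parsing rules the message describes (one to four dot-separated parts; decimal, octal or hex; the last part filling the remaining bytes) in plain Ruby, and then puts the report's SSRF scenario side by side: a filter that relies on `IPAddr.new` alone and therefore lets `http://2130706433/private_file` through, and a filter that normalises the host the way `inet_aton` would before consulting the blocklist. The function names (`inet_aton_compat`, `canonical_ipv4`, `naive_allowed?`, `hardened_allowed?`) and the `BLOCKED_NETS` list are this example's own choices, not part of ipaddr or Net::HTTP.

```ruby
require 'ipaddr'
require 'socket'
require 'uri'

# inet_aton(3)-compatible parser: 1 to 4 dot-separated parts, each decimal,
# octal (leading 0) or hex (0x); the last part fills all remaining bytes,
# so "127.1" is 127.0.0.1 and "2130706433" is the whole 32-bit value.
# Returns the address as an Integer, or nil if inet_aton would reject it.
def inet_aton_compat(str)
  parts = str.split('.', -1)
  return nil if parts.empty? || parts.size > 4

  values = parts.map do |part|
    case part
    when /\A0[xX][0-9a-fA-F]+\z/ then part.to_i(16)
    when /\A0[0-7]*\z/           then part.to_i(8)   # "0" and "0177" land here
    when /\A[1-9][0-9]*\z/       then part.to_i(10)
    else return nil                                  # empty part or junk
    end
  end

  head, last = values[0...-1], values[-1]
  return nil if head.any? { |v| v > 255 }
  remaining_bytes = 4 - head.size
  return nil if last >= (1 << (8 * remaining_bytes))

  (head.reduce(0) { |acc, v| (acc << 8) | v } << (8 * remaining_bytes)) | last
end

# Canonical dotted-quad spelling for any inet_aton-compatible input, or nil.
def canonical_ipv4(str)
  n = inet_aton_compat(str)
  n && IPAddr.new(n, Socket::AF_INET).to_s
end

# IPAddr literal or nil; IPAddr raises for shorthand forms and hostnames alike.
def ip_literal(str)
  IPAddr.new(str)
rescue IPAddr::InvalidAddressError
  nil
end

# Constructed blocklist for this example: loopback, RFC 1918, link-local,
# the "this network" range and IPv6 loopback.
BLOCKED_NETS = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
                  169.254.0.0/16 0.0.0.0/8 ::1/128].map { |cidr| IPAddr.new(cidr) }

# Vulnerable filter, as in the report: IPAddr only understands dotted quads,
# so "127.1" or "2130706433" looks like a hostname and is let through even
# though Net::HTTP will connect it to 127.0.0.1.
def naive_allowed?(url)
  host = URI.parse(url).hostname
  ip = host && ip_literal(host)
  ip.nil? || BLOCKED_NETS.none? { |net| net.include?(ip) }
end

# Hardened filter: normalise the host with inet_aton semantics before the
# blocklist check, so every spelling of 127.0.0.1 is caught.
def hardened_allowed?(url)
  host = URI.parse(url).hostname
  return false if host.nil? || host.empty?
  ip = ip_literal(canonical_ipv4(host) || host)
  # A genuine hostname still needs a resolve-then-check step (not shown here).
  return true if ip.nil?
  BLOCKED_NETS.none? { |net| net.include?(ip) }
end

if __FILE__ == $PROGRAM_NAME
  %w[http://127.1/ http://2130706433/private_file http://0x7f.1/
     http://0177.0.0.1/ http://203.0.113.10/].each do |url|
    puts "#{url.ljust(36)} naive=#{naive_allowed?(url)} hardened=#{hardened_allowed?(url)}"
  end
end
```

The hardened filter is still only half of an SSRF defence: a plain hostname has to be resolved and the resulting addresses checked against the same list (and the connection pinned to the checked address), and `::ffff:127.0.0.1`-style IPv6 mappings need the same normalisation. The point of the example is the one the report makes: whatever the filter checks must be parsed the same way the HTTP client will parse it.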
