fix(security): harden IP allowlist against XFF bypass and spoofing (#3)
Hardens the IP allowlist in require_auth against the two bypasses filed in #3. 1. Bypass via missing X-Forwarded-For (no IP to check, allowlist skipped). 2. Spoofing via attacker-controlled X-Forwarded-For (header trusted unconditionally). Resolves both by deriving the client IP from the socket peer (ConnectInfo<SocketAddr>) and only honoring X-Forwarded-For when the immediate peer is in a new security.trusted_proxies allowlist (default empty = strict). Fails closed with 403 forbidden_ip when a non-empty allowlist is configured and the client IP cannot be determined. Empty ip_whitelist continues to mean allow all (preserved for dev installs). 27 pm-auth tests pass (12 new resolver + 8 new middleware + 7 existing). Spec: tasks/ip-allowlist-spec.md.
This commit is contained in:
Draco-Lunaris-Echo
committed by
GitHub
GitHub
parent
8873b2c70c
commit
3bdae4bcc5
2
SPEC.md
2
SPEC.md
@ -88,7 +88,7 @@
|
||||
- Refresh tokens: opaque, server-side stored, 1-hour inactivity timeout, rotated on use, revocable
|
||||
- mTLS for all agent communication (TLS 1.3 only)
|
||||
- HTTPS for web UI (TLS 1.3 only)
|
||||
- **IP whitelist enforcement on all connection points**
|
||||
- **IP whitelist enforcement on all connection points** (with `security.trusted_proxies` to optionally honor `X-Forwarded-For` from a configured proxy; empty default = strict mode that uses the socket peer IP and ignores `X-Forwarded-For`; non-empty allowlist + unresolvable peer IP = fail-closed `403 forbidden_ip`) [Issue #3 / `tasks/ip-allowlist-spec.md`]
|
||||
- Role-based access control:
|
||||
- **Admin**: Full access to manage all aspects of Linux Patch Manager
|
||||
- **Operator**: Can add/remove clients, manage schedules and patches only for devices in their group memberships
|
||||
|
||||
Reference in New Issue
Block a user