permission: add permission for udp #53398
Conversation
|
Review requested:
|
nodejs-github-bot
added
c++
theanarkh
force-pushed
the
add-permission-for-dns
branch
from
de7f6ac
to
0fc2a52
Compare
theanarkh
force-pushed
the
add-permission-for-dns
branch
2 times, most recently
from
8e44fed
to
9c645ef
Compare
|
I assume this also impacts the http module |
Yes. Or we can skip the permission check when using dns module in Node.js core. |
theanarkh
force-pushed
the
add-permission-for-dns
branch
from
9c645ef
to
67f5b92
Compare
Its very important to document it as I think http is unusable without dns being granted |
theanarkh
force-pushed
the
add-permission-for-dns
branch
3 times, most recently
from
9c54926
to
54facc9
Compare
There was a problem hiding this comment.
Hey, thanks for working on that.
Would you mind providing some context on why you believe this is useful for end users? In other words, what kind of security would this provide?
Requesting changes just to make sure we are aligned this is something we'd like to see on the Permission Model
I would say it's 90% unusable. AFAIK Anyway it's not only |
|
Thank you for reviewing the code. I tried to add permission verification to the network(TCP / UDP / DNS) module. The user can set the access to only certain domain names or IP addresses, for example, to avoid SSRF attacks. |
|
@theanarkh I think I'm losing some context. You said you blocked access but I don't see in the code. Are you saying that you blocked at DNS level, isn't it? If that's the case, I was instead talking to prevent |
|
I see a lot of value in this PR, as part of adding permission model to the network. |
|
@marco-ippolito I totally agree. If we agree this is only the first PR which will be shortly followed by others for complete coverage of But I get to choose I'd prefer a single and comprehensive PR that covers both Nonetheless, for clarity I'm not blocking this as it is an amazing piece of work ❤️ |
|
Thanks for all the suggestions, I convert this PR to draft and continue to work on it. |
theanarkh
changed the title
I see that too, it's probably more useful to block all network communication instead of specific DNS operations. |
theanarkh
force-pushed
the
add-permission-for-dns
branch
3 times, most recently
from
ea66a82
to
ed0b811
Compare
theanarkh
force-pushed
the
add-permission-for-dns
branch
2 times, most recently
from
5cf5136
to
29e2adc
Compare
theanarkh
requested review from
RafaelGSS,
anonrig,
ShogunPanda and
marco-ippolito
| at afterDns (node:dgram:337:12) | ||
| at node:dgram:379:9 | ||
| at process.processTicksAndRejections (node:internal/process/task_queues:77:11) { | ||
| code: 'ERR_ACCESS_DENIED' |
There was a problem hiding this comment.
Instead of adding "Permission: bind to 127.0.0.1/9297", we should add a resource field and a permission field to the error object. See how --allow-fs-read works
src/permission/net_permission.cc
Outdated
| &netmask, | ||
| result->netmask, | ||
| ip_version)) { // 127.0.0.1/255.255.255.0 | ||
| std::cerr << "invalid netmask: " << result->netmask << std::endl; |
|
Good work! |
If add permission check in native side, i think we should pass a flags to tell native side if it needs to check the permission. Because the native side should not check the IP if the IP is from In addition. If we use UDP in cluster worker(use So i think we also need to check the permission in JS layer. |
Hey, I'll review it carefully over the week. Sorry for the delay. Since it's a security feature, I want to make sure we have covered all caveats as it would expose security vulnerabilities if landed. |
There was a problem hiding this comment.
We need to adjust a few things before landing it. Assuming a regular udpv4 socket server:
const server = udp.createSocket('udp4');
server.on('error', () => {}
server.bind(() => {})
- The error object should contain the
resourceproperty. In this case, resource will be the address + port. - The error object should contain the
permissionproperty. In this case,NetUDP. - How would we handle IPV6 addresses when
--allow-net-udp=IPV4/22? Will Octal IP addresses be covered? We must have tests for all those assertions regardless of whether we are supporting this first iteration or not. - You need to rebase on main, since the
ERR_ACCESS_DENIEDerror changed a bit (b9289a6#diff-670bf55805b781d9a3579f8bca9104c04d94af87cc33220149fd7d37b095ca1cR1115). - We should not use
std::cerr(iostream) for error messages. Instead, create proper error objects. - What if
fdis passed to_createSocketHandle? I don't think we could support it. But, we must document. - Last but not least, can't we move all those checks to the C++ side? I think it's less susceptible to changes that would bypass the UDP Check. For instance, if someone writes a new JS API to create UDP sockets, they might forget to include
permission.hascheck leading to an exposure. If we use theudp_wrap.ccit's more likely to be reused in any new JS API.
Overall, looks really good.
theanarkh
force-pushed
the
add-permission-for-dns
branch
2 times, most recently
from
8b0d61d
to
457760e
Compare
|
@RafaelGSS 3: What does the const dgram = require('dgram')
const server = dgram.createSocket('udp4');
server.on('error', console.log)
server.bind(8888, "::1",() => {})
const dgram = require('dgram')
const server = dgram.createSocket('udp4');
server.on('error', console.log)
server.bind(8888, "localhost",() => {})
If we only check in C++ layer, the code above will throw an error because we do not allow bind to 127.0.0.1(the result of dns.lookup). Thanks for your review. I will continue to improve the code and add more tests. |
| } | ||
| } | ||
| // Resolve address first | ||
| state.handle.lookup(address, afterDns); |
There was a problem hiding this comment.
Why don't we throw the error in .lookup()? This would reduce the duplicated code.
There was a problem hiding this comment.
If the address which is allowed is a domain, we should allow bind to all IPs this domain ponit to, so I think we need check before DNS lookup.
theanarkh
force-pushed
the
add-permission-for-dns
branch
2 times, most recently
from
f555bd8
to
9f3b13c
Compare
|
@anonrig Thanks for your review. I have updated the code and added some replies. |
theanarkh
force-pushed
the
add-permission-for-dns
branch
2 times, most recently
from
d34f32b
to
d389d9a
Compare
theanarkh
force-pushed
the
add-permission-for-dns
branch
from
d389d9a
to
e4e3cc5
Compare
| at afterDns (node:dgram:337:12) | ||
| at node:dgram:379:9 | ||
| at process.processTicksAndRejections (node:internal/process/task_queues:77:11) { | ||
| code: 'ERR_ACCESS_DENIED' |
|
|
||
| // The flag --experimental_permission maybe set after --allow-net-udp | ||
| // So we just check allow_net_udp.size() here | ||
| if (allow_net_udp.size() > 0) { |
There was a problem hiding this comment.
This logic must live on NETPermission::Apply
|
|
||
| namespace permission { | ||
|
|
||
| bool ConvertIPToBitset(std::bitset<IPV6_BIT_LEN>* bitset, |
There was a problem hiding this comment.
We should have a cpp test for this
| bool checked = true; | ||
| if (args.Length() > 3 && args[3]->IsBoolean()) { | ||
| checked = args[3].As<Boolean>()->Value(); | ||
| } |
| @@ -861,4 +861,59 @@ v8::Maybe<int> GetValidFileMode(Environment* env, | |||
| return v8::Just(mode); | |||
| } | |||
|
|
|||
| bool IsDigit(const std::string_view str) { | |||
There was a problem hiding this comment.
All these functions needs a cpp test
Yeah, that's expected. In the future, we can check if |
But we can not know the IP of other domains. For example, when |
Why we simply don't resolve the domain in the C++ layer? Something like:
Also, what happens if I pass:
|
Refs: #44004
This PR add permission check or UDP module. Usage:
node --allow-net-udp=domain1,127.0.0.1/80 --allow-net-udp-in=domain2/9999The format can be
*,*/*,host,host:*,host:port,host/netmask:port,*/port...(hostcan be domain or IP).make -j4 test(UNIX), orvcbuild test(Windows) passes