Commit Graph

226 Commits

Author SHA1 Message Date
John Smith
a7fb7eea74 dont fail if client port fails to bind 2023-10-14 22:05:29 -04:00
Trent Waddington
72889b8f1a Fix warnings. 2023-10-10 12:51:11 +10:00
Christien Rioux
563b80e31c Merge branch 'clippy-fixes' into 'main'
Clippy fixes

See merge request veilid/veilid!195
2023-09-19 00:43:41 +00:00
Christien Rioux
f596b3ce05 more clippy 2023-09-18 15:22:40 -04:00
Christien Rioux
6438a64fc7 clippy work 2023-09-17 19:37:02 -04:00
TC Johnson
fa13f95a10
Version update: v0.2.2 → v0.2.3
- Security fix for WS denial of service
- Support for latest Rust 1.72
2023-09-17 13:21:57 -05:00
John Smith
d60c296303 cargo upgrades 2023-09-16 21:56:19 -04:00
TC Johnson
06c0abead8
Version update: v0.2.1 → v0.2.2 2023-09-16 17:32:16 -05:00
Christien Rioux
960a4cb964 Revert "version bump fix"
This reverts commit 2d291b86b6.
2023-09-16 16:51:59 -04:00
Christien Rioux
ba72aa9dd3 version bump fix 2023-09-16 16:51:59 -04:00
Christien Rioux
7f3f7c9166 clean up cargo.toml 2023-09-16 16:51:59 -04:00
TC Johnson
65826b219b
Version update: v0.2.0 → v0.2.1 2023-09-03 19:45:12 -05:00
John Smith
896df0bb97 more forking 2023-09-03 10:08:04 -04:00
Christien Rioux
64d9f456ce
Merge branch 'address-localhost-disk-consumption-attack' into 'main'
Avoid large logs of 127.0.0.1:5959 attack payloads

See merge request veilid/veilid!158
2023-09-03 00:32:29 +00:00
TC Johnson
2c46a159a3
Version update: v0.1.10 → v0.2.0 2023-09-02 09:45:56 -05:00
Christien Rioux
90772728c2 bumpversion fixes 2023-09-02 10:41:59 -04:00
Christien Rioux
e302b764d0 docs and tests work 2023-08-29 15:15:47 -05:00
Rivka Segan
4873a0c0c9 Avoid large logs of 127.0.0.1:5959 attack payloads
Because veilid-server listens on 127.0.0.1 TCP port 5959, it is
potentially open to attacks from websites if a user runs an ordinary
web browser (e.g., Chrome or Firefox) on the same computer.
Specifically, any https website can include JavaScript code that
begins with

   let message = 'WASTE_YOUR_VEILID_SERVER_DISK_SPACE_'.repeat(1000);

   fetch('http://127.0.0.1:5959/' + message)

and the web browser will then send many KB of data to veilid-server,
where it may typically be logged to disk by this code:
2ab51ae3e9/veilid-core/src/veilid_api/serialize_helpers/serialize_json.rs (L6-L12)

(Because Veilid hasn't even reached 1.0, it's very common for users to
enable a large amount of logging.)

The threat model is that someone creates a website that's apparently
of interest to any Veilid user, but the actual purpose of the website
is to leverage the user's web browser to silently tunnel an attack
payload into another application that is local to the user. An attack
that sends more than 1 MB of data (for each fetch API call) is
feasible, and the patch in this MR tries to address that.

Note that the most common web browsers always allow JavaScript on
arbitrary https websites to send data to 127.0.0.1 port 5959, there is
no configuration menu to shut this off, and the user is not alerted
that this is occurring. Brave 1.54 (June 2023) was the first popular
web browser to block this:
https://brave.com/privacy-updates/27-localhost-permission/

This does not mean that an adversary can just as easily setup a
website to send:

  {"op":"Control","args":["Shutdown"],"id":1}

to 127.0.0.1 TCP port 5959 and thereby terminate a veilid-server
process. A web browser using http will always send requests that begin
with specific strings (such as GET or OPTIONS) on the first line, and
the code at:

2ab51ae3e9/veilid-server/src/client_api.rs (L367)

2ab51ae3e9/veilid-server/src/client_api.rs (L244)

2ab51ae3e9/veilid-server/src/client_api.rs (L202)

seems to work together to ensure that no JSON object results in
command execution unless the first line of the input is a JSON object.
(Not sure if this was a design goal, or simply how it turned out.)

A web browser can do other things besides cleartext http (e.g., try to
start a TLS session to 127.0.0.1 TCP port 5959), but it's perhaps
unlikely that the initial bytes of the network traffic, in the context
of the above threat model, would ever be a JSON object.

Note that, although veilid-server is not speaking the HTTP protocol on
127.0.0.1 TCP port 5959, it is still able to read the data sent by any
web browser to http://127.0.0.1:5959, send that data to a JSON parser,
and write the data to the server logs. In limited testing, the HTTP
client typically saw zero bytes of application layer response;
however, if the HTTP client sent a huge amount of data (e.g., 16 MB),
the HTTP client would sometimes receive a large response with JSON
data about veilid-server's internal state. That might be a separate
bug. In the context of the threat model, this may not matter because
that JSON data isn't accessible by the operator of the website (that
hosts the JavaScript code).

There may be many ways to resolve this. First, the Veilid
documentation could recommend never running a web browser on any
machine that has veilid-server with 127.0.0.1 TCP port 5959 open.
Second, the existence of a realistically probe-able service on
127.0.0.1 TCP port 5959 might be considered much too large an attack
surface for an application of Veilid's sensitivity, and interprocess
communication could be replaced with something other than
unauthenticated TCP.

This MR is intended to improve Veilid for an ordinary user who wants
to help the project by installing veilid-server on their primary
personal machine, and wants veilid-cli to remain usable, but needs to
continue routine web browsing on that machine. It provides safer
behavior for such a person. The MR is not intended to benefit experts
who already understand localhost TCP risks, and either avoid all web
browsing on the same machine or have their own countermeasures. These
experts will not see any attacker-controlled traffic on port 5959, and
thus the reduction in logging should be of no concern to them.

Without the patch (and with logging on), data sent by a web browser is
always logged by veilid-server in the form:

   Connection processing failure: Parse error: 'expected value at line 1 column 1' with value 'deserialize_json:
   ---
   GET /<attacker_controlled_data> HTTP/1.1
   ---
    to type veilid_core::veilid_api::json_api::Request'

regardless of how long the attacker controlled data is. Some browsers
such as Chrome start by sending OPTIONS instead of GET.

With the patch, long malformed input is discarded and the log instead
contains:

   Connection processing failure: Parse error: 'expected value at line 1 column 1' with value 'deserialize_json:
   ---
   :skipped long input that's not a JSON object
   ---
    to type veilid_core::veilid_api::json_api::Request'

The patch allows logging of anything where the first non-whitespace
character is a '{' - this is considered safe (at the moment) because
no web browser (realistically used by a local user) can send '{' at
the beginning of the first line. Also, the patch allows logging of
requests smaller than 50 bytes to support two use cases. First, if a
node operator is sending one of the simple JSON API requests by hand
and is accidentally omitting the initial '{' from the JSON object,
they'll be able to see the failure in their logs. Second, non-expert
node operators may want some limited visibility into the details of
adversarial activity on http://127.0.0.1:5959. Of course, this default
logging policy could be made more flexible later if Veilid decides to
stay with unauthenticated TCP. The patch only aims to defeat a simple
DoS attack against the out-of-the-box code.
2023-08-28 04:53:31 +00:00
Christien Rioux
3125c19f02 doc work 2023-08-27 16:39:50 -05:00
Δ ǀ Ξ ȼ
5b2b27cb31 veilid-server with Clap v4 2023-08-22 21:12:23 +00:00
Christien Rioux
cb9b19fc9f up connection limits for ws 2023-08-22 15:11:45 -04:00
TC Johnson
513116e672
Version update: v0.1.9 → v0.1.10 2023-08-20 11:37:18 -05:00
Petr Krutov
d9e0f757b0 fixed network-ket arg 2023-08-20 14:04:30 +04:00
TC Johnson
dfeecdde0d
Version update: v0.1.8 → v0.1.9 2023-08-19 17:35:52 -05:00
TC Johnson
04c26e48f0 'Version update: 0.1.7 → 0.1.8' 2023-08-18 20:27:01 -05:00
a1ecbr0wn
c46fcea005
Fix to get server version, sorry 2023-08-18 23:27:27 +01:00
a1ecbr0wn
7e39d08de6
Get the server version number from Cargo.toml 2023-08-18 23:14:37 +01:00
Christien Rioux
1a18201260 fix tests 2023-08-18 00:53:31 -04:00
Christien Rioux
559ac5f162 fix server port allocation 2023-08-18 00:06:21 -04:00
John Smith
8a287d13ef 0.1.7 2023-07-30 19:33:58 -04:00
John Smith
1861650d44 0.1.6 2023-07-22 16:28:05 -04:00
TC Johnson
4951e983c7
Release 0.1.5 2023-07-22 12:02:10 -05:00
Christien Rioux
fa45f491eb 0.1.4 2023-07-19 21:15:54 -04:00
John Smith
4702a33a4a licensing 2023-07-19 12:48:44 -04:00
Christien Rioux
f65400a1ce network fixes 2023-07-19 10:07:51 -04:00
John Smith
fff6742c6f version bump 2023-07-17 17:53:42 -04:00
Christien Rioux
217a2470b0 first version bump 2023-07-16 15:04:00 -04:00
John Smith
e674eaf496 capability work 2023-07-03 18:01:02 -04:00
John Smith
dfb4eefd92 switch out capabilities 2023-07-03 15:10:28 -04:00
John Smith
05a9ee754e cleanup dht stuff and client/server api 2023-06-28 23:15:06 -04:00
John Smith
297908796c remove owo colors 2023-06-25 14:09:22 -04:00
John Smith
234f048241 simplify tracing 2023-06-24 22:59:51 -04:00
John Smith
c8624a73a2 oops 2023-06-24 20:23:57 -04:00
John Smith
909ef6bf69 messages cleanup 2023-06-24 20:23:33 -04:00
John Smith
acebcb7947 network keying 2023-06-23 21:12:48 -04:00
John Smith
bc6421acf7 fixes 2023-06-23 17:01:52 -04:00
John Smith
dfc22aee8e fix tests 2023-06-22 18:31:31 -04:00
John Smith
addfd64473 xfer 2023-06-22 17:42:34 -04:00
John Smith
d6f442d431 better error handling 2023-06-15 20:22:54 -04:00
John Smith
615e0ca1d0 more tests 2023-06-14 21:06:10 -04:00
John Smith
532bcf2e2a json api cli working 2023-06-09 19:08:49 -04:00
John Smith
419bfcd8ce checkpoint 2023-06-08 14:07:09 -04:00
John Smith
317f036598 server api 2023-06-07 17:39:10 -04:00
John Smith
88db69c28f checkpoint 2023-06-06 19:09:29 -04:00
John Smith
6a86f2265a json api work 2023-06-03 18:33:27 -04:00
John Smith
0a890c8707 removing dev branch, many changes 2023-05-29 19:24:57 +00:00
John Smith
e91044e33d crash fixes 2023-03-14 14:52:02 -04:00
John Smith
dae2e7c10f xfer 2023-03-13 17:57:51 -04:00
John Smith
ff9b421631 fix tests 2023-03-03 10:55:31 -05:00
John Smith
dfd1af0c6b bugfixes 2023-03-01 20:12:30 -05:00
John Smith
562f9bb7f7 refactor 2023-03-01 15:50:30 -05:00
John Smith
615158d54e cleaning up 2023-02-28 21:11:26 -05:00
John Smith
1d8e2d3fda bootstrap 2023-02-13 16:12:46 -05:00
John Smith
1ba0cdb9cf checkpoint 2023-02-11 15:54:55 -05:00
John Smith
a58a87719c break everything 2023-02-07 21:44:50 -05:00
John Smith
16d74b96f3 alignment refactor 2022-12-16 21:55:03 -05:00
John Smith
bbf97a535a windows support and more recursion fixes 2022-12-01 19:08:40 -05:00
John Smith
5d8fa97360 fix server 2022-12-01 17:38:43 -05:00
John Smith
b1bdf76ae8 refactor 2022-11-26 21:37:23 -05:00
John Smith
27f7f49d4f checkpoint 2022-11-21 22:50:42 -05:00
John Smith
688995ed0d pr work 2022-11-16 12:49:53 -05:00
John Smith
662ed03d19 capnp ids 2022-11-12 22:20:31 -05:00
John Smith
94d1598ce1 remove node_dial_info 2022-11-12 21:29:43 -05:00
John Smith
1c93b6e8cb rkyv issue 2022-11-12 12:10:38 -05:00
John Smith
baf1353fd2 test 2022-11-11 18:00:11 -05:00
John Smith
404f579baa add tokio console 2022-11-03 11:28:29 -04:00
John Smith
6d5df71ac1 routing table refactor 2022-10-18 21:53:45 -04:00
John Smith
e85d72f21a more private route work 2022-10-13 22:05:43 -04:00
John Smith
046b61d5d8 more app message call 2022-09-30 22:37:55 -04:00
John Smith
507d02974c Merge branch 'main' of gitlab.hackers.town:veilid/veilid into dev 2022-09-23 11:31:15 -04:00
Adam Shamblin
90e51e70c7
WIP, docs folder 2022-09-19 20:18:35 -06:00
Adam Shamblin
b7e05ceea0
WIP, further docs 2022-09-19 19:18:46 -06:00
John Smith
e0a5b1bd69 refactor checkpoint 2022-09-03 13:57:25 -04:00
John Smith
2be409da61 change hostnames 2022-08-28 14:46:14 -04:00
John Smith
1b59633d73 crlf 2022-08-23 13:30:49 -04:00
John Smith
997eca05b6 igd 2022-08-22 13:27:26 -04:00
John Smith
568a308c82 testing 2022-08-18 19:27:18 -04:00
John Smith
0204af263d detection work 2022-08-07 14:55:48 -04:00
John Smith
ef096eb310 liveness tweaks 2022-08-05 18:07:32 -04:00
John Smith
9b0ab866f1 network 2022-08-04 20:21:03 -04:00
John Smith
400d7021d2 refactor 2022-07-14 16:57:34 -04:00
John Smith
007150c818 fix windows 2022-07-12 13:07:02 -04:00
John Smith
529aa93ab7 test 2022-07-12 13:02:50 -04:00
John Smith
7e0d7dad06 refactor 2022-07-10 17:36:50 -04:00
John Smith
cd0cd78e30 eyre work 2022-07-06 23:15:51 -04:00
John Smith
48cd02c39d min_peer_count 2022-07-05 21:38:46 -04:00
John Smith
36f95692f6 fix relay 2022-07-05 19:47:25 -04:00
John Smith
e31aa84db0 cli fix 2022-07-02 11:41:25 -04:00
John Smith
d96e5a131c more cleanup 2022-07-01 16:20:43 -04:00
John Smith
c106d324c8 api and log refactor 2022-07-01 12:13:52 -04:00