Skip to content

Forwarded Headers Middleware: X-Forwarded-Prefix Applied when it comes from an Unknown Proxy #61449

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
1 task done
yannic-hamann-abb opened this issue Apr 11, 2025 · 1 comment · Fixed by #61530
Closed
1 task done

Forwarded Headers Middleware: X-Forwarded-Prefix Applied when it comes from an Unknown Proxy #61449

yannic-hamann-abb opened this issue Apr 11, 2025 · 1 comment · Fixed by #61530
Labels
area-middleware Includes: URL rewrite, redirect, response cache/compression, session, and other general middlewares
Milestone
10.0-preview4

Comments

@yannic-hamann-abb
Copy link
Contributor

yannic-hamann-abb commented Apr 11, 2025
edited
Loading

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

I am not understanding the security concerns why X-Forwarded-Fields should be only allowed for known proxies - but that is what the documentation implies.
The current implementation of ForwardedHeadersMiddleware only breaks and logs Unknown proxy: {RemoteIpAndPort} when the flag ForwardedHeaders.XForwardedFor is set.

Documentation says:

Address ranges of known networks to accept forwarded headers from.

With other words you can end up with a configuration like:

var options = new ForwardedHeadersOptions { ForwardedHeaders = ForwardedHeaders.XForwardedPrefix };

which modifies your request.PathBase even though it comes from an unknown proxy. Is this a bug or by design? If by design maybe documentation could be improved.
XForwardedProto and XForwardedHost are potentially bypassed in the same way.

Expected Behavior

Unknown due to my limited security understanding. Maybe HttpContext.Request.PathBase should be left untouched by the middleware when header comes from an unknown proxy.

Steps To Reproduce

var options = new ForwardedHeadersOptions { ForwardedHeaders = ForwardedHeaders.XForwardedPrefix };
// options.KnownNetworks.Add(new Microsoft.AspNetCore.HttpOverrides.IPNetwork(IPAddress.Parse("0.0.0.0"), 0));
_application.UseForwardedHeaders(options);

Exceptions (if any)

No response

.NET Version

9.0.104

Anything else?

I would like to contribute to fix this issue. I am planning to write some tests tomorrow for this and suggest a PR with some more detailed description of the issue.
@dotnet-issue-labeler dotnet-issue-labeler bot added the area-middleware Includes: URL rewrite, redirect, response cache/compression, session, and other general middlewares label Apr 11, 2025
@yannic-hamann-abb
Copy link
Contributor Author

yannic-hamann-abb commented Apr 13, 2025
edited
Loading

Proof that there is a bug and that XForwardedPrefix, XForwardedProto and XForwardedHost headers can be spoofed because the CheckKnownAddress method that determines if the headers can be trusted only kicks in when XForwardedFor is set: f0aa956.

I also cannot delete this issue. I contacted [email protected] to delete this issue. I think it is not a super critical security issue - and I wasn't really 100% sure if the headers can be spoofed when I created this.
But from reading a bit more this could even potentially qualify for a bug bounty 😂.
Anyhow, I am not frequently contributing to open source and it would make me happy and proud when I can commit a change to this repo that fixes this.

@yannic-hamann-abb yannic-hamann-abb mentioned this issue Apr 17, 2025
Merged
4 tasks
@BrennanConroy BrennanConroy modified the milestones: 2.1.x, 10.0-preview4 Apr 22, 2025
This was referenced Apr 23, 2025
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area-middleware Includes: URL rewrite, redirect, response cache/compression, session, and other general middlewares
Projects
None yet
Milestone
10.0-preview4
2 participants
@BrennanConroy @yannic-hamann-abb