harden(auth): SA3 review follow-ups — IPv6-mapped match + no-proxy-headers guardrail
Post-review hardening (both fail-safe, not bugs): - _client_ip normalizes IPs via ipaddress and unwraps IPv4-mapped IPv6, so a plain TRUSTED_PROXY_IPS=10.10.0.1 also matches a peer surfaced as ::ffff:10.10.0.1 (a Docker/IPv6 self-host footgun that would otherwise silently collapse everyone into one rate-limit bucket). - entrypoint.sh + _client_ip docstring: explicit warning never to add uvicorn --proxy-headers, which would rewrite request.client from the forgeable XFF and defeat the trust check.
This commit is contained in:
parent
7297dbd2a8
commit
776fb38b9b
2 changed files with 23 additions and 2 deletions
|
|
@ -10,4 +10,9 @@ echo "Starting Siftlode API..."
|
|||
# timeout, so Caddy would reuse a connection uvicorn had just closed -> broken pipe / reset
|
||||
# on the next request -> 502. Non-idempotent POSTs (the player's progress/state writes,
|
||||
# fired every 5s) can't be auto-retried by the proxy, so those 502s reached the user.
|
||||
#
|
||||
# SECURITY: do NOT add --proxy-headers / --forwarded-allow-ips here. auth._client_ip trusts
|
||||
# X-Forwarded-For only when the TRUE socket peer is a configured proxy (TRUSTED_PROXY_IPS); those
|
||||
# flags would make uvicorn overwrite request.client from the forgeable XFF, defeating that check and
|
||||
# reopening the rate-limit bypass (SA3).
|
||||
exec uvicorn app.main:app --host 0.0.0.0 --port 8000 --log-config log_config.json --timeout-keep-alive 75
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue