[feature request] Check for default location with regexp server name
Consider we have the following nginx configuration:
server {
    listen 127.0.1.2:80;
    server_name ~^([a-z0-9]+).site.com;
    rewrite (.*) https://$server_name/$1 redirect;
}
And if it happens that this is the first server for that IP:port and there is no default server for that IP:port, this server automatically becomes the default server for that IP:port. In that case an attacker can reveal the server_name part of the nginx config with the following request:
$ curl -I http://127.0.1.2/ -H Host: --http1.0
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.13.6
Date: Tue, 17 Apr 2018 11:48:46 GMT
Content-Type: text/html
Content-Length: 161
Connection: close
Location: https://~^([a-z0-9]+).site.com//
This must be a rare case, and not too much information is revealed, but anyway, if you add a check for that it would be great.
Hi! I know about this problem, but I don't know how to fix it correctly. Maybe you have some ideas? I can add a check for the absence of a default server section, but it will often be a false positive :(
Well, I would have done it the following way:
- collect all IP:port pairs from configs; exclude pairs that have servers with server_name ""
- for each pair, find the default server (the one with the default_server directive, or the first server for that pair)
- check each default server for a regexp as its first server_name
Yes, this is the correct path if we are checking the SLB configuration. But in the case of a downstream nginx (e.g. an application-level nginx behind an L7 balancer) this wouldn't make sense. On the other hand, it is not such a frequent configuration in the wild, so I think I'll do the following:
- check for the existence of a default server section
- check for regexes in its first server_name
Thanks! :+1:
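The check sketched in the two comments above (collect IP:port pairs, skip pairs that have a server with an empty server_name, pick the default server per pair, flag a regex as its first server_name), written out as a small stand-alone script. This is an added example for this thread, not code from the project or from either commenter. It assumes a simplified nginx grammar: top-level server blocks found by brace matching, listen and server_name read as single-line directives, a bare port in listen normalised to *:port, and comments containing braces not handled. It goes one step beyond the comments by also reporting whether the flagged server actually references $server_name, which is what makes the leak in the original report observable and helps with the false-positive concern; the sample config is constructed for the example.

```python
import re

SERVER_OPEN = re.compile(r'\bserver\s*\{')
LISTEN = re.compile(r'^\s*listen\s+([^;]+);', re.M)
SERVER_NAME = re.compile(r'^\s*server_name\s+([^;]+);', re.M)

# Constructed sample config (not from the issue). Three listen pairs:
#  127.0.1.2:80  first server is the regex one and uses $server_name  -> leak
#  127.0.1.3:80  has a server_name "" catch-all for Host-less requests -> skipped
#  127.0.1.4:80  explicit default_server has a regex but no $server_name use
SAMPLE_CONFIG = r"""
server {
    listen 127.0.1.2:80;
    server_name ~^([a-z0-9]+).site.com;
    rewrite (.*) https://$server_name/$1 redirect;
}
server {
    listen 127.0.1.3:80;
    server_name "";
}
server {
    listen 127.0.1.3:80;
    server_name ~^api\.;
}
server {
    listen 127.0.1.4:80;
    server_name www.example.com;
    location / { return 200; }
}
server {
    listen 127.0.1.4:80 default_server;
    server_name ~^(?<sub>.+)\.example\.com$;
}
"""


def _server_blocks(text):
    """Return the body of every top-level server { ... } block (brace-depth scan)."""
    blocks, pos = [], 0
    while True:
        m = SERVER_OPEN.search(text, pos)
        if not m:
            return blocks
        depth, j = 1, m.end()
        while j < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[j], 0)
            j += 1
        blocks.append(text[m.end():j - 1])  # body without the closing brace
        pos = j


def _normalise_listen(addr):
    """'80' -> '*:80', '127.0.0.1' -> '127.0.0.1:80'; everything else untouched (simplification)."""
    if ':' in addr:
        return addr
    return '*:' + addr if addr.isdigit() else addr + ':80'


def parse_servers(text):
    """One record per listen directive: which IP:port it serves, its server_names in order,
    whether it is marked default_server, and whether the block references $server_name."""
    servers = []
    for body in _server_blocks(text):
        names = []
        for raw in SERVER_NAME.findall(body):
            names.extend(tok.strip('"\'') for tok in raw.split())  # "" becomes ''
        for raw in LISTEN.findall(body):
            toks = raw.split()
            servers.append({
                'listen': _normalise_listen(toks[0]),
                'names': names,
                'default': 'default_server' in toks or 'default' in toks,
                'uses_server_name_var': '$server_name' in body,
            })
    return servers


def find_default_servers(servers):
    """nginx rule: an explicit default_server wins; otherwise the first server declared for the pair."""
    defaults = {}
    for s in servers:
        cur = defaults.get(s['listen'])
        if cur is None or (s['default'] and not cur['default']):
            defaults[s['listen']] = s
    return defaults


def leaking_default_servers(text):
    """(IP:port, first server_name, references $server_name) for every default server whose
    first server_name is a regex, skipping pairs that have a server_name "" catch-all."""
    servers = parse_servers(text)
    empty_name_pairs = {s['listen'] for s in servers if '' in s['names']}
    findings = []
    for pair, s in find_default_servers(servers).items():
        if pair in empty_name_pairs or not s['names']:
            continue
        if s['names'][0].startswith('~'):
            findings.append((pair, s['names'][0], s['uses_server_name_var']))
    return sorted(findings)


if __name__ == '__main__':
    for pair, name, uses_var in leaking_default_servers(SAMPLE_CONFIG):
        print(f'{pair}: default server has regex first server_name {name!r}'
              f' ({"uses" if uses_var else "does not use"} $server_name)')
```

Run it against a real nginx.conf by replacing SAMPLE_CONFIG with the file contents; with include directives you would first have to inline the included files, which this example does not do.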