Commit Graph

185 Commits

Author SHA1 Message Date
Christien Rioux
b7eeec20ab improve dht consensus checking and low level networking 2024-09-21 15:13:29 +00:00
Christien Rioux
22069d3430 improve verbose tracing. clean up some errors. 2024-08-20 15:07:37 -04:00
Christien Rioux
7eff6d12cc add namespacing to WASM TableStore 2024-08-17 01:01:30 +00:00
Christien Rioux
01a4b9c735 cargo fmt 2024-08-11 09:43:37 -07:00
Christien Rioux
f7ce5f93d0 add '--port' command line option for veilid-server that changes the base port for all protocols 2024-08-05 12:27:39 -05:00
Christien Rioux
87a0e38e36 reduce frequency of interface resets on ios 2024-07-25 21:10:12 -04:00
Christien Rioux
2ec843cd17 clean up spans and correct shutdown behavior. clean up reverse connection and hole punch errors 2024-07-21 22:35:41 -04:00
Christien Rioux
35dc7bdfd6 spawn names 2024-07-21 22:35:41 -04:00
Christien Rioux
e568c39efb shutdown work and perfetto logger 2024-07-21 22:35:40 -04:00
Christien Rioux
1c8a76b0a4 fix async-std build 2024-07-17 20:07:23 -04:00
Christien Rioux
4a55cd08c3 crate update work 2024-07-17 18:58:33 -04:00
Christien Rioux
deaff56232 veilid-server now defaults to waiting for port 5150 2024-07-17 18:04:50 -04:00
Christien Rioux
76f5052960 instruments 2024-07-03 21:00:12 -04:00
Christien Rioux
20e76bbed1 flamegraph and instrumentation work 2024-07-03 13:15:59 -04:00
John Smith
c8bb574948 fix warning on windows 2024-04-28 17:37:47 -04:00
Christien Rioux
49e6eace8e add IPC directory to rpm and deb packaging
add config verify step after all command line options have been processed

closes #366
2024-04-28 17:31:04 -04:00
Christien Rioux
ad085ed15e improve logging
dart ffi has duration measurements for veilid_api calls
2024-04-04 14:12:54 -04:00
John Smith
309492e9a8 fix signal handling 2024-03-27 17:53:51 -05:00
Christien Rioux
fdc3de906f major logging cleanup 2024-03-27 17:53:51 -05:00
Christien Rioux
6455aff14a make change_log_ignore a thing 2024-03-27 17:53:51 -05:00
Christien Rioux
a04d4e12c5 integration test and config work 2024-03-27 17:53:50 -05:00
Christien Rioux
ad45660db9 fix tests 2024-03-27 17:53:50 -05:00
Christien Rioux
ef6ecdab79 logging improvements 2024-03-27 17:53:50 -05:00
John Smith
a092463f77 clean up warnings 2024-01-20 22:06:15 -05:00
Christien Rioux
599677bb2d better version 2024-01-19 22:10:10 -05:00
Christien Rioux
617d059eb5 add missing function 2024-01-19 22:04:41 -05:00
John Smith
70ef992714 windows fix 2024-01-19 13:55:35 -05:00
John Smith
5ad4814515 push configuration check to veilid-server 2024-01-19 13:55:35 -05:00
John Smith
25637e5ff5 disable async-std+windows build 2024-01-19 13:55:35 -05:00
John Smith
b11f404d3f async-std support 2024-01-19 13:55:35 -05:00
John Smith
d1aa488883 windows specific ipc logic 2024-01-19 13:55:35 -05:00
John Smith
f47adfa03f change signature of accept function 2024-01-19 13:55:35 -05:00
John Smith
bdb64a96ea cleanup a bit 2024-01-19 13:55:35 -05:00
John Smith
caa2746110 ipc works 2024-01-19 13:55:35 -05:00
John Smith
37979277b5 IPC to server 2024-01-19 13:55:33 -05:00
John Smith
6d2119f32e fix #347 and #349 2024-01-19 13:53:43 -05:00
John Smith
7129343ea1 some debugging for bootstrap and route purge 2024-01-19 13:53:43 -05:00
Christien Rioux
9b8420d288 more watchvalue 2024-01-19 13:53:42 -05:00
Christien Rioux
70e256a25a checkpoint 2024-01-19 13:53:42 -05:00
Christien Rioux
3f86801ecd Merge branch 'salvatoret/clean-up-warnings' into 'main'
Clean up the compile-time warnings

See merge request veilid/veilid!247
2024-01-19 18:53:31 +00:00
Salvatore Testa
5884f89d1a
Clean up the compile-time warnings
These are all the auto-applied warning corrections.
2024-01-11 15:16:18 -08:00
Salvatore Testa
e378d01682
Move default storage config to veilid-core
The default is currently `""` which puts all of the files without
grouping them in the top level.

Instead, use the paths that `veilid-server` has configured as the
defaults.
2024-01-11 10:19:31 -08:00
Kyle H
af27b5aa85 Change 'whitelist' to 'allowlist' globally. 2023-11-23 14:49:45 +00:00
John Smith
a7fb7eea74 dont fail if client port fails to bind 2023-10-14 22:05:29 -04:00
Trent Waddington
72889b8f1a Fix warnings. 2023-10-10 12:51:11 +10:00
Christien Rioux
f596b3ce05 more clippy 2023-09-18 15:22:40 -04:00
Christien Rioux
6438a64fc7 clippy work 2023-09-17 19:37:02 -04:00
Christien Rioux
64d9f456ce
Merge branch 'address-localhost-disk-consumption-attack' into 'main'
Avoid large logs of 127.0.0.1:5959 attack payloads

See merge request veilid/veilid!158
2023-09-03 00:32:29 +00:00
Christien Rioux
e302b764d0 docs and tests work 2023-08-29 15:15:47 -05:00
Rivka Segan
4873a0c0c9 Avoid large logs of 127.0.0.1:5959 attack payloads
Because veilid-server listens on 127.0.0.1 TCP port 5959, it is
potentially open to attacks from websites if a user runs an ordinary
web browser (e.g., Chrome or Firefox) on the same computer.
Specifically, any https website can include JavaScript code that
begins with

   let message = 'WASTE_YOUR_VEILID_SERVER_DISK_SPACE_'.repeat(1000);

   fetch('http://127.0.0.1:5959/' + message)

and the web browser will then send many KB of data to veilid-server,
where it may typically be logged to disk by this code:
2ab51ae3e9/veilid-core/src/veilid_api/serialize_helpers/serialize_json.rs (L6-L12)

(Because Veilid hasn't even reached 1.0, it's very common for users to
enable a large amount of logging.)

The threat model is that someone creates a website that's apparently
of interest to any Veilid user, but the actual purpose of the website
is to leverage the user's web browser to silently tunnel an attack
payload into another application that is local to the user. An attack
that sends more than 1 MB of data (for each fetch API call) is
feasible, and the patch in this MR tries to address that.

Note that the most common web browsers always allow JavaScript on
arbitrary https websites to send data to 127.0.0.1 port 5959, there is
no configuration menu to shut this off, and the user is not alerted
that this is occurring. Brave 1.54 (June 2023) was the first popular
web browser to block this:
https://brave.com/privacy-updates/27-localhost-permission/

This does not mean that an adversary can just as easily setup a
website to send:

  {"op":"Control","args":["Shutdown"],"id":1}

to 127.0.0.1 TCP port 5959 and thereby terminate a veilid-server
process. A web browser using http will always send requests that begin
with specific strings (such as GET or OPTIONS) on the first line, and
the code at:

2ab51ae3e9/veilid-server/src/client_api.rs (L367)

2ab51ae3e9/veilid-server/src/client_api.rs (L244)

2ab51ae3e9/veilid-server/src/client_api.rs (L202)

seems to work together to ensure that no JSON object results in
command execution unless the first line of the input is a JSON object.
(Not sure if this was a design goal, or simply how it turned out.)

A web browser can do other things besides cleartext http (e.g., try to
start a TLS session to 127.0.0.1 TCP port 5959), but it's perhaps
unlikely that the initial bytes of the network traffic, in the context
of the above threat model, would ever be a JSON object.

Note that, although veilid-server is not speaking the HTTP protocol on
127.0.0.1 TCP port 5959, it is still able to read the data sent by any
web browser to http://127.0.0.1:5959, send that data to a JSON parser,
and write the data to the server logs. In limited testing, the HTTP
client typically saw zero bytes of application layer response;
however, if the HTTP client sent a huge amount of data (e.g., 16 MB),
the HTTP client would sometimes receive a large response with JSON
data about veilid-server's internal state. That might be a separate
bug. In the context of the threat model, this may not matter because
that JSON data isn't accessible by the operator of the website (that
hosts the JavaScript code).

There may be many ways to resolve this. First, the Veilid
documentation could recommend never running a web browser on any
machine that has veilid-server with 127.0.0.1 TCP port 5959 open.
Second, the existence of a realistically probe-able service on
127.0.0.1 TCP port 5959 might be considered much too large an attack
surface for an application of Veilid's sensitivity, and interprocess
communication could be replaced with something other than
unauthenticated TCP.

This MR is intended to improve Veilid for an ordinary user who wants
to help the project by installing veilid-server on their primary
personal machine, and wants veilid-cli to remain usable, but needs to
continue routine web browsing on that machine. It provides safer
behavior for such a person. The MR is not intended to benefit experts
who already understand localhost TCP risks, and either avoid all web
browsing on the same machine or have their own countermeasures. These
experts will not see any attacker-controlled traffic on port 5959, and
thus the reduction in logging should be of no concern to them.

Without the patch (and with logging on), data sent by a web browser is
always logged by veilid-server in the form:

   Connection processing failure: Parse error: 'expected value at line 1 column 1' with value 'deserialize_json:
   ---
   GET /<attacker_controlled_data> HTTP/1.1
   ---
    to type veilid_core::veilid_api::json_api::Request'

regardless of how long the attacker controlled data is. Some browsers
such as Chrome start by sending OPTIONS instead of GET.

With the patch, long malformed input is discarded and the log instead
contains:

   Connection processing failure: Parse error: 'expected value at line 1 column 1' with value 'deserialize_json:
   ---
   :skipped long input that's not a JSON object
   ---
    to type veilid_core::veilid_api::json_api::Request'

The patch allows logging of anything where the first non-whitespace
character is a '{' - this is considered safe (at the moment) because
no web browser (realistically used by a local user) can send '{' at
the beginning of the first line. Also, the patch allows logging of
requests smaller than 50 bytes to support two use cases. First, if a
node operator is sending one of the simple JSON API requests by hand
and is accidentally omitting the initial '{' from the JSON object,
they'll be able to see the failure in their logs. Second, non-expert
node operators may want some limited visibility into the details of
adversarial activity on http://127.0.0.1:5959. Of course, this default
logging policy could be made more flexible later if Veilid decides to
stay with unauthenticated TCP. The patch only aims to defeat a simple
DoS attack against the out-of-the-box code.
2023-08-28 04:53:31 +00:00