
feat: Secure proxy endpoint#3813

Merged
chriskari merged 9 commits into kyma-project:main from chriskari:secure-proxy
Apr 9, 2025

Conversation

@chriskari
Contributor

@chriskari chriskari commented Apr 2, 2025

Description

Changes proposed in this pull request:

  • reenabled endpoint
  • added security checks for protocol and targetURL
  • added timeouts of 30s to avoid hanging requests
  • added rate limiting of 100 requests per 1 minute per IP address
  • added DNS lookup & check for private IPs

Related issue(s)
#3682

Definition of done

  • The PR's title starts with one of the following prefixes:
    • feat: A new feature
    • fix: A bug fix
    • docs: Documentation only changes
    • refactor: A code change that neither fixes a bug nor adds a feature
    • test: Adding tests
    • revert: Revert commit
    • chore: Maintenance changes to the build process or auxiliary tools, libraries, workflows, etc.
  • Related issues are linked. To link internal trackers, use the issue IDs like backlog#4567
  • Explain clearly why you created the PR and what changes it introduces
  • All necessary steps are delivered, for example, tests, documentation, merging

@chriskari chriskari linked an issue Apr 2, 2025 that may be closed by this pull request
5 tasks
@dbadura dbadura self-assigned this Apr 7, 2025
Comment on lines +60 to +70
if (parsedUrl.protocol !== 'https:') {
return res.status(403).send('Request Forbidden');
}

if (isLocalDomain(parsedUrl.hostname)) {
return res.status(403).send('Request Forbidden');
}

if (net.isIP(parsedUrl.hostname) !== 0) {
return res.status(403).send('Request Forbidden');
}
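Review bot: the IP-literal check in the last three lines misses IPv6 literals, because `parsedUrl.hostname` keeps the square brackets (`[::1]`) and `net.isIP('[::1]')` returns 0; strip them before the call, e.g. `const host = parsedUrl.hostname.replace(/^\[|\]$/g, '');` and pass `host` to `net.isIP`, and add a test with a bracketed target. As written, rejection of such a target depends entirely on the DNS step that follows rather than on this check.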
Contributor

We can move it to a separate function for readability

backend/proxy.js Outdated
Comment on lines +72 to +83
// Perform DNS resolution to check for private IPs
try {
const addresses = await dns.lookup(parsedUrl.hostname, { all: true });
for (const addr of addresses) {
if (isPrivateIp(addr.address)) {
return res.status(403).send('Request Forbidden');
}
}
} catch (dnsError) {
// If DNS lookup fails, we block the request for safety.
return res.status(403).send('Request Forbidden');
}
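Review bot: the addresses returned by `dns.lookup` are only inspected here, not reused for the outgoing connection, so the hostname is resolved a second time when the proxied request is made and an answer that changes between the two lookups can point the real connection at an address this loop never saw. Pin the connection to the vetted result instead, for example by passing a custom `lookup` function that returns the already-checked address in the request options, or by connecting to the chosen `addr.address` with the `Host` header set to the original hostname. Since `all: true` returns both families, `isPrivateIp` also needs to handle the `family: 6` entries, including IPv4-mapped forms such as `::ffff:10.0.0.1`, or the IPv4 ranges it blocks can be reached through them.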
Contributor

We can move it to a separate function for readability

@chriskari chriskari merged commit 80961ab into kyma-project:main Apr 9, 2025
16 checks passed
@chriskari chriskari deleted the secure-proxy branch April 17, 2025 09:51

Development

Successfully merging this pull request may close these issues.

Expose CORS proxy endpoint properly secured

2 participants