security(connlib): Dont allow acces to non-subdomains for a given resource (#2996)

Previously, we just assumed that the domain in the query is a subdomain of the resource but a malicious actor can hijack that field to access domains that doesn't correspond to that resource. With this patch we don't even resolve the address for unrelated domains.
2026-01-27 10:18:54 +00:00 · 2023-12-22 14:42:32 -03:00
parent a5330f4e77
commit afb989ced9
1 changed files with 13 additions and 3 deletions
--- a/rust/connlib/tunnel/src/control_protocol/gateway.rs
+++ b/rust/connlib/tunnel/src/control_protocol/gateway.rs
@@ -90,10 +90,16 @@ where
        }

        let resource_addresses = match &resource {
-            ResourceDescription::Dns(_) => {
+            ResourceDescription::Dns(r) => {
                let Some(domain) = client_payload.domain.clone() else {
                    return Err(Error::ControlProtocolError);
                };
+
+                if !domain.iter_suffixes().any(|d| d.to_string() == r.address) {
+                    let _ = ice.stop().await;
+                    return Err(Error::InvalidResource);
+                }
+
                (domain.to_string(), 0)
                    .to_socket_addrs()?
                    .map(|addrs| addrs.ip().into())
@@ -170,11 +176,15 @@ where
            .find(|(_, p)| p.inner.conn_id == client_id)
        {
            let addresses = match &resource {
-                ResourceDescription::Dns(_) => {
-                    let Some(ref domain) = domain else {
+                ResourceDescription::Dns(r) => {
+                    let Some(domain) = domain.as_ref() else {
                        return None;
                    };

+                    if !domain.iter_suffixes().any(|d| d.to_string() == r.address) {
+                        return None;
+                    }
+
                    (domain.to_string(), 0)
                        .to_socket_addrs()
                        .ok()?