TUN-7628: Correct Host parsing for Access

Will no longer provide full hostname with path from provided
`--hostname` flag for cloudflared access to the Host header field.
This addresses certain issues caught from a security fix in go
1.19.11 and 1.20.6 in the net/http URL parsing.

cmd/cloudflared/access/carrier.go

@@ -70,14 +70,14 @@ func ssh(c *cli.Context) error {
 
  // get the hostname from the cmdline and error out if its not provided
  rawHostName := c.String(sshHostnameFlag)
- hostname, err := validation.ValidateHostname(rawHostName)
- if err != nil || rawHostName == "" {
+ url, err := parseURL(rawHostName)
+ if err != nil {
+ log.Err(err).Send()
  return cli.ShowCommandHelp(c, "ssh")
  }
- originURL := ensureURLScheme(hostname)
 
  // get the headers from the cmdline and add them
- headers := buildRequestHeaders(c.StringSlice(sshHeaderFlag))
+ headers := parseRequestHeaders(c.StringSlice(sshHeaderFlag))
  if c.IsSet(sshTokenIDFlag) {
  headers.Set(cfAccessClientIDHeader, c.String(sshTokenIDFlag))
  }
@@ -89,9 +89,9 @@ func ssh(c *cli.Context) error {
  carrier.SetBastionDest(headers, c.String(sshDestinationFlag))
 
  options := &carrier.StartOptions{
- OriginURL: originURL,
+ OriginURL: url.String(),
  Headers: headers,
- Host: hostname,
+ Host: url.Host,
  }
 
  if connectTo := c.String(sshConnectTo); connectTo != "" {
@@ -138,20 +138,9 @@ func ssh(c *cli.Context) error {
  // default to 10 if provided but unset
  maxMessages = 10
  }
- logger := log.With().Str("host", hostname).Logger()
+ logger := log.With().Str("host", url.Host).Logger()
  s = stream.NewDebugStream(s, &logger, maxMessages)
  }
  carrier.StartClient(wsConn, s, options)
  return nil
 }
-
-func buildRequestHeaders(values []string) http.Header {
- headers := make(http.Header)
- for _, valuePair := range values {
- header, value, found := strings.Cut(valuePair, ":")
- if found {
- headers.Add(strings.TrimSpace(header), strings.TrimSpace(value))
- }
- }
- return headers
-}

cmd/cloudflared/access/cmd.go

@@ -222,8 +222,7 @@ func login(c *cli.Context) error {
  log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 
  args := c.Args()
- rawURL := ensureURLScheme(args.First())
- appURL, err := url.Parse(rawURL)
+ appURL, err := parseURL(args.First())
  if args.Len() < 1 || err != nil {
  log.Error().Msg("Please provide the url of the Access application")
  return err
@@ -252,16 +251,6 @@ func login(c *cli.Context) error {
  return nil
 }
 
-// ensureURLScheme prepends a URL with https:// if it doesn't have a scheme. http:// URLs will not be converted.
-func ensureURLScheme(url string) string {
- url = strings.Replace(strings.ToLower(url), "http://", "https://", 1)
- if !strings.HasPrefix(url, "https://") {
- url = fmt.Sprintf("https://%s", url)
-
- }
- return url
-}
-
 // curl provides a wrapper around curl, passing Access JWT along in request
 func curl(c *cli.Context) error {
  err := sentry.Init(sentry.ClientOptions{
@@ -345,7 +334,7 @@ func generateToken(c *cli.Context) error {
  if err != nil {
  return err
  }
- appURL, err := url.Parse(ensureURLScheme(c.String("app")))
+ appURL, err := parseURL(c.String("app"))
  if err != nil || c.NumFlags() < 1 {
  fmt.Fprintln(os.Stderr, "Please provide a url.")
  return err
@@ -398,7 +387,7 @@ func sshGen(c *cli.Context) error {
  return cli.ShowCommandHelp(c, "ssh-gen")
  }
 
- originURL, err := url.Parse(ensureURLScheme(hostname))
+ originURL, err := parseURL(hostname)
  if err != nil {
  return err
  }
@@ -499,7 +488,7 @@ func isFileThere(candidate string) bool {
 // Then makes a request to to the origin with the token to ensure it is valid.
 // Returns nil if token is valid.
 func verifyTokenAtEdge(appUrl *url.URL, appInfo *token.AppInfo, c *cli.Context, log *zerolog.Logger) error {
- headers := buildRequestHeaders(c.StringSlice(sshHeaderFlag))
+ headers := parseRequestHeaders(c.StringSlice(sshHeaderFlag))
  if c.IsSet(sshTokenIDFlag) {
  headers.Add(cfAccessClientIDHeader, c.String(sshTokenIDFlag))
  }

cmd/cloudflared/access/validation.go

@@ -0,0 +1,55 @@
+package access
+
+import (
+ "errors"
+ "fmt"
+ "net/http"
+ "net/url"
+ "strings"
+
+ "golang.org/x/net/http/httpguts"
+)
+
+// parseRequestHeaders will take user-provided header values as strings "Content-Type: application/json" and create
+// a http.Header object.
+func parseRequestHeaders(values []string) http.Header {
+ headers := make(http.Header)
+ for _, valuePair := range values {
+ header, value, found := strings.Cut(valuePair, ":")
+ if found {
+ headers.Add(strings.TrimSpace(header), strings.TrimSpace(value))
+ }
+ }
+ return headers
+}
+
+// parseHostname will attempt to convert a user provided URL string into a string with some light error checking on
+// certain expectations from the URL.
+// Will convert all HTTP URLs to HTTPS
+func parseURL(input string) (*url.URL, error) {
+ if input == "" {
+ return nil, errors.New("no input provided")
+ }
+ if !strings.HasPrefix(input, "https://") && !strings.HasPrefix(input, "http://") {
+ input = fmt.Sprintf("https://%s", input)
+ }
+ url, err := url.ParseRequestURI(input)
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse as URL: %w", err)
+ }
+ if url.Scheme != "https" {
+ url.Scheme = "https"
+ }
+ if url.Host == "" {
+ return nil, errors.New("failed to parse Host")
+ }
+ host, err := httpguts.PunycodeHostPort(url.Host)
+ if err != nil || host == "" {
+ return nil, err
+ }
+ if !httpguts.ValidHostHeader(host) {
+ return nil, errors.New("invalid Host provided")
+ }
+ url.Host = host
+ return url, nil
+}

cmd/cloudflared/access/validation_test.go

@@ -0,0 +1,80 @@
+package access
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestParseRequestHeaders(t *testing.T) {
+ values := parseRequestHeaders([]string{"client: value", "secret: safe-value", "trash", "cf-trace-id: 000:000:0:1:asd"})
+ assert.Len(t, values, 3)
+ assert.Equal(t, "value", values.Get("client"))
+ assert.Equal(t, "safe-value", values.Get("secret"))
+ assert.Equal(t, "000:000:0:1:asd", values.Get("cf-trace-id"))
+}
+
+func TestParseURL(t *testing.T) {
+ schemes := []string{
+ "http://",
+ "https://",
+ "",
+ }
+ hosts := []struct {
+ input string
+ expected string
+ }{
+ {"localhost", "localhost"},
+ {"127.0.0.1", "127.0.0.1"},
+ {"127.0.0.1:9090", "127.0.0.1:9090"},
+ {"::1", "::1"},
+ {"::1:8080", "::1:8080"},
+ {"[::1]", "[::1]"},
+ {"[::1]:8080", "[::1]:8080"},
+ {":8080", ":8080"},
+ {"example.com", "example.com"},
+ {"hello.example.com", "hello.example.com"},
+ {"bücher.example.com", "xn--bcher-kva.example.com"},
+ }
+ paths := []string{
+ "",
+ "/test",
+ "/example.com?qwe=123",
+ }
+ for i, scheme := range schemes {
+ for j, host := range hosts {
+ for k, path := range paths {
+ t.Run(fmt.Sprintf("%d_%d_%d", i, j, k), func(t *testing.T) {
+ input := fmt.Sprintf("%s%s%s", scheme, host.input, path)
+ expected := fmt.Sprintf("%s%s%s", "https://", host.expected, path)
+ url, err := parseURL(input)
+ assert.NoError(t, err, "input: %s\texpected: %s", input, expected)
+ assert.Equal(t, expected, url.String())
+ assert.Equal(t, host.expected, url.Host)
+ assert.Equal(t, "https", url.Scheme)
+ })
+ }
+ }
+ }
+
+ t.Run("no input", func(t *testing.T) {
+ _, err := parseURL("")
+ assert.ErrorContains(t, err, "no input provided")
+ })
+
+ t.Run("missing host", func(t *testing.T) {
+ _, err := parseURL("https:///host")
+ assert.ErrorContains(t, err, "failed to parse Host")
+ })
+
+ t.Run("invalid path only", func(t *testing.T) {
+ _, err := parseURL("/host")
+ assert.ErrorContains(t, err, "failed to parse Host")
+ })
+
+ t.Run("invalid parse URL", func(t *testing.T) {
+ _, err := parseURL("https://host\\host")
+ assert.ErrorContains(t, err, "failed to parse as URL")
+ })
+}

go.mod

@@ -36,11 +36,11 @@ require (
  go.opentelemetry.io/otel/trace v1.6.3
  go.opentelemetry.io/proto/otlp v0.15.0
  go.uber.org/automaxprocs v1.4.0
- golang.org/x/crypto v0.8.0
- golang.org/x/net v0.9.0
+ golang.org/x/crypto v0.11.0
+ golang.org/x/net v0.12.0
  golang.org/x/sync v0.1.0
- golang.org/x/sys v0.7.0
- golang.org/x/term v0.7.0
+ golang.org/x/sys v0.10.0
+ golang.org/x/term v0.10.0
  google.golang.org/protobuf v1.28.1
  gopkg.in/natefinch/lumberjack.v2 v2.0.0
  gopkg.in/yaml.v3 v3.0.1
@@ -91,7 +91,7 @@ require (
  golang.org/x/exp v0.0.0-20221205204356-47842c84f3db // indirect
  golang.org/x/mod v0.8.0 // indirect
  golang.org/x/oauth2 v0.6.0 // indirect
- golang.org/x/text v0.9.0 // indirect
+ golang.org/x/text v0.11.0 // indirect
  golang.org/x/tools v0.6.0 // indirect
  google.golang.org/appengine v1.6.7 // indirect
  google.golang.org/genproto v0.0.0-20221202195650-67e5cbc046fd // indirect

go.sum

@@ -404,8 +404,8 @@ golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.8.0 h1:pd9TJtTueMTVQXzk8E2XESSMQDj/U7OUu0PqJqPXQjQ=
-golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE=
+golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
+golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -475,8 +475,8 @@ golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM=
-golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
+golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50=
+golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -545,12 +545,12 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220808155132-1c4a2a72c664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU=
-golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.7.0 h1:BEvjmm5fURWqcfbSKTdpkDXYBrUS1c0m8agp14W48vQ=
-golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
+golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c=
+golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -559,8 +559,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4=
+golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=