Skip to content

Latest commit

 

History

History
64 lines (53 loc) · 6.59 KB

threat-modeling.md

File metadata and controls

64 lines (53 loc) · 6.59 KB

Threat Model Analysis for cloudflare/pingora

Threat: Upstream TLS Verification Bypass

  • Description: An attacker sends crafted requests to pingora, exploiting a misconfiguration or vulnerability in pingora's TLS verification logic for upstream connections. The attacker might present an invalid certificate, and pingora might incorrectly accept it, allowing impersonation of a legitimate upstream server.
    • Impact: Complete compromise of data confidentiality and integrity between pingora and the upstream. Attacker can intercept, modify, or inject data, leading to data breaches or system compromise.
    • Affected Pingora Component: pingora::proxy::http::connect_to_upstream, specifically the TLS handshake and certificate validation logic within the tls module (and related configuration options like tls_connector and verify_hostname).
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Strict TLS Configuration: Enforce verify_hostname = true (or equivalent) for all upstream connections. Never disable certificate verification.
      • Certificate Pinning: Use certificate pinning (ca_cert or similar) for critical upstreams.
      • Code Review: Regularly review pingora's TLS handling code (especially tls and proxy modules).
      • Dependency Updates: Keep pingora and its TLS library up-to-date.
      • Testing: Automated tests to check for proper TLS verification with invalid certificates.

Threat: Configuration Injection via Unvalidated Input

  • Description: If pingora's configuration is dynamically generated from user input without proper validation, an attacker could inject malicious configuration directives. This is a vulnerability within how pingora handles its configuration.
    • Impact: Highly variable, potentially ranging from denial of service to complete system compromise, depending on the injected configuration.
    • Affected Pingora Component: The configuration loading and parsing mechanism (likely within pingora::config). The vulnerability depends on how user input influences the configuration.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Strict Input Validation: Implement extremely strict input validation and sanitization for any data influencing the pingora configuration. Use a whitelist approach.
      • Configuration Templates: Use a secure templating engine (if dynamic configuration is needed) that prevents arbitrary code execution.
      • Principle of Least Privilege: The process generating the configuration should have minimal privileges.
      • Configuration Auditing: Log and audit all configuration changes.
      • Separate Configuration Source: Avoid directly exposing configuration endpoints to untrusted users.

Threat: Header Manipulation Leading to Request Smuggling

  • Description: An attacker sends crafted HTTP requests with malformed or ambiguous headers that are misinterpreted by pingora's own HTTP parsing logic. This is a vulnerability in how pingora handles HTTP requests before forwarding them.
    • Impact: Bypass of security filters, access to unauthorized resources, potential for cache poisoning, and server-side request forgery (SSRF).
    • Affected Pingora Component: pingora::proxy::http::v1::request_header and pingora::proxy::http::v1::response_header (and related functions for parsing and forwarding HTTP headers).
    • Risk Severity: High
    • Mitigation Strategies:
      • Strict Header Parsing: Ensure pingora uses a strict and secure HTTP parser that rejects ambiguous or malformed headers.
      • Header Normalization: Normalize headers within pingora before forwarding (remove duplicates, choose consistent interpretations).
      • Testing: Fuzzing tests targeting pingora's header parsing with malformed requests.

Threat: Resource Exhaustion via Connection Flooding (Specifically targeting pingora)

  • Description: An attacker opens many connections to pingora, exceeding configured limits or exhausting pingora's internal resources (file descriptors, memory used by the pingora process). This focuses on pingora's ability to handle connections.
    • Impact: Denial of service. Legitimate users cannot connect to pingora.
    • Affected Pingora Component: pingora::server and related components for managing connections (event loop, socket handling). Configuration options like max_connections are directly relevant.
    • Risk Severity: High
    • Mitigation Strategies:
      • Connection Limits: Configure appropriate max_connections limits in pingora's configuration.
      • Rate Limiting: Implement rate limiting within pingora (if supported) or externally.
      • Connection Timeouts: Configure appropriate timeouts for idle connections within pingora.
      • Monitoring: Monitor pingora's resource usage (connections, memory, CPU).

Threat: Cache Poisoning (if caching is enabled within pingora)

  • Description: If pingora is configured to cache responses, an attacker could craft requests to cause pingora to cache a malicious response, which is then served to other users. This is a vulnerability in pingora's caching logic.
    • Impact: Distribution of malicious content, potential for XSS or client-side attacks, data breaches.
    • Affected Pingora Component: pingora::cache (and related components if a custom caching implementation is used). Cache key generation and cache control header handling are critical.
    • Risk Severity: High
    • Mitigation Strategies:
      • Cache Key Validation: Ensure the cache key is generated based on all relevant request attributes and cannot be manipulated.
      • Cache Control Headers: Respect cache control headers and configure appropriate defaults within pingora.
      • No Caching of Sensitive Data: Avoid caching responses with sensitive information.
      • Regular Cache Purging: Implement a mechanism to regularly purge the cache.
      • Input Validation: Validate any user input that influences the cache key or cached response.