Moodle / MDL-72486

Add developer options to warn when making unsafe unproxied requests


Details

    • MOODLE_401_STABLE
    • MOODLE_401_STABLE
    • MDL-72486-unproxied-logging
      1. Download the attached test page, test-moodle-proxy.php, into your Moodle root. It fetches a test page from the internet in a variety of ways.
      2. Load test-moodle-proxy.php in your browser.
      3. Confirm each of the 4 tests worked.
      4. Configure Moodle to use a proxy (which doesn't exist yet). Add the following lines to your config.php:

        $CFG->proxyhost = 'localhost';
        $CFG->proxyport = '3128';
        $CFG->proxytype = 'http';

      5. Reload the test script and confirm that tests 3 & 4 fail (Output: null).
      6. Set up a test proxy. You can either install squid in your OS or use docker:
        1. Installing directly in your OS:

            sudo apt install squid

        2. Using docker:
          1. Clone the repo:

            git clone https://github.com/stefpe/squid_proxy.git

          2. Change to the working copy folder and modify the squid config file, squid.conf:
            • line 43: http_access allow all
            • comment out line 55: # access_log none
          3. Modify docker-compose.yml to use port 3128:
            • line 6: - "3128:3128"
          4. Run the container:

            docker-compose up -d

      7. Tail the Moodle error logs and keep them open, and also tail the squid logs:
        • Locally:

          sudo tail -f /var/log/squid/access.log

        • In docker:

          docker exec -it squid_proxy_proxy_1 tail -f /var/log/squid/access.log

      8. Reload the test script and confirm that tests 3 & 4 now pass again, as they are using the new proxy.
      9. Confirm that test 1 is working but does not contain the MoodleBot user-agent header.
      10. Confirm there are no errors in the Moodle logs.
      11. Visit /admin/settings.php?section=http and set proxylogunsafe to on.
      12. Reload the test page and confirm the error logs now mention the call, including the URL that was called and the stack trace of where it came from.
      13. Visit /admin/settings.php?section=http and set proxyfixunsafe to on.
      14. Reload the test page and confirm the call now returns the MoodleBot user-agent header.
      15. Confirm that each page reload results in 3 access log entries in the squid proxy access log. There could be 4, depending on your environment.

    Description

      When making a call to the outside world, code should use either new curl() or download_file_content() instead of the raw PHP functions such as file_get_contents() or similar. In the worst case, manually add support for the Moodle proxy to whatever you are doing.

      It is probably very rare for developers to have a proxy set up, so code which doesn't do this correctly generally gets found in prod when it breaks, and it's often edge cases which don't have good test coverage, as unit-testing calls to the real world isn't deterministic and so such tests are not ideal.

      As a result Moodle has many of these subtle security bugs, often in third-party libraries which have not been modified to use the Moodle proxy.

      So proposing some sort of debugging or logging mode which adds instrumentation to PHP to capture as many of these edge cases as possible and report on them. Ideally this is something that could be on whenever debugging is on, and it will log an issue if an outside URL is requested even if the proxy isn't configured. It might also need a separate mode for prod use which just logs all such calls to help track down their origin, as this can be quite difficult to reverse engineer.
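      As an added illustration of the instrumentation proposed here (not Moodle's implementation and not the attached test page), the PHP below replaces the built-in http/https stream wrappers so that a raw file_get_contents() call bypassing Moodle's curl class is logged with its URL and calling stack, as proxylogunsafe does in the test steps, and, when $fixunsafe is set, is re-issued through curl with the proxy and a MoodleBot user agent, as proxyfixunsafe does. The class name, $proxy, $fixunsafe and the exact user-agent string are assumptions.

```php
<?php
// Added example, not Moodle's own code: a stream wrapper catching raw file_get_contents('http://...')
// calls that bypass Moodle's curl class. It logs the URL and calling stack (proxylogunsafe) and,
// when $fixunsafe is set, re-issues the request through curl with the proxy and a MoodleBot
// user agent (proxyfixunsafe). Class name, $proxy, $fixunsafe and the UA string are assumed.
class unproxied_http_wrapper {
    public static string $proxy = 'localhost:3128'; // the test squid from the steps above
    public static bool $fixunsafe = false;
    public $context;                                 // populated by PHP for wrappers
    private string $body = '';
    private int $pos = 0;
    public function stream_open(string $path, string $mode, int $options, ?string &$opened): bool {
        // Record the call site: finding the origin by hand is the hard part.
        $frames = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS);
        $trace = array_map(fn($f) => ($f['file'] ?? '?') . ':' . ($f['line'] ?? '?'), $frames);
        error_log("Unproxied request to $path from " . implode(' <- ', $trace));
        if (!self::$fixunsafe) {
            return false; // leave the raw call failing, as it would behind a real proxy
        }
        $ch = curl_init($path); // re-issue via curl so proxy and user agent apply
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_PROXY          => self::$proxy,
            CURLOPT_PROXYTYPE      => CURLPROXY_HTTP,
            CURLOPT_USERAGENT      => 'MoodleBot/1.0',
        ]);
        $body = curl_exec($ch);
        curl_close($ch);
        if ($body === false) {
            return false;
        }
        $this->body = $body;
        return true;
    }
    public function stream_read(int $count): string {
        $chunk = substr($this->body, $this->pos, $count);
        $this->pos += strlen($chunk);
        return $chunk;
    }
    public function stream_eof(): bool { return $this->pos >= strlen($this->body); }
    public function stream_stat() { return false; } // file_get_contents() may probe this
}
// Swap PHP's built-in http/https wrappers for the instrumented one.
foreach (['http', 'https'] as $scheme) {
    stream_wrapper_unregister($scheme);
    stream_wrapper_register($scheme, unproxied_http_wrapper::class);
}
unproxied_http_wrapper::$fixunsafe = true; // set false to see the call fail and be logged
var_dump(file_get_contents('http://example.com/'));
```

      With $fixunsafe left false the raw call returns false and the URL plus stack trace lands in the PHP error log, which is the prod-style "just log it" mode described above; with it set true the request also shows up in the squid access log.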

      Attachments

        1. MDL-72486_testing_1.png (121 kB)
        2. MDL-72486_testing_2.png (51 kB)
        3. MDL-72486_testing_3.png (286 kB)
        4. MDL-72486_testing_4.png (299 kB)
        5. MDL-72486_testing_5.png (303 kB)
        6. test-moodle-proxy.php (1 kB)

            People

              brendanheywood Brendan Heywood
              brendanheywood Brendan Heywood
              Peter Burnett
              Victor Déniz Falcón
              Angelia Dela Cruz
              Matteo Scaramuccia, David Woloszyn, Huong Nguyen, Jake Dallimore, Michael Hawkins, Stevani Andolo

              Dates

                Resolved: 28/Nov/22

                Time Tracking

                  Estimated: Not Specified
                  Remaining: 0m
                  Logged: 6h