- From: Gabriel Corona <notifications@github.com>
- Date: Sun, 10 Dec 2023 15:56:44 -0800
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/url/issues/577/1849132898@github.com>
For context about the pitfalls of stuffing/smuggling a Unix socket path in an HTTP URI, the Node.js [Requests](https://github.com/request/request/#unix-domain-sockets) and [got](https://github.com/sindresorhus/got/blob/main/documentation/2-options.md#enableunixsockets) libraries would allow stuffing a Unix domain socket path in an HTTP URI like so: `http://unix:/var/run/docker.sock:/containers/json`. It turned out this [could be exploited](https://nvd.nist.gov/vuln/detail/CVE-2022-33987) by a remote web server to target a local Unix domain socket through an HTTP redirect. In got, this feature is now [disabled by default](https://github.com/sindresorhus/got/issues/2046) and [HTTP redirects to Unix sockets are now disabled](https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc).

I would think that the ability to address arbitrary Unix domain sockets in HTTP(S) URIs is fraught with peril. If this were part of the URI standards, client applications and libraries would be expected to implement this feature, and this would certainly end up generating a lot of vulnerabilities such as CVE-2022-33987: attacks on arbitrary Unix domain socket applications through malicious redirects or, more generally, through malicious URIs.

What *might* be useful is:

* the ability for the user to map domain names to Unix domain sockets in client applications;
* *maybe* associating some domain name suffix with system-local bound services which are explicitly designed to be used this way (e.g. `*.user.alt` for user services and `*.system.alt` for system services),
* with some way for applications to expose themselves this way,
* these domain names could be considered as [secure contexts](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts).

But this is really outside of the scope of the URL standard.
-- Reply to this email directly or view it on GitHub: https://github.com/whatwg/url/issues/577#issuecomment-1849132898
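As an added illustration of the redirect problem described in the comment above (this is example code, not code from got, request, or the URL standard), here is a redirect filter that refuses to follow a `Location` whose target uses the socket-stuffing convention. It assumes Node's WHATWG `URL` parser, and the shape it recognises (hostname `unix`, pathname `<socketPath>:<requestPath>`) is my reading of that convention rather than either library's actual parsing code.

```javascript
// Added example (not got's or request's code): detect and refuse redirects
// to a Unix domain socket expressed in the "http://unix:<sock>:<path>" form.
// Assumption: the stuffed form is hostname "unix" with the socket path and
// request path joined by ":" in the pathname. With the WHATWG parser,
// `http://unix:/var/run/docker.sock:/x` parses to hostname "unix" (the ":"
// after it is read as an empty port) and everything else lands in pathname.

// Recognise the stuffed form and split it; null if the URL does not use it.
function parseUnixSocketTarget(urlString, base) {
  let url;
  try {
    url = new URL(urlString, base);
  } catch {
    return null; // unparseable input is rejected by the caller separately
  }
  if (url.hostname !== 'unix') return null;
  const m = /^(?<socketPath>[^:]+):(?<path>.*)$/.exec(url.pathname + url.search);
  if (!m) return null;
  return { socketPath: m.groups.socketPath, path: m.groups.path || '/' };
}

// Decide whether a client should follow a `Location` header received from
// `fromUrl`. Relative Locations are resolved against the response URL the
// way a browser would, so a scheme-relative "//unix:/..." is caught too.
function checkRedirect(fromUrl, location, { allowUnixSockets = false } = {}) {
  let target;
  try {
    target = new URL(location, fromUrl);
  } catch {
    return { follow: false, reason: 'unparseable-location' };
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return { follow: false, reason: 'non-http-scheme', target: target.href };
  }
  const unix = parseUnixSocketTarget(target.href);
  if (unix && !allowUnixSockets) {
    // A remote server must never be able to steer the client at a local socket.
    return { follow: false, reason: 'unix-socket-redirect', target: target.href, ...unix };
  }
  return { follow: true, target: target.href };
}
```

A client that wants the socket feature for URLs the user typed can still call `parseUnixSocketTarget` on the initial request while leaving `allowUnixSockets` off for every redirect hop, which is the split got ended up with.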
Received on Sunday, 10 December 2023 23:56:50 UTC