Skip to content

[SECURITY] Add source IP validation for ignore-timeout fallback in session ticket auth#5457

Open
aiceflower wants to merge 2 commits into
apache:masterfrom
aiceflower:fix-source-ip-validation-for-auth-fallback
Open

[SECURITY] Add source IP validation for ignore-timeout fallback in session ticket auth#5457
aiceflower wants to merge 2 commits into
apache:masterfrom
aiceflower:fix-source-ip-validation-for-auth-fallback

Conversation

@aiceflower

Copy link
Copy Markdown
Member

Summary

The dataworkcloud_inner_request=true cookie was client-controllable yet treated as a trusted signal to skip server-side session expiry checks. This PR adds source IP validation so only requests from trusted internal sources (gateway / same-network peers) can trigger the bypass.

Gateway entry point (GatewaySSOUtils.getLoginUser) no longer accepts the cookie-based fallback at all — the gateway is the external trust boundary.

The header-based OTHER_SYSTEM_IGNORE_UM_USER path is also gated behind the same IP check.

Changes

  • SecurityFilter.isRequestIgnoreTimeout: cookie check + IP allowlist (default loopback + RFC1918)
  • SecurityFilter.getLoginUserThrowsExceptionWhenTimeout: header fallback also requires trusted IP
  • GatewaySSOUtils.getLoginUser: removed cookie fallback, only header-based OTHER_SYSTEM_IGNORE_UM_USER
  • New config: linkis.security.trusted.internal.sources (CIDRs, default 127.0.0.1/RFC1918)
  • New config: linkis.security.ignore.timeout.require.internal.ip (default true, escape hatch)

Affected files

  • linkis-commons/linkis-module/.../SecurityFilter.scala (+66/-14)
  • linkis-spring-cloud-services/.../GatewaySSOUtils.scala (+13/-14)

Deployment impact

Scenario Impact
Gateway → backend forwarding No impact (Gateway IP in RFC1918)
Direct backend access (no Gateway) May need IP allowlist config
Gateway on public IP Add Gateway IP to trusted sources
Kubernetes RFC1918 covers pod IPs

🤖 Generated with Claude Code

…okie, remove cookie fallback from gateway

- Add linkis.security.trusted.internal.sources config (default loopback+RFC1918 CIDRs)
- Add linkis.security.ignore.timeout.require.internal.ip config (default true, escape hatch)
- isRequestIgnoreTimeout: validate client IP against trusted sources before honouring cookie
- Add getClientIp/isTrustedInternal helpers with X-Forwarded-For and SubnetUtils CIDR support
- GatewaySSOUtils.getLoginUser: remove client-cookie-based fallback; gateway is external boundary
… source IP validation

- getLoginUserThrowsExceptionWhenTimeout: require trusted internal IP for
  the header-based OTHER_SYSTEM_IGNORE_UM_USER fallback path
- Prevents header-forged internal RPC identity from external IPs
@aiceflower aiceflower force-pushed the fix-source-ip-validation-for-auth-fallback branch from a000bac to de125c8 Compare July 16, 2026 03:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant