[SECURITY] Add source IP validation for ignore-timeout fallback in session ticket auth#5457
Open
aiceflower wants to merge 2 commits into
Open
Conversation
…okie, remove cookie fallback from gateway - Add linkis.security.trusted.internal.sources config (default loopback+RFC1918 CIDRs) - Add linkis.security.ignore.timeout.require.internal.ip config (default true, escape hatch) - isRequestIgnoreTimeout: validate client IP against trusted sources before honouring cookie - Add getClientIp/isTrustedInternal helpers with X-Forwarded-For and SubnetUtils CIDR support - GatewaySSOUtils.getLoginUser: remove client-cookie-based fallback; gateway is external boundary
… source IP validation - getLoginUserThrowsExceptionWhenTimeout: require trusted internal IP for the header-based OTHER_SYSTEM_IGNORE_UM_USER fallback path - Prevents header-forged internal RPC identity from external IPs
a000bac to
de125c8
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The
dataworkcloud_inner_request=truecookie was client-controllable yet treated as a trusted signal to skip server-side session expiry checks. This PR adds source IP validation so only requests from trusted internal sources (gateway / same-network peers) can trigger the bypass.Gateway entry point (
GatewaySSOUtils.getLoginUser) no longer accepts the cookie-based fallback at all — the gateway is the external trust boundary.The header-based
OTHER_SYSTEM_IGNORE_UM_USERpath is also gated behind the same IP check.Changes
SecurityFilter.isRequestIgnoreTimeout: cookie check + IP allowlist (default loopback + RFC1918)SecurityFilter.getLoginUserThrowsExceptionWhenTimeout: header fallback also requires trusted IPGatewaySSOUtils.getLoginUser: removed cookie fallback, only header-basedOTHER_SYSTEM_IGNORE_UM_USERlinkis.security.trusted.internal.sources(CIDRs, default 127.0.0.1/RFC1918)linkis.security.ignore.timeout.require.internal.ip(default true, escape hatch)Affected files
linkis-commons/linkis-module/.../SecurityFilter.scala(+66/-14)linkis-spring-cloud-services/.../GatewaySSOUtils.scala(+13/-14)Deployment impact
🤖 Generated with Claude Code