tsweb: check for key-based debug access before XFF check (#9093)

Fly apps all set X-Forwarded-For, which otherwise breaks debug access even
when a preshared key is supplied.

Updates tailscale/corp#3601

Signed-off-by: David Anderson <danderson@tailscale.com>
Dave Anderson 2023-08-25 11:12:11 -07:00 committed by GitHub
parent 6b6a8cf843
commit 7b18ed293b


@ -51,6 +51,9 @@ func IsProd443(addr string) bool {
// AllowDebugAccess reports whether r should be permitted to access // AllowDebugAccess reports whether r should be permitted to access
// various debug endpoints. // various debug endpoints.
func AllowDebugAccess(r *http.Request) bool { func AllowDebugAccess(r *http.Request) bool {
if allowDebugAccessWithKey(r) {
return true
}
if r.Header.Get("X-Forwarded-For") != "" { if r.Header.Get("X-Forwarded-For") != "" {
// TODO if/when needed. For now, conservative: // TODO if/when needed. For now, conservative:
return false return false
@ -66,14 +69,19 @@ func AllowDebugAccess(r *http.Request) bool {
if tsaddr.IsTailscaleIP(ip) || ip.IsLoopback() || ipStr == envknob.String("TS_ALLOW_DEBUG_IP") { if tsaddr.IsTailscaleIP(ip) || ip.IsLoopback() || ipStr == envknob.String("TS_ALLOW_DEBUG_IP") {
return true return true
} }
if r.Method == "GET" { return false
urlKey := r.FormValue("debugkey") }
keyPath := envknob.String("TS_DEBUG_KEY_PATH")
if urlKey != "" && keyPath != "" { func allowDebugAccessWithKey(r *http.Request) bool {
slurp, err := os.ReadFile(keyPath) if r.Method != "GET" {
if err == nil && string(bytes.TrimSpace(slurp)) == urlKey { return false
return true }
} urlKey := r.FormValue("debugkey")
keyPath := envknob.String("TS_DEBUG_KEY_PATH")
if urlKey != "" && keyPath != "" {
slurp, err := os.ReadFile(keyPath)
if err == nil && string(bytes.TrimSpace(slurp)) == urlKey {
return true
} }
} }
return false return false
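Review bot: The key check in allowDebugAccessWithKey, `if err == nil && string(bytes.TrimSpace(slurp)) == urlKey {`, compares a preshared secret with `==`, which is not constant-time, and because AllowDebugAccess now evaluates this path before the X-Forwarded-For rejection it is reachable by any client that can get a request to the server through a proxy; it should read `if err == nil && subtle.ConstantTimeCompare(bytes.TrimSpace(slurp), []byte(urlKey)) == 1 {` with `crypto/subtle` added to the imports. The key is also read from the `debugkey` query parameter of a GET, so it will presumably appear in the access logs of the Fly proxy the commit message mentions and in any request logging on this host; a comment on allowDebugAccessWithKey noting that the key is exposed to intermediaries via the URL would help operators decide how to treat and rotate it. Re-reading the key file with os.ReadFile on every request is acceptable for a debug path but is worth a short why-comment so nobody later "optimizes" it into a cached value without considering rotation. allowDebugAccessWithKey's closing brace lies outside the hunk.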