IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies.
rustfs/src/auth.rs:289-304 sets remote_addr from X-Forwarded-For/X-Real-Ip, then inserts SourceIp via
get_source_ip_raw, with no trust boundary or proxy validation:
let remote_addr = header.get("x-forwarded-for").and_then(...).or_else(|| header.get("x-real-ip")...).unwrap_or("127.0.0.1");args.insert("SourceIp", vec![get_source_ip_raw(header, remote_addr)]);rustfs/src/storage/access.rs (authorization path), so any request that forges the header can meet aws:SourceIp conditions.rustfs-auth-trusted-ip-header-spoofing-poc.tar.gz
Steps (already included in rustfs-auth-trusted-ip-header-spoofing-poc/):
mkdir -p /tmp/rustfs-data1 /tmp/rustfs-data2
RUSTFS_ACCESS_KEY=devadmin RUSTFS_SECRET_KEY=devadmin \
cargo run --bin rustfs -- --address 0.0.0.0:9000 \
/tmp/rustfs-data1 /tmp/rustfs-data2
rustfs-auth-trusted-ip-header-spoofing-poc/, run: ENDPOINT=http://127.0.0.1:9000 make run
The script:
- Creates bucket `rustfs-trusted-ip-poc`.
- Applies a bucket policy allowing `s3:ListBucket` only from `10.0.0.5/32` (`Principal: {"AWS":["*"]},` Resource array).
- Sends three unauthenticated `ListBucket` calls:
- Baseline (no spoof) → HTTP 403.
- Spoofed `X-Forwarded-For: 10.0.0.5` → HTTP 200 (policy bypass).
- Spoofed...
1.0.0-alpha.78Exploitability
AV:NAC:LAT:NPR:NUI:NVulnerable System
VC:NVI:HVA:NSubsequent System
SC:NSI:NSA:N7.7/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P