
Commit a928bed

1 parent d902e66 commit a928bed

1 file changed

Lines changed: 61 additions & 0 deletions

@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-fc6g-2gcp-2qrq",
4+
"modified": "2026-02-03T17:31:41Z",
5+
"published": "2026-02-03T17:31:41Z",
6+
"aliases": [
7+
"CVE-2026-21862"
8+
],
9+
"summary": "RustFS has SourceIp bypass via spoofed X-Forwarded-For/Real-IP headers",
10+
"details": "### Summary\nIP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies.\n\n### Details\n\n - Vulnerable code: `rustfs/src/auth.rs:289-304` sets `remote_addr` from `X-Forwarded-For`/`X-Real-Ip`, then inserts `SourceIp` via\n `get_source_ip_raw`, with no trust boundary or proxy validation:\n - `let remote_addr = header.get(\"x-forwarded-for\").and_then(...).or_else(|| header.get(\"x-real-ip\")...).unwrap_or(\"127.0.0.1\");`\n - `args.insert(\"SourceIp\", vec![get_source_ip_raw(header, remote_addr)]);`\n - This value feeds IAM/bucket policy evaluation in `rustfs/src/storage/access.rs` (authorization path), so any request that forges the header can meet `aws:SourceIp` conditions.\n - No authentication is required beyond the request itself; the header is taken at face value even on direct connections.\n\n\n### PoC\n\n[rustfs-auth-trusted-ip-header-spoofing-poc.tar.gz](https://github.com/user-attachments/files/24038162/rustfs-auth-trusted-ip-header-spoofing-poc.tar.gz)\n\n\nSteps (already included in `rustfs-auth-trusted-ip-header-spoofing-poc/`):\n\n 1. Start RustFS with two local volumes, e.g.:\n\n```\n mkdir -p /tmp/rustfs-data1 /tmp/rustfs-data2\n RUSTFS_ACCESS_KEY=devadmin RUSTFS_SECRET_KEY=devadmin \\\n cargo run --bin rustfs -- --address 0.0.0.0:9000 \\\n /tmp/rustfs-data1 /tmp/rustfs-data2\n```\n\n 2. 
From `rustfs-auth-trusted-ip-header-spoofing-poc`/, run:\n\n```\n ENDPOINT=http://127.0.0.1:9000 make run\n```\n\n The script:\n - Creates bucket `rustfs-trusted-ip-poc`.\n - Applies a bucket policy allowing `s3:ListBucket` only from `10.0.0.5/32` (`Principal: {\"AWS\":[\"*\"]},` Resource array).\n - Sends three unauthenticated `ListBucket` calls:\n - Baseline (no spoof) → HTTP 403.\n - Spoofed `X-Forwarded-For: 10.0.0.5` → HTTP 200 (policy bypass).\n - Spoofed `X-Forwarded-For: 1.2.3.4` → HTTP 403.\n - Responses saved to `poc-baseline.xml`, `poc-spoofed.xml`, `poc-deny.xml`.\n\n\n### Impact\n\n - Vulnerability type: Authorization bypass of IP-allowlist (`aws:SourceIp`) via header spoofing.\n - Who is impacted: Any deployment relying on `aws:SourceIp` in IAM/bucket policies for S3 operations. Attackers with network reach to RustFS can forge forwarded-IP headers to gain list/read/write where IP restrictions were meant to block them.\n\n### Credits\nIdentified by SecMate (https://secmate.dev) automated analysis and validated during manual triage.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "crates.io",
21+
"name": "rustfs"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "1.0.0-alpha.78"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/rustfs/rustfs/security/advisories/GHSA-fc6g-2gcp-2qrq"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/rustfs/rustfs/commit/b4ba62fa3300b5b258fdc0da141481e3be7ea960"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/rustfs/rustfs"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-290"
55+
],
56+
"severity": "HIGH",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-02-03T17:31:41Z",
59+
"nvd_published_at": null
60+
}
61+
}
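Review bot: the CVSS v4 vector on the "score" line (`VC:N/VI:H/VA:N`) records no confidentiality impact, yet the Impact paragraph in "details" states that forged forwarded-IP headers can gain "list/read/write" where IP restrictions were meant to block them, and the PoC's successful case is an unauthenticated `ListBucket` returning HTTP 200, which discloses bucket contents; either the VC metric should be reconsidered or the impact text narrowed to match the vector, so consumers of this OSV record get a consistent severity signal. Minor: the "summary" writes `Real-IP` while the details and the quoted code use the header name `X-Real-Ip`; using the exact header name in the summary makes the record easier to search.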
