fix: validate agent-supplied AllowedIPs in coordinator by f0ssel · Pull Request #26144 · coder/coder
AgentCoordinateeAuth.Authorize validated upd.Node.Addresses but applied no check to upd.Node.AllowedIps. Because AllowedIPs are installed verbatim into the WireGuard peer config and drive routing, a malicious agent could advertise a victim agent's /128 and have traffic routed to it, intercepting sessions intended for the victim workspace. Apply the same UUID-derivation validation to AllowedIps that is already used for Addresses, via a shared authorizeNodePrefixes helper. This covers both the in-memory and Postgres coordinators, which share this auth path. Fixes PLAT-264 (SEC-89).
Wrap the errors returned by authorizeNodePrefixes so an operator can tell whether a rejected prefix came from Addresses or AllowedIps instead of having to compare the address against both fields manually. Rename the loop variable to prefixStr to match the parameter, and correct a test comment that said "immediately" while asserting eventual closure. Addresses review feedback on #26144.
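The check described in the two commit messages above, as an added example that is not code from coder/coder. It assumes an illustrative address derivation (a fixed 6-byte ULA prefix followed by the last 10 bytes of the agent UUID; the real mapping lives in Coder's tailnet package and is not reproduced here), and the names authorizeNodePrefixes, authorizeNode, authorizeNodeUnsafe, addrFromID and nodeUpdate are this example's own. It contrasts the pre-fix path, which validates only Addresses and so accepts an AllowedIPs entry naming another agent's /128, with the fixed path, which runs the same derivation check on both fields and wraps the error with the field name so an operator can tell which one was rejected.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"net/netip"
	"strings"
)

// servicePrefix is an ASSUMED 6-byte ULA prefix used only by this example;
// it is not Coder's real tailnet service prefix.
var servicePrefix = [6]byte{0xfd, 0x7a, 0x11, 0x5c, 0xa1, 0xe0}

// agentID is the 16-byte UUID the coordinator authenticated the agent as.
type agentID [16]byte

// parseAgentID parses a canonical UUID string without pulling in a UUID library.
func parseAgentID(s string) (agentID, error) {
	var id agentID
	b, err := hex.DecodeString(strings.ReplaceAll(s, "-", ""))
	if err != nil || len(b) != 16 {
		return id, fmt.Errorf("invalid agent uuid %q", s)
	}
	copy(id[:], b)
	return id, nil
}

// addrFromID derives the single IPv6 address an agent may claim.
// ASSUMED derivation: 6-byte prefix + last 10 bytes of the UUID.
func addrFromID(id agentID) netip.Addr {
	var raw [16]byte
	copy(raw[:6], servicePrefix[:])
	copy(raw[6:], id[6:])
	return netip.AddrFrom16(raw)
}

var errPrefixNotDerived = errors.New("prefix is not derived from the agent id")

// authorizeNodePrefixes accepts only prefixes that are exactly the
// authenticated agent's own /128; anything else is rejected.
func authorizeNodePrefixes(id agentID, prefixes []string) error {
	want := addrFromID(id)
	for _, prefixStr := range prefixes {
		pfx, err := netip.ParsePrefix(prefixStr)
		if err != nil {
			return fmt.Errorf("parse %q: %w", prefixStr, err)
		}
		if pfx.Bits() != 128 {
			return fmt.Errorf("prefix %q: expected /128, got /%d", prefixStr, pfx.Bits())
		}
		if pfx.Addr() != want {
			return fmt.Errorf("prefix %q: %w", prefixStr, errPrefixNotDerived)
		}
	}
	return nil
}

// nodeUpdate is a stand-in for the node fields an agent sends the coordinator.
type nodeUpdate struct {
	Addresses  []string
	AllowedIPs []string
}

// authorizeNodeUnsafe mirrors the pre-fix behaviour: only Addresses are checked,
// so AllowedIPs are installed into the peer config verbatim.
func authorizeNodeUnsafe(id agentID, n nodeUpdate) error {
	return authorizeNodePrefixes(id, n.Addresses)
}

// authorizeNode mirrors the fix: both fields get the same derivation check,
// and the returned error names the field that failed.
func authorizeNode(id agentID, n nodeUpdate) error {
	if err := authorizeNodePrefixes(id, n.Addresses); err != nil {
		return fmt.Errorf("addresses: %w", err)
	}
	if err := authorizeNodePrefixes(id, n.AllowedIPs); err != nil {
		return fmt.Errorf("allowed ips: %w", err)
	}
	return nil
}

func main() {
	// Constructed sample IDs; not real workspace agents.
	attacker, _ := parseAgentID("11111111-2222-3333-4444-555555555555")
	victim, _ := parseAgentID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")

	// The attacker advertises its own address but claims the victim's /128 as AllowedIPs.
	upd := nodeUpdate{
		Addresses:  []string{addrFromID(attacker).String() + "/128"},
		AllowedIPs: []string{addrFromID(victim).String() + "/128"},
	}
	fmt.Println("pre-fix:", authorizeNodeUnsafe(attacker, upd)) // nil: spoof accepted
	fmt.Println("fixed:  ", authorizeNode(attacker, upd))       // allowed ips: ... not derived
}
```

Because the error is wrapped with `%w`, callers can still test it with `errors.Is(err, errPrefixNotDerived)` while the message tells an operator whether the offending prefix came from Addresses or AllowedIPs.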
f0ssel marked this pull request as ready for review
The AgentCoordinateeAuth.Authorize AllowedIPs cases are already covered at the coordinator level (in-memory AgentWithoutClients_InvalidAllowedIP and PG TestPGCoordinatorSingle_AgentInvalidAllowedIP), matching the existing InvalidAddress and InvalidBits coverage. The unit test duplicated that matrix, slowing the suite and creating two places to maintain.
f0ssel deleted the garrett/plat-264-agent-supplied-allowedips-not-validated-by-coordinator-sec branch