Ciscoman's notes (Записки цыщика c дипломом)

I'm Cisco Champion Community member for 2017!

"Cisco Champions are passionate about Cisco and happy to share our knowledge, experience, and feedback."

Tuesday, October 25, 2016

Zscaler cloud proxy and obvious logical flaw in default PAC file template

Here is the default PAC file template from the Zscaler cloud security solution:

function FindProxyForURL(url, host) {
    var privateIP = /^(0|10|127|192\.168|172\.1[6789]|172\.2[0-9]|172\.3[01]|169\.254|192\.88\.99)\.[0-9.]+$/;
    var resolved_ip = dnsResolve(host);

    /* Don't send non-FQDN or private IP auths to us */
    if (isPlainHostName(host) || isInNet(resolved_ip, "192.0.2.0","255.255.255.0") || privateIP.test(host)) {
        return "DIRECT";
    }

    /* FTP goes directly */
    if (url.substring(0,4) == "ftp:") {
        return "DIRECT";
    }

    /* Updates are directly accessible */
    if (((localHostOrDomainIs(host, "trust.zscaler.com")) ||
        (localHostOrDomainIs(host, "trust.zscaler.net")) ||
        (localHostOrDomainIs(host, "trust.zscalerone.net")) ||
        (localHostOrDomainIs(host, "trust.zscalertwo.net")) ||
        (localHostOrDomainIs(host, "trust.zscloud.net")) ) &&
        (url.substring(0,5) == "http:" || url.substring(0,6) == "https:")){
        return "DIRECT";
    }

    /* Default Traffic Forwarding. Forwarding to Zen on port 80, but you can use port 9400 also */
    return "PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";
}
I don't know how, but a quite obvious error crept in here, highlighted in bold:


    var resolved_ip = dnsResolve(host);

    /* Don't send non-FQDN or private IP auths to us */
    if (isPlainHostName(host) || isInNet(resolved_ip, "192.0.2.0","255.255.255.0") || privateIP.test(host)) {
And here is the screenshot for the sake of proof:




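The point is that privateIP.test should check the resolved_ip variable against the regexp instead of host. As written, the regexp is matched against the host name, so it only matches when the URL contains a literal IP address; an FQDN that resolves to a private address is still sent to the proxy. That's it. So here is the correct variant: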

    var resolved_ip = dnsResolve(host);

    /* Don't send non-FQDN or private IP auths to us */
    if (isPlainHostName(host) || isInNet(resolved_ip, "192.0.2.0","255.255.255.0") || privateIP.test(resolved_ip)) {
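
The difference between the two conditions can be checked outside a browser. The following is an added example, not code from the original post or from Zscaler: it runs both variants under Node.js with stand-in PAC helpers and a constructed DNS table, and all host names and addresses in it are made up.

```javascript
// Constructed DNS table standing in for the browser's resolver (names are made up).
const DNS = {
  "intranet.corp.example": "10.20.30.40",
  "wiki.corp.example": "172.16.5.9",
  "www.example.org": "93.184.216.34",
};

// Minimal stand-ins for the PAC helpers that a browser normally provides.
function dnsResolve(host) {
  if (/^\d+(\.\d+){3}$/.test(host)) return host; // a literal IPv4 resolves to itself
  return DNS[host] || null;                      // null when the lookup fails
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}
function isInNet(ip, net, mask) {
  if (!ip) return false;
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

// The regexp exactly as it appears in the template.
const privateIP = /^(0|10|127|192\.168|172\.1[6789]|172\.2[0-9]|172\.3[01]|169\.254|192\.88\.99)\.[0-9.]+$/;

// The template's bypass condition. fixed=false tests `host` (as published),
// fixed=true tests `resolved_ip` (the correction from the post).
function bypassesProxy(host, fixed) {
  const resolved_ip = dnsResolve(host);
  const tested = fixed ? (resolved_ip || "") : host; // empty string if DNS failed
  return isPlainHostName(host) ||
         isInNet(resolved_ip, "192.0.2.0", "255.255.255.0") ||
         privateIP.test(tested);
}

// Returns one row per host: does each variant answer DIRECT for it?
function compare(hosts) {
  return hosts.map((host) => ({
    host,
    published: bypassesProxy(host, false) ? "DIRECT" : "PROXY",
    corrected: bypassesProxy(host, true) ? "DIRECT" : "PROXY",
  }));
}

console.table(compare(["fileserver", "10.20.30.40", "intranet.corp.example",
                       "wiki.corp.example", "www.example.org", "gone.corp.example"]));
```

Only the two FQDNs that resolve to private addresses differ between the columns: the published condition hands them to the proxy, the corrected one keeps them direct.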

Strictly speaking, this error is not limited to Zscaler's default PAC template: somehow this code snippet has spread widely across the Internet.

For example, the same error migrated here:

http://itzecurity.blogspot.ru/2016/05/pac-file-recommendation-warnings-and.html

and here:

http://findproxyforurl.com/pac-code-snippets-examples/

and even here:

https://support.google.com/chrome/a/answer/3504945?hl=en

Of course, by the time you check, the error may have been fixed. But that is a good sign: it means my blog post was noticed.

Hope this helps somebody.
