Protect against CSRF #171

Merged
merged 1 commit into from Dec 2, 2018

3 participants
@randomstuff
Contributor

randomstuff commented Oct 2, 2018

No description provided.

@randomstuff

Contributor Author

randomstuff commented Oct 2, 2018

Tests are passing. Still gotta check if it's actually working. I have to figure out how to test this properly.

@randomstuff

Contributor Author

randomstuff commented Oct 3, 2018

This strategy probably won't work happily with Access-Control-Allow-Origin. Do you actually need this?

@randomstuff

Contributor Author

randomstuff commented Oct 4, 2018

I think Access-Control-Allow-Origin is useless because Access-Control-Allow-Methods is not set. It should probably be removed.

@zamentur

Contributor

zamentur commented Oct 5, 2018

Thanks for your contribution :)

Note: in the general case, the web admin on the same domain uses this API. BUT some advanced users could use external tools to call this API.

So we need to make a choice about CORS, restrict to the general case or be flexible.

@randomstuff

Contributor Author

randomstuff commented Oct 11, 2018

This is not working because nginx is not configured to propagate the Host header: the yunohost API gets Host: 127.0.0.1:6787. Thus expected_origin is https://127.0.0.1:6787.

@randomstuff randomstuff force-pushed the randomstuff:csrf_protection branch from b5a052a to 7abd3f6 Oct 11, 2018

@randomstuff

Contributor Author

randomstuff commented Oct 11, 2018

I updated the code. This version only checks if X-Requested-With is set. This is simpler and should work as a simple workaround.

@randomstuff

Contributor Author

randomstuff commented Oct 11, 2018

This is implementing Protecting REST Services: Use of Custom Request Headers which is not super great (apparently it can be broken with some versions of Flash).

A better solution would be to check Origin/Referer. The previous patch did that but for this I'd need a correct Host.
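The two strategies discussed in this thread, the X-Requested-With custom-header check that was merged and the Origin/Referer-against-Host comparison from the earlier patch, as an added stand-alone Python example (this is not YunoHost or moulinette code). Requests are plain dicts of headers so it runs without a web framework; the hostname example.test, the default https scheme and the sample requests are assumptions. The 127.0.0.1:6787 case reproduces the problem described above: when nginx does not forward Host, the derived expected origin can never match a real browser request.

```python
from urllib.parse import urlsplit


def _header(headers, name):
    """Case-insensitive lookup in a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def has_custom_header(headers):
    """Strategy 1 (the merged workaround): require X-Requested-With.
    A plain HTML form cannot add custom headers, and a cross-origin
    XHR/fetch that adds one triggers a CORS preflight that this API
    never approves (Access-Control-Allow-Methods is not set).
    Assumes the web admin sets the header on every call."""
    return _header(headers, "X-Requested-With") is not None


def expected_origin(headers, scheme="https"):
    """Origin the API should see, derived from Host (scheme is assumed).
    When the reverse proxy does not forward Host, this yields the proxy
    target's own address, e.g. https://127.0.0.1:6787, so no real
    browser request can ever match it."""
    host = _header(headers, "Host")
    return f"{scheme}://{host}" if host else None


def origin_matches(headers, scheme="https"):
    """Strategy 2 (the earlier patch): compare Origin, or failing that the
    origin part of Referer, with expected_origin(). Requests carrying
    neither header are rejected; the same-origin web admin always sends
    at least one of them."""
    expected = expected_origin(headers, scheme)
    if expected is None:
        return False
    origin = _header(headers, "Origin")
    if origin is None:
        referer = _header(headers, "Referer")
        if not referer:
            return False
        parts = urlsplit(referer)
        if not parts.scheme or not parts.netloc:
            return False
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin.lower() == expected.lower()


# Constructed sample requests (not captured traffic).
WEB_ADMIN = {"Host": "example.test", "Origin": "https://example.test",
             "X-Requested-With": "XMLHttpRequest"}
FORGED_FORM = {"Host": "example.test", "Origin": "https://other.test"}
UNPROXIED = {"Host": "127.0.0.1:6787", "Origin": "https://example.test",
             "X-Requested-With": "XMLHttpRequest"}

if __name__ == "__main__":
    for name, req in [("web admin", WEB_ADMIN),
                      ("forged form", FORGED_FORM),
                      ("Host not forwarded", UNPROXIED)]:
        print(f"{name:20} custom-header={has_custom_header(req)} "
              f"origin={origin_matches(req)}")
```

The origin comparison is the stronger check but depends on the proxy: besides forwarding Host, the scheme has to be known (here assumed), and a Host value that carries an explicit port such as example.test:443 will not equal a browser's Origin of https://example.test, so a deployment using it should normalise default ports before comparing.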

@randomstuff

Contributor Author

randomstuff commented Oct 11, 2018

> apparently it can be broken with some versions of Flash

AFAIU this is only true if you have /crossdomain.xml (and a Flash plugin installed).

@alexAubin

Member

alexAubin commented Oct 24, 2018

Hmmm, I'm no CSRF expert, but reading the discussion, naively that looks ok/good enough? Any opinion on this?

@alexAubin alexAubin added this to the 3.3.x milestone Oct 24, 2018

@randomstuff randomstuff referenced this pull request Nov 4, 2018

Merged

CSRF protection #44

@alexAubin alexAubin modified the milestones: 3.3.x, 3.4.x Nov 27, 2018

@alexAubin
Member

alexAubin left a comment

Looks good to me though I'm no security expert.

Proposing to merge soon except if somebody has better ideas ...

@alexAubin alexAubin merged commit 84c9a74 into YunoHost:stretch-unstable Dec 2, 2018

1 check failed

continuous-integration/travis-ci/pr The Travis CI build failed