Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

API needs authentication or to stop using POST #137

Open
lahwran opened this issue Jun 26, 2023 · 4 comments
Open

API needs authentication or to stop using POST #137

lahwran opened this issue Jun 26, 2023 · 4 comments

Comments

@lahwran
Copy link

lahwran commented Jun 26, 2023

Arbitrary websites can request localhost urls unless they have the appropriate headers, and this only protects against some request types. Specifically, POST is not blocked by a lack of an Access-Control-Allow-Origin header. ActivityWatch does not appear to have one, so the browser should block requests from webpages loaded from remote urls.

$ curl -vv -H "Origin: http://attacker.com" http://localhost:5600
*   Trying 127.0.0.1:5600...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 5600 (#0)
> GET / HTTP/1.1
> Host: localhost:5600
> User-Agent: curl/7.68.0
> Accept: */*
> Origin: http://attacker.com
> 
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Server: Werkzeug/2.1.2 Python/3.9.14
< Date: Mon, 26 Jun 2023 15:13:41 GMT
< Content-Disposition: inline; filename=index.html
< Content-Type: text/html; charset=utf-8
< Content-Length: 1683
< Last-Modified: Mon, 26 Sep 2022 19:14:27 GMT
< Cache-Control: no-cache
< Date: Mon, 26 Jun 2023 15:13:41 GMT
< Connection: close

https://about.gitlab.com/blog/2021/09/07/why-are-developers-vulnerable-to-driveby-attacks/

@johan-bjareholt
Copy link
Member

johan-bjareholt commented Jun 26, 2023

We have CORS setup with flask_cors so this should not be possible.
Either something has changed in newer aw-server versions, or you are running you aw-server with custom origins enabled (you can do that either with an CLI argument or by enabling it in the config file for aw-server).

def _config_cors(cors_origins: List[str], testing: bool):

Can you reproduce it with aw-server-rust as well? We are using rocket_cors in aw-server-rust, worked a few months ago at least.

I'm unfortunately on vacation and dont have a laptop with me, so I can't reproduce ATM.

@ErikBjare
Copy link
Member

Looking at that source file, I notice that the CORS headers are only configured for the /api/* endpoints.

That should probably be fixed.

@lahwran
Copy link
Author

lahwran commented Jun 26, 2023

I don't see any fixable bug in CORS, and my report may have been misleading; what I'm reporting is that the lack of authentication means having correct CORS configuration does not block POST, and so authentication is needed. But I also might have misunderstood CORS. I'll double check on latest.

@ErikBjare
Copy link
Member

ErikBjare commented Jun 27, 2023

No, I think you're right.

I've thought through this before (a long time ago) and came to the conclusion it was not a (significant) issue, at the time.

I still think there's not much of an issue in our case (except maybe a low-severity disk-spam/DoS vuln), but you are right: other origins can make cross-site POST requests, they just won't see the response. (https://security.stackexchange.com/questions/183981/why-dont-browsers-block-cross-site-posts-by-default)

I'm sick right now, so don't have the brain power for security mindset. But we should look into if we can remedy this. (check Origin header server-side?)

Thank you for raising this issue again, always appreciate an extra set of eyes on security.

Edit: asked ChatGPT too just for reference. I think it covers the issue pretty well: https://chat.openai.com/share/2a9730d7-e762-4075-8b49-2c6ebc4a3d7b

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants