Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NIFI-10871 Skip CSRF processing for replicated HTTP requests #6715

Closed
wants to merge 2 commits into from
Closed

NIFI-10871 Skip CSRF processing for replicated HTTP requests #6715

wants to merge 2 commits into from

Conversation

exceptionfactory
Copy link
Contributor

Summary

NIFI-10871 Adds a new Servlet Filter to the application Spring Security Filter Chain configuration for skipping Cross-Site Request Forgery processing on HTTP requests replicated between cluster nodes.

The introduction of CSRF mitigation using the standard Spring Security CsrfFilter causes the application to generate and set a __Secure-Request-Token cookie on HTTP responses. This is not necessary for requests replicated from one cluster node to another. As a result of the current behavior, requests to cluster nodes can return intermittent HTTP 403 responses when a client web browser sends mismatched __Secure-Request-Token Cookie and Request-Token Header values.

Skipping CSRF token generation for cluster replicated requests avoids introducing a new value for the __Secure-Request-Token Cookie, which resolves intermittent HTTP 403 responses in clustered deployments. The new SkipReplicatedCsrfFilter matches HTTP requests based on the presence of the custom X-RequestTransactionId, which the standard Request Replicator applies to replicated requests.

Tracking

Please complete the following tracking steps prior to pull request creation.

Issue Tracking

Pull Request Tracking

  • Pull Request title starts with Apache NiFi Jira issue number, such as NIFI-00000
  • Pull Request commit message starts with Apache NiFi Jira issue number, as such NIFI-00000

Pull Request Formatting

  • Pull Request based on current revision of the main branch
  • Pull Request refers to a feature branch with one commit containing changes

Verification

Please indicate the verification steps performed prior to pull request creation.

Build

  • Build completed using mvn clean install -P contrib-check
    • JDK 8
    • JDK 11
    • JDK 17

Licensing

  • New dependencies are compatible with the Apache License 2.0 according to the License Policy
  • New dependencies are documented in applicable LICENSE and NOTICE files

Documentation

  • Documentation formatting appears as expected in rendered files

@exceptionfactory
NIFI-10871 Skipped CSRF processing for replicated HTTP requests
ff5c575 
- Updated Security Filter Configuration to avoid unnecessary CSRF Request Token generation for requests replicated between cluster nodes
tpalfy
tpalfy reviewed Nov 24, 2022
View reviewed changes
...i-web-security/src/main/java/org/apache/nifi/web/security/csrf/SkipReplicatedCsrfFilter.java
@Override
protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response, final FilterChain filterChain) throws ServletException, IOException {
if (REQUEST_MATCHER.matches(request)) {
CsrfFilter.skipRequest(request);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wondering, won't it become too easy to mount a CSRF attack by adding such a header to a forged request?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the feedback @tpalfy. Setting a custom HTTP header requires running custom JavaScript code, which is not possible from standard CSRF attacks.

I pushed a change to also check for the absence of the __Secure-Authorization-Bearer Cookie as part of the Request Matcher. This means that requests containing the Bearer Cookie will trigger the standard CSRF Filter regardless of the presence of the Replicated Header. This serves as an additional sanity check, and still works for replicated requests, because the cluster Request Replicator removes the Bearer Cookie before sending to other nodes.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm okay with it. Just noting that IF the server is/becomes vulnerable to XSS, with this change it may automatically become vulnerable to CSRF as well.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A Cross-Site Scripting vulnerability would be able to make use of existing JavaScript request processing that adds the custom request token header to all requests. The __Secure-Authorization-Bearer token is not accessible from JavaScript, so the impact of an XSS attack is somewhat limited in that regard. The introduction of this new filter for skipping replicated requests should not alter the impact of a theoretical XSS vulnerability.

kulikg
kulikg reviewed Nov 24, 2022
View reviewed changes
...i-web-security/src/main/java/org/apache/nifi/web/security/csrf/SkipReplicatedCsrfFilter.java
@Override
protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response, final FilterChain filterChain) throws ServletException, IOException {
if (REQUEST_MATCHER.matches(request)) {
CsrfFilter.skipRequest(request);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would suggest you to mark forged requests in logs using MDC. So that any activity in a NiFi instance resulted by a forged request could have a mark like [forged] in the log entry. This could improve clarity.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the feedback @kulikg. The standard Spring Security CsrfFilter will throw a specialized CSRF Token Exception for requests with mismatching tokens. Enabling Spring Security logging provides additional details, and if some other tracking is necessary, it seems like that would be better to address in a separate issue.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I took a look and it seems MDC is not introduced yet. We may consider to add it later on.

@asfgit asfgit closed this in d55fb91 Nov 29, 2022
@tpalfy
Copy link
Contributor

tpalfy commented Nov 29, 2022

Thanks @exceptionfactory for your work!
LGTM, merged to main.

asfgit pushed a commit that referenced this pull request Nov 30, 2022
@exceptionfactory @joewitt
NIFI-10871 Skipped CSRF processing for replicated HTTP requests
4aa86b8 
- Updated Security Filter Configuration to avoid unnecessary CSRF Request Token generation for requests replicated between cluster nodes

This closes #6715.

Signed-off-by: Tamas Palfy <tpalfy@apache.org>
lizhizhou pushed a commit to lizhizhou/nifi that referenced this pull request Jan 2, 2023
@exceptionfactory @lizhizhou
NIFI-10871 Skipped CSRF processing for replicated HTTP requests
36d22ea 
- Updated Security Filter Configuration to avoid unnecessary CSRF Request Token generation for requests replicated between cluster nodes

This closes apache#6715.

Signed-off-by: Tamas Palfy <tpalfy@apache.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kulikg kulikg kulikg left review comments

@tpalfy tpalfy tpalfy left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@exceptionfactory @tpalfy @kulikg