
NIFI-12487 Add CSRF Protection to Registry #8136

Merged
merged 1 commit into from Dec 18, 2023

Conversation

exceptionfactory

Summary

NIFI-12487 Adds Cross-Site Request Forgery protection to NiFi Registry using the Spring Security CSRF Filter and several components that follow the same approach currently implemented for NiFi CSRF protection.

NiFi Registry does not use cookies for passing Application Bearer Tokens, and instead relies on the HTTP Authorization header being populated by a custom JavaScript request interceptor. This approach mitigates a number of potential threats. Introducing the CSRF Filter provides an additional layer of protection. Following a strategy similar to NiFi, the CSRF Request Matcher is based on the default Spring Security HTTP Method matching plus the presence of the Request Token cookie. This enables programmatic clients to continue working without reconfiguration, while requiring browser-based clients to pass the Request-Token header, as implemented through updates to the JavaScript request interceptor.

Tracking

Please complete the following tracking steps prior to pull request creation.

Issue Tracking

Pull Request Tracking

  • Pull Request title starts with Apache NiFi Jira issue number, such as NIFI-00000
  • Pull Request commit message starts with Apache NiFi Jira issue number, such as NIFI-00000

Pull Request Formatting

  • Pull Request based on current revision of the main branch
  • Pull Request refers to a feature branch with one commit containing changes

Verification

Please indicate the verification steps performed prior to pull request creation.

Build

  • Build completed using mvn clean install -P contrib-check
    • JDK 21

Licensing

  • New dependencies are compatible with the Apache License 2.0 according to the License Policy
  • New dependencies are documented in applicable LICENSE and NOTICE files

Documentation

  • Documentation formatting appears as expected in rendered files

- Added CSRF Token Repository based on existing implementation
- Updated Angular Request Interceptor to read cookie and send Request-Token Header

@dan-s1 dan-s1 left a comment


I just noted some style issues where with some slight changes the code can be shortened.


@bbende bbende left a comment


Looks good to me, verified the request token is being set in the Cookie and sent back in the header

@bbende bbende merged commit 2794193 into apache:main Dec 18, 2023
5 checks passed
3 participants