-
Notifications
You must be signed in to change notification settings - Fork 292
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Signed attachment urls #129
Conversation
7c20c7c
to
8ac9ab0
Compare
I've been wanting to do something similar, after @joeljunstrom's suggestion. That being said, this PR has a few problems which have to be adressed before we can consider merging this.
|
That being said, thank you for putting this together. This is definitely something we need and should have. |
I'm also wondering if this should be the default. It makes it hard/impossible to generate URLs client-side, which is annoying, but it's also quite sensible from a security perspective. |
Ok, thanks for the feedback. I can take another pass at this with some additional input:
expected = Digest::SHA1.hexdigest(request.path)
actual = Digest::SHA1.hexdigest(params[:token])
expected == actual Additionally the comparison could happen later in the request, perhaps after retrieving the file from store and processing, at the risk of wasting resources. |
I think we want something like: token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha1"), secret, request.path)
expected = Digest::SHA1.hexdigest(token)
actual = Digest::SHA1.hexdigest(params[:token])
expected == actual Or something like that. Seems like Sha1 is good enough. |
8ac9ab0
to
4128a39
Compare
Inserts the :token param to attachment urls to provide a security measure against unverfied requests and DoS. This changes the url scheme such that previously-cached resources will need to be "re-cached" Add Security middleware to verify non-upload, signed requests Add Security middleware to verify non-upload, signed requests doc upload spec WIP rubocop: security.rb WIP rubocop: spec/refile/app_spec.rb generate signed attachment urls with Refile.sha when secret token is set generate signed attachment urls with Refile.sha when secret token is set WIP rubocop: lib/refile.rb WIP rubocop: spec/refile_spec.rb WIP use HMAC impl for token WIP rename sha -> token WIP modify sinatra app with required token param WIP rubocop WIP restore features
4128a39
to
8710ebf
Compare
provides convenience for generating URLs in development and debugging WIP remove default config
8710ebf
to
dc3a8b6
Compare
Here's take 2 with the suggested changes. To take advantage of the security feature, developers would have to configure the secret token explicitly. It may be worth noting in the README the new URL scheme also means cold cache after upgrading for those running Refile behind CDN in production. |
Until we have a clear use case of the need to generate url's client side maybe this should be enforced ( I realize this breaks existing installations but I think the feature warrants it. |
I agree with @joeljunstrom. Also we should document somewhere what the secret_token should look like. IIRC Rails throws an error if it's too short, which is probably a good thing. |
raise informative error when token not set WIP raise error
less likely to be confused with the generated token based on the secret_key
OK, now an informative error is raised when the secret is missing (borrowing from Devise). I can add an additional check for length if necessary. I've added README instructions as well. |
Would it make sense to default the token to Rails' session token? That way we don't have to add a separate step in the README for it, and most people would by default have a very good, very secure value as their token. |
Good idea. I could add an engine initializer for that. |
Sounds great :) |
tries hard to work for several recent versions of Rails
Added an initializer that works against the |
Done! @rossta thank you so much for an excellent PR, and for hanging in there through all feedback. You did a really fantastic job! |
Rock on, thanks @jnicklas! 🎸 |
It's unfortunate that clients can't generate URLs now, which nihilates the flexibility of URLs when your backend and frontend are separate. But I see why this has to be a default, it would really suck if someone could DoS your application so easily. If the token wouldn't depend on the path, then the attacker would just need to find out the token from one image URL, and still have the same power. |
Adds ability to generate signed attachment urls by configuring `Refile.secret_token' as security against DoS and generation of unauthorized processing.