Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Live: Rely on app url for origin check #35983

Merged
merged 3 commits into from
Jun 23, 2021
Merged

Live: Rely on app url for origin check #35983

merged 3 commits into from
Jun 23, 2021

Conversation

FZambia
Copy link
Contributor

@FZambia FZambia commented Jun 21, 2021
edited by marefr

What this PR does / why we need it:

At this moment we follow same origin strategy for WS connections, in current implementation this requires request Host to be properly set. Unfortunately this means that HTTP Host header should be properly passed on load balancer level (keeping port part, for example using $http_host Nginx variable). Here we change the check function to look at AppURL (root_url in configuration) for origin check - thus all requests from browsers using public URL should be authorized by Live.

Which issue(s) this PR fixes:

Fixes #34537

@FZambia FZambia requested review from ryantxu and marefr June 21, 2021 08:51
@FZambia FZambia requested a review from a team as a code owner June 21, 2021 08:51
@FZambia FZambia requested review from wbrowne and removed request for a team June 21, 2021 08:51
@FZambia FZambia mentioned this pull request Jun 21, 2021
Closed
wbrowne
wbrowne approved these changes Jun 21, 2021
View reviewed changes
Copy link
Member

@wbrowne wbrowne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Was just thinking would it be simpler to pass the AppURL as part of the WebsocketConfig instead? But maybe that's mixing concerns - don't have enough context to fully judge

@FZambia
Copy link
Contributor Author

FZambia commented Jun 21, 2021

Was just thinking would it be simpler to pass the AppURL as part of the WebsocketConfig instead?

One of 2 WebsocketConfig is part of Centrifuge lib - it accepts CheckOrigin func only, so passing AppURL is not possible for it.

@FZambia FZambia added the old backport v8.0.x Mark PR for automatic backport to v8.0.x label Jun 21, 2021
ryantxu
ryantxu reviewed Jun 21, 2021
View reviewed changes
pkg/services/live/live.go
@@ -277,6 +290,23 @@ func (g *GrafanaLive) Init() error {
return nil
}

func checkOrigin(r *http.Request, appURL *url.URL) bool {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My only concern is when appURL = "localhost:3000"

This usually means that the appURL was not actually configured. In the frontend, we decided to just use the browser URL rather than having an error that everyone needs to fix. Can we do the same here? essentially skip verification if it is not specified?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

localhost:3000 will work since if root_url not configured then appURL is http://localhost:3000/.

Approach in this pr won't work if root_url set to sth like https://mygrafana.example.com but user tries to open http://localhost:3000/ which is an actual upstream behind https://mygrafana.example.com.

In theory we can skip check if Origin starts with http://localhost: - in this case I can only imagine a case where a user can hijack WS connection for it's own account only. But this won't help a lot with cases where Grafana instance is accessed over ip: like 127.0.0.1:3000 or 10.0.0.1:3000 etc.

@ryantxu ryantxu self-requested a review June 22, 2021 15:55
@FZambia FZambia merged commit 5bbf455 into main Jun 23, 2021
@FZambia FZambia deleted the FZambia/live_origin_check_fix branch June 23, 2021 16:51
grafanabot pushed a commit that referenced this pull request Jun 23, 2021
@FZambia @grafanabot
Live: rely on app url for origin check (#35983)
4cb7079 
(cherry picked from commit 5bbf455)
@grafanabot grafanabot mentioned this pull request Jun 23, 2021
Merged
FZambia added a commit that referenced this pull request Jun 23, 2021
@grafanabot @FZambia
Live: rely on app url for origin check (#35983) (#36089)
24c9820 
(cherry picked from commit 5bbf455)

Co-authored-by: Alexander Emelin <frvzmb@gmail.com>
@marefr
Copy link
Member

marefr commented Jun 24, 2021
edited

@FZambia this and the backport PR lacks a milestone which is important to keep track of which changes went into which release, Please assign milestone. This should probably have "add to changelog" label as well since a bug fix and it should be included in the release notes/changelog.

@FZambia FZambia added this to the 8.0.4 milestone Jun 24, 2021
This was referenced Jun 30, 2021
Closed
Closed
@jackw jackw changed the title Live: rely on app url for origin check Live: Rely on app url for origin check Jun 30, 2021
bryanuribe pushed a commit to open-o11y/grafana that referenced this pull request Aug 6, 2021
@FZambia @bryanuribe
Live: rely on app url for origin check (grafana#35983)
a1c67d6
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ryantxu ryantxu ryantxu approved these changes

@wbrowne wbrowne wbrowne approved these changes

@marefr marefr Awaiting requested review from marefr

Assignees
No one assigned
Labels
add to changelog area/backend area/streaming old backport v8.0.x Mark PR for automatic backport to v8.0.x
Projects
None yet
Milestone
8.0.4
Development

Successfully merging this pull request may close these issues.

no live updates; /api/live/ws always returns 403
5 participants
@FZambia @marefr @ryantxu @wbrowne @grafanabot