Exempt files#show_relative from protect_from_forgery #945
Conversation
Opened instructure#945 to pull into upstream.
|
Any feedback? |
|
FWIW, if this fixes downloading files (stored on the local backend) this would be greatly helpful to our team too. If someone can provide an alternative work-around through configuration that would be great too for now. |
|
Thanks for the contribution @grahamb, sorry it's taken us so long to look at this. I have asked someone on the canvas team to review it. I know that it won't be merged without tests at the very least, but it's probably worth looking into the security implications first. |
grahamb
force-pushed
the
csrf-files-controller-show-relative
branch
from
f21d53f
to
4f28243
Compare
|
@omarkhan fair enough! I opened this to start that discussion; we've been running with this patch since November but it's a very blunt instrument. If there's a better way to handle this I'm all for it. My branch has diverged quite a bit from master since November, so I just rebased and pushed up again. |
|
Hi @grahamb - unfortunately I couldn't get any buy-in from product to work on this. It's definitely a legit bug but since we don't use local storage in this way it's not something that affects us directly. If you have time to come up with a fix that is more targeted I'd be happy to revisit this, but until then I'm going to close the PR. Thanks again for the contribution though, and feel free to get in touch if you have any questions! |
|
Hi @omarkhan - that's disappointing to hear that you couldn't get any buy-in. As you note, it's a real bug. Using local storage is fairly common in the open-source Canvas world, and it's one of the largest sources of bugs due to it not being used by Instructure. |
|
That's a fair point @grahamb. I'll leave this pull request open to track the issue. |
|
Thanks for keeping this on the radar, @omarkhan. We'll try here to see if we can find a good solution; any input from your side is always appreciated ;) |
|
We would also like to see a real fix for this issue. If local storage is a supported feature, bugs like this (and #1064) should be resolved. Thanks all. |
|
@grahamb What are your thoughts on adding a call to |
|
@defektive I'll take a look at doing that, as soon as I can figure out why my docker env is throwing a |
|
@defektive just want to confirm: are you suggesting that we:
That does seem to work (in that the JS file is allowed to be accessed). I'm not sure the second step is required if |
|
@grahamb I am not sure about the 2nd step also. Ideally we could make this an opt-in setting, or specifically tag branding files to be allowed. The way it currently is (if your testing goes well), puts us in a nice place where open source isn't borked, and not all files are bypassing CSRF protections. |
grahamb
force-pushed
the
csrf-files-controller-show-relative
branch
from
4f28243
to
f11849a
Compare
|
Some quick testing shows that the |
|
@grahamb can you add a test to make sure we are/are not verifying authenticity for the appropriate contexts? |
|
I've been working on tests but I'm having trouble with it – I can create an attachment on the Account, but the test user can't download it; it throws a 401 Unauthorized. I posted a couple of times in IRC last week about it but didn't get a response:
|
|
@defektive ok -- got a couple of tests wired up. |
grahamb
force-pushed
the
csrf-files-controller-show-relative
branch
from
b8d6f36
to
438f451
Compare
|
Awesome! Thanks for getting that added! |
|
Hi @grahamb, thanks for your contribution! Your code is being reviewed by our developers. Once the review is complete, I'll A) post code review comments here if changes are requested, or B) merge the code if it is deemed ready-to-merge. |
|
@spencerolson let me know if you'd like me to squash the commits. |
|
@grahamb I squashed them into one commit on our side before passing onto the devs for review, thanks though! |
|
@grahamb D'oh, it looks like 8dfd1f9 just landed and caused a merge conflict here. Would you mind pushing up a new commit with conflicts resolved? Also, if you could squash the commits, that would be great :D Still waiting on a full code review from our developers on this one, but I did notice there were some trailing whitespaces in the commit; not a big deal but if you could remove those trailing whitespaces with the new commit, that would be excellent. Let me know if you have any questions. Spencer |
Rails 4.1 introduces CSRF protection from remote <script> tags. This prevents locally-stored JavaScript files uploaded as part of a brand config from loading. This change enforces CSRF protection for non-Account-context files, but allows Account-context files to be downloaded. Test plan: 1. Create a new brand config. 2. Add a JS file to the brand config. 3. Save and apply the brand config. 4. The JS file should load and execute on page-load, and should not be blocked by CSRF.
grahamb
force-pushed
the
csrf-files-controller-show-relative
branch
from
438f451
to
614d13c
Compare
|
@spencerolson done! You might want to have @lukfugl verify that his change still works as well with this in place as we're now both monkeying with the There are some |
|
@grahamb awesome, I'm running your newest commit through the build right now. Hopefully those failing Thanks for the heads up; I'll add @lukfugl as a reviewer. He took a gander at it in an earlier form (I saw your commit was going to conflict with his and gave him a heads up) and I think the two commits will jive together just fine. I ran script/rlint on your commit and noticed a few relevant INFO comments: Doesn't seem like any of those are show-stoppers, but I'll leave that decision to the devs who review this one. Also seeing some trailing whitespaces here: Thanks again for your contribution and I'll let you know if I see any test failures when the build finishes. Spencer |
|
Wohoo! All tests passed. those Thanks! |
|
I'm only seeing extra whitespace on As for the rlint issues, I can fix them, but in my experience with the Canvas codebase (and the rest of |
|
Yeah @grahamb I wouldn't worry about it. I'll let you know when I hear back from reviewers on this one. Thanks again for your contribution! |
Rails 4.1 introduces CSRF protection from remote <script> tags. This prevents locally-stored JavaScript files uploaded as part of a brand config from loading. This change enforces CSRF protection for non-Account-context files, but allows Account-context files to be downloaded. Test plan: 1. Create a new brand config. 2. Add a JS file to the brand config. 3. Save and apply the brand config. 4. The JS file should load and execute on page-load, and should not be blocked by CSRF. closes CORE-844 closes GH-945 Change-Id: Id59c139a379b286af610947824fedad63b6b7113 Reviewed-on: https://gerrit.instructure.com/137416 Reviewed-by: Brent Burgoyne <bburgoyne@instructure.com> Tested-by: Jenkins QA-Review: Tucker McKnight <tmcknight@instructure.com> Product-Review: Brent Burgoyne <bburgoyne@instructure.com>
Rails 4.1 introduces CSRF protection from remote <script> tags. This prevents locally-stored JavaScript files uploaded as part of a brand config from loading.
The security implications of exempting
show_relativeneeds to be discussed. It would be nice if this could be scoped to account-context files only.Test plan:
A signed CLA is on file under my employer, Simon Fraser University.