New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Outsource CSRF validation #38445
base: master
Are you sure you want to change the base?
Outsource CSRF validation #38445
Conversation
66b78c5
to
67a7fab
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would refactoring OC\AppFramework\Http\Request::passesCSRFCheck
to use the new CsrfValidator
create more dependency hell? It would avoid to have the logic in two different places.
67a7fab
to
ac0652e
Compare
I agree, having the logic in two different places it not an improvement. The goal is to remove passesCSRFCheck and the CSRFTokenManager from IRequest. |
ac0652e
to
3cb076e
Compare
3cb076e
to
6830563
Compare
f806386
to
6f3ac85
Compare
ca94de7
to
4ba5a0e
Compare
But now all the classes need CsrfValidator and that still needs CsrfTokenManager? |
That's correct. IRequest.passesCSRFCheck is only needed in a couple of places, but IRequest is injected in many more classes. |
I'm having the idea of making IRequest lighter for a while now. We are injecting an IRequest instance in a couple of places. For example, the logger. It makes sense, to include some details from the request object (e.g. request id, ip address, etc.) in our logs, but that requires a CsrfTokenManager instance and therefore a working database connection and cache. As soon as db or cache is unavailable, you can't use the logger anymore. Examples: |
3 years, not 3 versions xP so 36 😔 |
But okay, got it now and see how it improves. Could also remove the dependency already and just depend on |
4ba5a0e
to
fe647d5
Compare
😭
Good idea 👍 |
832af79
to
718c25f
Compare
877f6fd
to
807fd72
Compare
807fd72
to
079df3c
Compare
079df3c
to
57dbd17
Compare
57dbd17
to
8de8409
Compare
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
8de8409
to
cddd9ba
Compare
@@ -201,6 +201,7 @@ public function getCookie(string $key); | |||
* | |||
* @return bool true if CSRF check passed | |||
* @since 6.0.0 | |||
* @deprecated 28.0.0 use CsrfValidator.validate instead |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* @deprecated 28.0.0 use CsrfValidator.validate instead | |
* @deprecated 28.0.0 use \OCP\Security\CSRF\ICsrfValidator::validate instead |
*/ | ||
interface ICsrfValidator { | ||
/** | ||
* @since 28.0.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
description?
|
||
declare(strict_types=1); | ||
|
||
namespace OCP\Security\CSRF; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
namespace OCP\Security\CSRF; | |
namespace OCP\Security\Csrf; |
maybe
https://stackoverflow.com/questions/2236807/java-naming-convention-with-acronyms
Moving to 29 |
Summary
To validate a CSRF token the Request object needs CsrfTokenManager.
CsrfTokenManager is a heavy dependency.
TODO
Checklist