Permalink
Show file tree
Hide file tree
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
Merge pull request from GHSA-chhr-gxrg-64x7
Security/cors configuration
- Loading branch information
Showing
11 changed files
with
231 additions
and
19 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| .. _client-development-cors: | ||
|
|
||
| Cross-Origin Resource Sharing (CORS) | ||
| ==================================== | ||
|
|
||
| Some clients develop against Open Zaak using single-page-application technology that | ||
| runs completely in the browser, such as React, Angular or other frameworks. | ||
|
|
||
| Open Zaak must be deployed with an appropriate CORS-configuration for this. | ||
|
|
||
| .. note:: We always recommend using an API gateway/own backend to communicate with Open | ||
| Zaak. It's simpler because you don't have to deal with CORS, and there's less risk | ||
| of credentials/secrets leaking. You should **never** store client ID/secret in your | ||
| dist bundle(s). | ||
|
|
||
| Production-grade settings | ||
| ------------------------- | ||
|
|
||
| In production-like environments, we recommend using an explicit allow-list for the | ||
| trusted origins. This requires deploying Open Zaak with | ||
| ``CORS_ALLOWED_ORIGINS=https://my-app.example.com``, where ``https://my-app.example.com`` | ||
| is the domain where the application is deployed. | ||
|
|
||
| Development/experimental configuration | ||
| -------------------------------------- | ||
|
|
||
| If you're running Open Zaak locally or on an environment with dummy data for | ||
| development purposes, you can grant CORS access to every possible client using | ||
| ``CORS_ALLOW_ALL_ORIGINS=True`` in the Open Zaak deployment. | ||
|
|
||
| Separation of administrative interface and API | ||
| ---------------------------------------------- | ||
|
|
||
| The administrative interface authenticates using session cookies, while the APIs use | ||
| the ``Authorization`` header with bearer tokens. | ||
|
|
||
| The session cookies are never sent on cross-domain requests, and the CORS configuration | ||
| is configured to not allow credentials (which are typically session cookies). The API | ||
| with the ``Authorization`` header is not affected by this policy. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -12,4 +12,5 @@ Please select your relevant topic | |
| :maxdepth: 2 | ||
|
|
||
| authentication | ||
| cors | ||
| recipes | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,148 @@ | ||
| # SPDX-License-Identifier: EUPL-1.2 | ||
| # Copyright (C) 2019 - 2020 Dimpact | ||
| # | ||
| # Documentation on CORS spec, see MDN | ||
| # https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request | ||
| from unittest.mock import patch | ||
|
|
||
| from django.test import override_settings | ||
| from django.urls import path | ||
|
|
||
| from rest_framework import views | ||
| from rest_framework.response import Response | ||
| from rest_framework.test import APITestCase | ||
|
|
||
| from openzaak.accounts.tests.factories import SuperUserFactory | ||
|
|
||
|
|
||
| class View(views.APIView): | ||
| def get(self, request, *args, **kwargs): | ||
| return Response({"ok": True}) | ||
|
|
||
| post = get | ||
|
|
||
|
|
||
| urlpatterns = [path("cors", View.as_view())] | ||
|
|
||
|
|
||
| class CorsMixin: | ||
| def setUp(self): | ||
| super().setUp() | ||
| mocker = patch( | ||
| "openzaak.utils.middleware.get_version_mapping", return_value={"/": "1.0.0"} | ||
| ) | ||
| mocker.start() | ||
| self.addCleanup(mocker.stop) | ||
|
|
||
|
|
||
| @override_settings(ROOT_URLCONF="openzaak.tests.test_cors_configuration") | ||
| class DefaultCORSConfigurationTests(CorsMixin, APITestCase): | ||
| """ | ||
| Test the default CORS settings. | ||
| """ | ||
|
|
||
| def test_preflight_request(self): | ||
| """ | ||
| Test the most basic preflight request. | ||
| """ | ||
| response = self.client.options( | ||
| "/cors", | ||
| HTTP_ACCESS_CONTROL_REQUEST_METHOD="POST", | ||
| HTTP_ACCESS_CONTROL_REQUEST_HEADERS="origin, x-requested-with", | ||
| HTTP_ORIGIN="https://evil.com", | ||
| ) | ||
|
|
||
| self.assertNotIn("Access-Control-Allow-Origin", response) | ||
| self.assertNotIn("Access-Control-Allow-Credentials", response) | ||
|
|
||
| def test_credentialed_request(self): | ||
| user = SuperUserFactory.create(password="secret") | ||
| self.assertTrue(self.client.login(username=user.username, password="secret")) | ||
|
|
||
| response = self.client.get("/cors", HTTP_ORIGIN="https://evil.com",) | ||
|
|
||
| self.assertNotIn("Access-Control-Allow-Origin", response) | ||
| self.assertNotIn("Access-Control-Allow-Credentials", response) | ||
|
|
||
|
|
||
| @override_settings( | ||
| ROOT_URLCONF="openzaak.tests.test_cors_configuration", | ||
| CORS_ALLOW_ALL_ORIGINS=True, | ||
| CORS_ALLOW_CREDENTIALS=False, | ||
| ) | ||
| class CORSEnabledWithoutCredentialsTests(CorsMixin, APITestCase): | ||
| """ | ||
| Test the default CORS settings. | ||
| """ | ||
|
|
||
| def test_preflight_request(self): | ||
| """ | ||
| Test the most basic preflight request. | ||
| """ | ||
| response = self.client.options( | ||
| "/cors", | ||
| HTTP_ACCESS_CONTROL_REQUEST_METHOD="POST", | ||
| HTTP_ACCESS_CONTROL_REQUEST_HEADERS="origin, x-requested-with", | ||
| HTTP_ORIGIN="https://evil.com", | ||
| ) | ||
|
|
||
| # wildcard "*" prevents browsers from sending credentials - this is good | ||
| self.assertNotEqual(response["Access-Control-Allow-Origin"], "https://evil.com") | ||
| self.assertEqual(response["Access-Control-Allow-Origin"], "*") | ||
| self.assertNotIn("Access-Control-Allow-Credentials", response) | ||
|
|
||
| def test_simple_request(self): | ||
| response = self.client.get("/cors", HTTP_ORIGIN="https://evil.com",) | ||
|
|
||
| # wildcard "*" prevents browsers from sending credentials - this is good | ||
| self.assertNotEqual(response["Access-Control-Allow-Origin"], "https://evil.com") | ||
| self.assertEqual(response["Access-Control-Allow-Origin"], "*") | ||
| self.assertNotIn("Access-Control-Allow-Credentials", response) | ||
|
|
||
| def test_credentialed_request(self): | ||
| user = SuperUserFactory.create(password="secret") | ||
| self.assertTrue(self.client.login(username=user.username, password="secret")) | ||
|
|
||
| response = self.client.get("/cors", HTTP_ORIGIN="https://evil.com",) | ||
|
|
||
| # wildcard "*" prevents browsers from sending credentials - this is good | ||
| self.assertNotEqual(response["Access-Control-Allow-Origin"], "https://evil.com") | ||
| self.assertEqual(response["Access-Control-Allow-Origin"], "*") | ||
| self.assertNotIn("Access-Control-Allow-Credentials", response) | ||
|
|
||
|
|
||
| @override_settings( | ||
| ROOT_URLCONF="openzaak.tests.test_cors_configuration", | ||
| CORS_ALLOW_ALL_ORIGINS=True, | ||
| CORS_ALLOW_CREDENTIALS=False, | ||
| ) | ||
| class CORSEnabledWithAuthHeaderTests(CorsMixin, APITestCase): | ||
| def test_preflight_request(self): | ||
| """ | ||
| Test a pre-flight request for requests including the HTTP Authorization header. | ||
| The inclusion of htis header makes it a not-simple request, see | ||
| https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Simple_requests | ||
| """ | ||
| response = self.client.options( | ||
| "/cors", | ||
| HTTP_ACCESS_CONTROL_REQUEST_METHOD="GET", | ||
| HTTP_ACCESS_CONTROL_REQUEST_HEADERS="origin, x-requested-with, authorization", | ||
| HTTP_ORIGIN="https://evil.com", | ||
| ) | ||
|
|
||
| self.assertEqual(response["Access-Control-Allow-Origin"], "*") | ||
| self.assertIn( | ||
| "authorization", response["Access-Control-Allow-Headers"].lower(), | ||
| ) | ||
| self.assertNotIn("Access-Control-Allow-Credentials", response) | ||
|
|
||
| def test_credentialed_request(self): | ||
| response = self.client.get( | ||
| "/cors", | ||
| HTTP_ORIGIN="http://localhost:3000", | ||
| HTTP_AUTHORIZATION="Bearer foobarbaz", | ||
| ) | ||
|
|
||
| self.assertEqual(response["Access-Control-Allow-Origin"], "*") | ||
| self.assertNotIn("Access-Control-Allow-Credentials", response) |