Enable CSRF via cookie to header approach #1551
Conversation
karriebear
force-pushed
the
feature/1524-CSRF-for-file-uploads
branch
2 times, most recently
from
b2e10c6
to
c3cc9ad
Compare
karriebear
force-pushed
the
feature/1524-CSRF-for-file-uploads
branch
from
2e61ae1
to
6b049bf
Compare
karriebear
force-pushed
the
feature/1524-CSRF-for-file-uploads
branch
from
6b049bf
to
b5afdb5
Compare
| @@ -28,10 +28,11 @@ | |||
| from streamlit import env_util | |||
| from streamlit.ConfigOption import ConfigOption | |||
|
|
|||
| os.environ["STREAMLIT_COOKIE_SECRET"] = "chocolatechip" | |||
There was a problem hiding this comment.
If we are patching the os.environ dict during ConfigTest.setUp(), why do we need modify the real os.environ dict?
There was a problem hiding this comment.
Thanks for the catch. Ideally we would go with patching in ConfigTest.setUp() but unfortunately this conflicts when running all the tests. config.cookieSecret is saved on first call and other tests references this config without the patch, setting the config without using the environment variable. Modifying the os.environ dict here so it can set before any other test will run. Need to clean up ConfigTest.setup()
There was a problem hiding this comment.
Maybe this could be moved inside the setUp() function then, given that we try to delete it during tearDown()?
There was a problem hiding this comment.
If we move it into setUp(), it looks like it's too late. config.cookieSecret gets set and saved to a random value from another test calling it. by the time config_test runs and sets up the environment variable, we already have a random value set assuming no environment variable exist.
I should actually remove the deleting of the variable into the actual test instead of tearDown()
There was a problem hiding this comment.
Ah OK, sounds good, thanks for looking into it!
Co-authored-by: Amey Deshpande <10554902+Amey-D@users.noreply.github.com>
karriebear
force-pushed
the
feature/1524-CSRF-for-file-uploads
branch
from
669ba60
to
d6b65ca
Compare
karriebear
force-pushed
the
feature/1524-CSRF-for-file-uploads
branch
from
d6b65ca
to
c9e795c
Compare
| @@ -28,10 +28,11 @@ | |||
| from streamlit import env_util | |||
| from streamlit.ConfigOption import ConfigOption | |||
|
|
|||
| os.environ["STREAMLIT_COOKIE_SECRET"] = "chocolatechip" | |||
There was a problem hiding this comment.
Maybe this could be moved inside the setUp() function then, given that we try to delete it during tearDown()?
frontend/src/lib/utils.test.ts
Outdated
| @@ -52,3 +52,17 @@ describe("flattenElements", () => { | |||
| ) | |||
| }) | |||
| }) | |||
|
|
|||
| describe("getCookie", () => { | |||
| document.cookie = "flavor=chocolatechip" | |||
There was a problem hiding this comment.
I missed this part earlier, but it looks like document.cookie is a string containing a semicolon-separated list of all cookies (i.e. key=value pairs) (ref). Given getCookie() uses regex, it might be worthwhile adding testcases when the cookie appears at the first and last locations in the list of all cookies:
document.cookie = "flavor=chocolatechip; type=darkchocolate; size=medium"
document.cookie = "type=darkchocolate; flavor=chocolatechip; size=medium"
and
document.cookie = "type=darkchocolate; size=medium; flavor=chocolatechip"
etc
There was a problem hiding this comment.
good point, i'll add more test cases!
karriebear
force-pushed
the
feature/1524-CSRF-for-file-uploads
branch
from
836d054
to
f6664e7
Compare
| @@ -28,10 +28,11 @@ | |||
| from streamlit import env_util | |||
| from streamlit.ConfigOption import ConfigOption | |||
|
|
|||
| os.environ["STREAMLIT_COOKIE_SECRET"] = "chocolatechip" | |||
There was a problem hiding this comment.
Ah OK, sounds good, thanks for looking into it!
* develop: Remove Python 3 reference, add 288 ref (#1582) Use env variable for environment name (#1569) Add diffmazing_cropper.sh to convert diff images from Cypress into snapshots you can commit to Git (#1560) Fix progress bar value (#1573) Updated run_streamlit_remotely.md (#1578) Replace iterrows with itertuples in st.map code (#1562) Pass in server.maxUploadSize to http server max_buffer_size (#1558) Enable CSRF via cookie to header approach (#1551)
* feature/plugins: (CC) Add EventTarget shim (streamlit#1577) Ensure node_modules doesn't land in LocalSourcesWatcher (streamlit#1575) Disable allow-same-origin for security reasons (streamlit#1576) Remove Python 3 reference, add 288 ref (streamlit#1582) Use env variable for environment name (streamlit#1569) Add diffmazing_cropper.sh to convert diff images from Cypress into snapshots you can commit to Git (streamlit#1560) Fix progress bar value (streamlit#1573) Updated run_streamlit_remotely.md (streamlit#1578) Replace iterrows with itertuples in st.map code (streamlit#1562) Pass in server.maxUploadSize to http server max_buffer_size (streamlit#1558) Enable CSRF via cookie to header approach (streamlit#1551)
Issue: Fixes #1524
Description:
server.cookieSecret. Secret can be set inconfig.tomlor as an environment variable or CLI argument. If no secret is provided, a random hex is generated (this is not recommended for deployment to multiple replicas).Contribution License Agreement
By submiting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.