Enable CSRF via cookie to header approach #1551
Conversation
@@ -28,10 +28,11 @@ | |||
from streamlit import env_util | |||
from streamlit.ConfigOption import ConfigOption | |||
|
|||
os.environ["STREAMLIT_COOKIE_SECRET"] = "chocolatechip" |
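Review bot: the module-scope assignment os.environ["STREAMLIT_COOKIE_SECRET"] = "chocolatechip" changes process-wide state for every test collected after this file is imported, and nothing in the hunk says why it cannot live in setUp(); since the thread explains that config.cookieSecret is cached on first read and would otherwise be filled with a random value by whichever test touches it first, put that reason in a comment directly above the line and pair it with the removal of the variable inside the test that asserts on it, so the fixed test secret cannot leak into other tests' view of the config.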
If we are patching the os.environ dict during ConfigTest.setUp(), why do we need to modify the real os.environ dict?
Thanks for the catch. Ideally we would go with patching in ConfigTest.setUp(), but unfortunately this conflicts when running all the tests. config.cookieSecret is saved on first call and other tests reference this config without the patch, setting the config without using the environment variable. Modifying the os.environ dict here so it can be set before any other test will run. Need to clean up ConfigTest.setUp().
Maybe this could be moved inside the setUp() function then, given that we try to delete it during tearDown()?
If we move it into setUp(), it looks like it's too late. config.cookieSecret gets set and saved to a random value from another test calling it. By the time config_test runs and sets up the environment variable, we already have a random value set, assuming no environment variable exists. I should actually move the deletion of the variable into the actual test instead of tearDown().
Ah OK, sounds good, thanks for looking into it!
Co-authored-by: Amey Deshpande <10554902+Amey-D@users.noreply.github.com>
frontend/src/lib/utils.test.ts
@@ -52,3 +52,17 @@ describe("flattenElements", () => { | |||
) | |||
}) | |||
}) | |||
|
|||
describe("getCookie", () => { | |||
document.cookie = "flavor=chocolatechip" |
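Review bot: document.cookie is assigned once at describe() scope rather than in beforeEach(), so the value persists into every other describe block in utils.test.ts, and the jar holds a single cookie, which is the one shape a regex-based getCookie() cannot get wrong; add cases with flavor first, middle and last among several cookies, a case where another cookie's name ends in the looked-up name (for example "xflavor=mint; flavor=chocolatechip"), and a case where the cookie is absent, and reset the jar in afterEach() by writing the cookie back with an expiry in the past, since assigning an empty string to document.cookie does not remove it.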
I missed this part earlier, but it looks like document.cookie is a string containing a semicolon-separated list of all cookies (i.e. key=value pairs) (ref). Given getCookie() uses regex, it might be worthwhile adding testcases when the cookie appears at the first and last locations in the list of all cookies:
document.cookie = "flavor=chocolatechip; type=darkchocolate; size=medium"
document.cookie = "type=darkchocolate; flavor=chocolatechip; size=medium"
and
document.cookie = "type=darkchocolate; size=medium; flavor=chocolatechip"
etc
Good point, I'll add more test cases!
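The cookie-jar cases discussed in the thread above, as an added example that is not code from this PR or from Streamlit's utils.ts: a lookup that splits document.cookie on ";" instead of regex-matching it, so the cookie is found at the first, middle or last position and a name that is merely a suffix of another cookie's name is not mistaken for it, followed by the header-building step of the cookie-to-header CSRF pattern the PR title refers to. The cookie and header names "_xsrf" and "X-XSRFToken" and the sample jars are assumptions constructed for the example, not values taken from the PR.

```javascript
// Added example, not code from the Streamlit PR. Cookie and header names
// ("_xsrf", "X-XSRFToken") and the sample jars below are assumptions.

function getCookieFrom(cookieString, name) {
  // document.cookie is "k1=v1; k2=v2; ..."; walk each pair and compare the
  // trimmed name exactly, so "xflavor" never matches a lookup for "flavor".
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue; // malformed or nameless entry
    const key = part.slice(0, eq).trim();
    if (key === name) {
      // Only the first "=" separates name and value; values may contain "=".
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return undefined; // cookie not present
}

// Browser entry point: same lookup over the live jar.
function getCookie(name) {
  const jar = typeof document !== "undefined" ? document.cookie : "";
  return getCookieFrom(jar, name);
}

// Cookie-to-header step: copy the CSRF token cookie into a request header so
// the server can compare header and cookie. A cross-site page cannot read the
// cookie, so it cannot forge the header. Returns null when the cookie is
// missing so the caller can refuse to send a state-changing request.
function csrfHeaders(cookieString, cookieName = "_xsrf", headerName = "X-XSRFToken") {
  const token = getCookieFrom(cookieString, cookieName);
  if (token === undefined || token === "") return null;
  return { [headerName]: token };
}

// Constructed jars (not captured from a real browser) covering the positions
// the review asked for, plus edge cases a naive regex lookup commonly gets wrong.
const CASES = [
  ["flavor=chocolatechip; type=darkchocolate; size=medium", "chocolatechip"], // first
  ["type=darkchocolate; flavor=chocolatechip; size=medium", "chocolatechip"], // middle
  ["type=darkchocolate; size=medium; flavor=chocolatechip", "chocolatechip"], // last
  ["xflavor=mint; flavor=chocolatechip", "chocolatechip"],                    // suffix collision
  ["flavor=a%3Db%3Bc; other=1", "a=b;c"],                                     // encoded "=" and ";"
  ["type=darkchocolate; size=medium", undefined],                             // absent
];

// One boolean per case: true when the lookup returned the expected value.
function runCases() {
  return CASES.map(([jar, want]) => getCookieFrom(jar, "flavor") === want);
}
```

In a browser the state-changing request would be sent as `fetch(url, { method: "POST", headers: csrfHeaders(document.cookie) })`, and a null result from csrfHeaders should abort the request rather than send it without the header.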
* develop:
  Remove Python 3 reference, add 288 ref (#1582)
  Use env variable for environment name (#1569)
  Add diffmazing_cropper.sh to convert diff images from Cypress into snapshots you can commit to Git (#1560)
  Fix progress bar value (#1573)
  Updated run_streamlit_remotely.md (#1578)
  Replace iterrows with itertuples in st.map code (#1562)
  Pass in server.maxUploadSize to http server max_buffer_size (#1558)
  Enable CSRF via cookie to header approach (#1551)
* feature/plugins:
  (CC) Add EventTarget shim (streamlit#1577)
  Ensure node_modules doesn't land in LocalSourcesWatcher (streamlit#1575)
  Disable allow-same-origin for security reasons (streamlit#1576)
  Remove Python 3 reference, add 288 ref (streamlit#1582)
  Use env variable for environment name (streamlit#1569)
  Add diffmazing_cropper.sh to convert diff images from Cypress into snapshots you can commit to Git (streamlit#1560)
  Fix progress bar value (streamlit#1573)
  Updated run_streamlit_remotely.md (streamlit#1578)
  Replace iterrows with itertuples in st.map code (streamlit#1562)
  Pass in server.maxUploadSize to http server max_buffer_size (streamlit#1558)
  Enable CSRF via cookie to header approach (streamlit#1551)
Issue: Fixes #1524
Description: server.cookieSecret. The secret can be set in config.toml, as an environment variable, or as a CLI argument. If no secret is provided, a random hex is generated (this is not recommended for deployment to multiple replicas).
Contribution License Agreement
By submitting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.