
CSRF attack possibility? #31

Closed
eayin2 opened this issue Nov 26, 2016 · 5 comments

@eayin2

eayin2 commented Nov 26, 2016

Is a REST API around apscheduler not coming with the risk of CSRF attacks, considering that someone could add a job by having you click on a link which sends an HTTP POST request to add a job? https://github.com/viniciuschiele/flask-apscheduler/blob/master/flask_apscheduler/views.py#L35-L46 ?
I'd allow access to flask-apscheduler only from localhost, but it might not be sufficient (see: https://lwn.net/Articles/703485/) if you just click a bad link which knows about your flask-apscheduler service and adds a job to it. If you don't run a web browser on your production server you're fine, because then you don't click on any links, but maybe it should still be considered?

A workaround could be to add jobs via a configuration file (so you are secured by Linux file permissions) and then send a REST API request to reload jobs from the configuration file?

Maybe also adding authentication to HTTP requests could improve security?

@viniciuschiele
Owner

viniciuschiele commented Nov 26, 2016

Hi @eayin2,

I like the idea of adding HTTP authentication, maybe it could use Flask-HTTPAuth?!

e.g.:

from flask import Flask
from flask_httpauth import HTTPBasicAuth
from flask_apscheduler import APScheduler

app = Flask(__name__)

sched = APScheduler()
sched.auth = HTTPBasicAuth()
sched.init_app(app)

@sched.auth.get_password
def get_password(username):
    # get the password from the database; the lookup itself is left
    # to the application (placeholder shown here)
    return ...

And to make a request:

curl -u myusername:mypassword http://localhost:5000/scheduler/jobs

If sched.auth = None, there would be no authentication.

What do you think?

@eayin2
Author

eayin2 commented Nov 26, 2016

Sounds good, and with the requests module an HTTP request would look like:

import requests
from requests.auth import HTTPBasicAuth

requests.get("http://localhost:5000/scheduler/jobs", auth=HTTPBasicAuth("username", "password"))

Hm, I think that should prevent any CSRF attack, and we don't really need confidentiality, so basic HTTP auth should suffice. Also, HTTP requests to flask-apscheduler are preferably sent on the localhost.
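The mitigation discussed in this thread (a job-adding endpoint that rejects requests without valid HTTP Basic credentials, bound to the loopback interface) as an added, stand-alone example. This is not flask-apscheduler's code and does not use Flask; it uses only the Python standard library so it runs offline, and the endpoint path, the `USERS` table and the job payloads are constructed for the example. It also shows the check a defender would want alongside the credential check: the endpoint only accepts a JSON body, so the plain HTML form submission that a cross-site link could trigger is refused with 415 even before the job is parsed. One caveat for operators: browsers cache Basic credentials for a host and replay them automatically, so the protection holds for API clients such as curl or requests that attach credentials explicitly, not for a browser session that has already logged in to the scheduler host.

```python
import base64
import hmac
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed credential store for this example only. A real deployment
# would store a salted password hash and compare against that instead.
USERS = {"scheduler": "s3cret-example"}


def check_basic_auth(header):
    """Return the username if `header` carries valid Basic credentials, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = USERS.get(username)
    # Constant-time comparison; compare_digest returns False on length mismatch.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return username


class SchedulerHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for a scheduler REST endpoint (hypothetical path /scheduler/jobs)."""

    jobs = []  # jobs accepted so far, shared by all requests

    def log_message(self, *args):
        pass  # keep the demo quiet

    def do_POST(self):
        if self.path != "/scheduler/jobs":
            self.send_error(404)
            return
        user = check_basic_auth(self.headers.get("Authorization"))
        if user is None:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="scheduler"')
            self.end_headers()
            return
        # A cross-site HTML form can only send form-encoded bodies; requiring
        # JSON means such a submission is rejected even if credentials were replayed.
        content_type = self.headers.get("Content-Type", "").split(";")[0].strip()
        if content_type != "application/json":
            self.send_error(415)
            return
        length = int(self.headers.get("Content-Length", "0"))
        job = json.loads(self.rfile.read(length))
        type(self).jobs.append(job)
        body = json.dumps({"id": job.get("id"), "added_by": user}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server():
    """Bind to loopback only (as the issue recommends) on an ephemeral port."""
    server = HTTPServer(("127.0.0.1", 0), SchedulerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def add_job(port, job, auth=None, content_type="application/json"):
    """POST a job to the local server and return the HTTP status code."""
    headers = {"Content-Type": content_type}
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    req = Request(f"http://127.0.0.1:{port}/scheduler/jobs",
                  data=json.dumps(job).encode(), headers=headers, method="POST")
    try:
        with urlopen(req) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def demo():
    """Exercise the endpoint with the request shapes discussed in the issue."""
    server = start_server()
    port = server.server_address[1]
    job = {"id": "job1", "func": "mymodule:task"}  # constructed job payload
    results = {
        "no_auth": add_job(port, job),
        "wrong_password": add_job(port, job, auth=("scheduler", "nope")),
        "form_post": add_job(port, job, auth=("scheduler", "s3cret-example"),
                             content_type="application/x-www-form-urlencoded"),
        "ok": add_job(port, job, auth=("scheduler", "s3cret-example")),
    }
    server.shutdown()
    server.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

Running the block prints one status code per request shape: 401 for the unauthenticated and wrong-password posts, 415 for the form-encoded post, and 200 only for the JSON post carrying valid credentials.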

@viniciuschiele
Owner

Hi @eayin2

I did a first version of authentication, it isn't using any external library.

I added an example of how to use it:
https://github.com/viniciuschiele/flask-apscheduler/blob/master/examples/auth.py#L16
https://github.com/viniciuschiele/flask-apscheduler/blob/master/examples/auth.py#L32

Authentication is disabled by default.

Let me know what you think.

@eayin2
Author

eayin2 commented Nov 29, 2016

Just tested it and it works fine for me, thank you! :)

@eayin2 eayin2 closed this as completed Nov 30, 2016
@viniciuschiele
Owner

Hi @eayin2

I've made some changes in the authentication; now there are some classes to deal with the authentication methods.

Take a look at the examples to see how to enable the HTTP basic authentication.

https://github.com/viniciuschiele/flask-apscheduler/blob/master/examples/auth.py#L18
Or
https://github.com/viniciuschiele/flask-apscheduler/blob/master/examples/auth.py#L30
