Mercurial > p > roundup > code
comparison roundup/rest.py @ 7155:89a59e46b3af
improve REST interface security
When using REST, we reflect the client's origin. If the wildcard '*'
is used in allowed_api_origins all origins are allowed. When this is
done, it also added an 'Access-Control-Allow-Credentials: true'
header.
This Credentials header should not be added if the site is matched
only by '*'. This header should be provided only for explicit origins
(e.g. https://example.org) not for the wildcard.
This is now fixed for CORS preflight OPTIONS request as well as normal
GET, PUT, DELETE, POST, PATCH and OPTIONS requests.
A missing Access-Control-Allow-Credentials will prevent the tracker
from being accessed using credentials. This prevents an unauthorized
third party web site from using a user's credentials to access
information in the tracker that is not publicly available.
Added test for this specific case.
In addition, allowed_api_origins can include explicit origins in
addition to '*'. '*' must be first in the list.
Also adapted numerous tests to work with these changes.
Doc updates.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 23 Feb 2023 12:01:33 -0500 |
| parents | 626ef84579a3 |
| children | 6f09103a6522 |
comparison
equal
deleted
inserted
replaced
| 7154:f614176903d0 | 7155:89a59e46b3af |
|---|---|
| 2199 self.client.setHeader( | 2199 self.client.setHeader( |
| 2200 "Access-Control-Allow-Origin", | 2200 "Access-Control-Allow-Origin", |
| 2201 self.client.request.headers.get("Origin") | 2201 self.client.request.headers.get("Origin") |
| 2202 ) | 2202 ) |
| 2203 | 2203 |
| 2204 # allow credentials | 2204 # Allow credentials if origin is acceptable. |
| 2205 self.client.setHeader( | 2205 # |
| 2206 "Access-Control-Allow-Credentials", | 2206 # If Access-Control-Allow-Credentials header not returned, |
| 2207 "true" | 2207 # but the client request is made with credentials |
| 2208 ) | 2208 # data will be sent but not made available to the |
| 2209 # calling javascript in browser. | |
| 2210 # Prevents exposure of data to an invalid origin when | |
| 2211 # credentials are sent by client. | |
| 2212 # | |
| 2213 # If admin puts * first in allowed_api_origins | |
| 2214 # we do not allow credentials but do reflect the origin. | |
| 2215 # This allows anonymous access. | |
| 2216 if self.client.is_origin_header_ok(api=True, credentials=True): | |
| 2217 self.client.setHeader( | |
| 2218 "Access-Control-Allow-Credentials", | |
| 2219 "true" | |
| 2220 ) | |
| 2221 | |
| 2209 # set allow header in case of error. 405 handlers below should | 2222 # set allow header in case of error. 405 handlers below should |
| 2210 # replace it with a custom version as will OPTIONS handler | 2223 # replace it with a custom version as will OPTIONS handler |
| 2211 # doing CORS. | 2224 # doing CORS. |
| 2212 self.client.setHeader( | 2225 self.client.setHeader( |
| 2213 "Allow", | 2226 "Allow", |