Mercurial > p > roundup > code
comparison doc/upgrading.txt @ 5201:a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
and
https://seclab.stanford.edu/websec/csrf/csrf.pdf
Basically implement Synchronizer (CSRF) Tokens per form on a page.
Single use (destroyed once used). Random input data for the token
includes:
system random implementation in python using /dev/urandom
(fallback to random based on timestamp as the seed. Not
as good, but should be ok for the short lifetime of the
token??)
the id (in cpython it's the memory address) of the object
requesting a token. In theory this depends on memory layout, the
history of the process (how many previous objects have been
allocated from the heap etc.) I claim without any proof that for
long running processes this is another source of randomness. For
short running processes with little activity it could be guessed.
last the floating point time.time() value is added. This may
only have 1 second resolution so may be guessable.
Hopefully for a short lived (2 week by default) token this is
sufficient. Also in the current implementation the user is notified when
validation fails and is told why. This allows the roundup admin to find
the log entry (at error level) and try to resolve the issue. In the
future user notification may change but for now this is probably best.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 18 Mar 2017 16:59:01 -0400 |
| parents | e0732fd6a6c7 |
| children | d4cc71beb102 |
comparison
equal
deleted
inserted
replaced
| 5200:16a8a3f0772c | 5201:a9ace22e0a2f |
|---|---|
| 20 .. contents:: | 20 .. contents:: |
| 21 :local: | 21 :local: |
| 22 | 22 |
| 23 Migrating from 1.5.1 to 1.6.0 | 23 Migrating from 1.5.1 to 1.6.0 |
| 24 ============================= | 24 ============================= |
| 25 | |
| 26 Cross Site Request Forgery Detection Added | |
| 27 ------------------------------------------ | |
| 28 | |
| 29 Roundup 1.6. supports a number of defenses against CSRF. | |
| 30 | |
| 31 Http header verification against the tracker's ``web`` | |
| 32 setting in the ``[tracker]`` section of config.ini for the | |
| 33 following headers: | |
| 34 | |
| 35 # Analyze the ``Referer`` HTTP header to make sure it | |
| 36 includes the web setting. | |
| 37 # Analyse the ``Origin`` HTTP header to make sure the | |
| 38 schema://host matches the web setting. | |
| 39 # Analyze the ``X-Forwarded-Host`` header set by a proxy | |
| 40 running in front of roundup to make sure it agrees with | |
| 41 the host part of the web setting. | |
| 42 # Analyze the ``Host`` header to make sure it agrees with | |
| 43 the host part of the web setting. This is not done if | |
| 44 ``X-Forwarded-Host`` is set. | |
| 45 | |
| 46 By default roundup 1.6 does not require any specific header | |
| 47 to be present. However at least one of the headers above | |
| 48 *must* pass validation checks (usually ``Host`` or | |
| 49 ``Referer``) or the submission is rejected with an error. | |
| 50 If any header fails validation, the submission is | |
| 51 rejected. (Note the user's form keeps all the data they | |
| 52 entered if it was rejected.) | |
| 53 | |
| 54 Also the admin can include unique csrf tokens for all forms | |
| 55 submitted via post (delete and put methods are also | |
| 56 included, but not currently used by roundup)). The csrf | |
| 57 token (nonce) is tied to the user's session. When the user | |
| 58 submits the form and nonce, the nonce is checked to make | |
| 59 sure it was issued to the user and the same session. If this | |
| 60 is not true the post is rejected and the user is notified. | |
| 61 | |
| 62 The standard context/submit templating item creates CSRF | |
| 63 tokens by default. If you have forms that are not using the | |
| 64 standard submit routine, you should add the following field | |
| 65 to all forms: | |
| 66 | |
| 67 <input name="@csrf" type="hidden" | |
| 68 tal:attributes="value python:utils.anti_csrf_nonce()"> | |
| 69 | |
| 70 A unique random token is generated by every call to | |
| 71 utils.anti_csrf_nonce() and is put in a database to be | |
| 72 retreived if the token is used. Token lifetimes are 2 weeks | |
| 73 by default but can be configured in config.ini. Roundup will | |
| 74 automatically prune old tokens. Calling anti_csrf_nonce with | |
| 75 an integer lifetime, for example | |
| 76 | |
| 77 <input name="@csrf" type="hidden" | |
| 78 tal:attributes="value python:utils.anti_csrf_nonce(lifetime=10)"> | |
| 79 | |
| 80 sets the lifetime of that nonce to 10 minutes. | |
| 81 | |
| 82 If you want to change the default settings, you have to | |
| 83 update the web section in your tracker's config.ini's. To do | |
| 84 this backup your existing config.ini. Run: | |
| 85 | |
| 86 roundup-admin -i /path/to/tracker genconfig config.ini.new | |
| 87 | |
| 88 to create a new config.ini in the file config.ini.new. Then | |
| 89 merge the new csrf settings into your tracker's config. | |
| 90 Look for settings that start with csrf. The config.ini.new | |
| 91 file includes detailed descriptions of the settings. | |
| 92 | |
| 93 In general one of four values can be set for these | |
| 94 settings. The default is ``yes``, which validates the header | |
| 95 or nonce and blocks access if the validation fails. If the | |
| 96 field/header is missing it allows access. Setting these | |
| 97 fields to ``required`` blocks access if the header/nonce is | |
| 98 missing. | |
| 99 | |
| 100 It is suggested that you change your templates so every form | |
| 101 has an @csrf field and change the setting to 'required' for | |
| 102 the csrf_enforce_token. | |
| 25 | 103 |
| 26 Fix for path traversal changes template resolution | 104 Fix for path traversal changes template resolution |
| 27 -------------------------------------------------- | 105 -------------------------------------------------- |
| 28 | 106 |
| 29 The templates in the tracker's html subdirectory must not be | 107 The templates in the tracker's html subdirectory must not be |