Mercurial > p > roundup > code
comparison roundup/configuration.py @ 5201:a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
and
https://seclab.stanford.edu/websec/csrf/csrf.pdf
Basically implement Synchronizer (CSRF) Tokens per form on a page.
Single use (destroyed once used). Random input data for the token
includes:
system random implementation in python using /dev/urandom
(fallback to random based on timestamp as the seed. Not
as good, but should be ok for the short lifetime of the
token??)
the id (in cpython it's the memory address) of the object
requesting a token. In theory this depends on memory layout, the
history of the process (how many previous objects have been
allocated from the heap etc.) I claim without any proof that for
long running processes this is another source of randomness. For
short running processes with little activity it could be guessed.
last the floating point time.time() value is added. This may
only have 1 second resolution so may be guessable.
Hopefully for a short lived (2 week by default) token this is
sufficient. Also in the current implementation the user is notified when
validation fails and is told why. This allows the roundup admin to find
the log entry (at error level) and try to resolve the issue. In the
future user notification may change but for now this is probably best.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 18 Mar 2017 16:59:01 -0400 |
| parents | 7aebd892b600 |
| children | d4cc71beb102 |
comparison
equal
deleted
inserted
replaced
| 5200:16a8a3f0772c | 5201:a9ace22e0a2f |
|---|---|
| 287 class_description = "Allowed values: yes, no, new" | 287 class_description = "Allowed values: yes, no, new" |
| 288 | 288 |
| 289 def str2value(self, value): | 289 def str2value(self, value): |
| 290 _val = value.lower() | 290 _val = value.lower() |
| 291 if _val in ("yes", "no", "new"): | 291 if _val in ("yes", "no", "new"): |
| 292 return _val | |
| 293 else: | |
| 294 raise OptionValueError(self, value, self.class_description) | |
| 295 | |
| 296 class CsrfSettingOption(Option): | |
| 297 | |
| 298 """How should a csrf measure be enforced: required, yes, logfailure, no""" | |
| 299 | |
| 300 class_description = "Allowed values: required, yes, logfailure, no" | |
| 301 | |
| 302 def str2value(self, value): | |
| 303 _val = value.lower() | |
| 304 if _val in ("required", "yes", "logfailure", "no"): | |
| 292 return _val | 305 return _val |
| 293 else: | 306 else: |
| 294 raise OptionValueError(self, value, self.class_description) | 307 raise OptionValueError(self, value, self.class_description) |
| 295 | 308 |
| 296 class EmailBodyOption(Option): | 309 class EmailBodyOption(Option): |
| 631 "Whether to use HTTP Basic Authentication, if present.\n" | 644 "Whether to use HTTP Basic Authentication, if present.\n" |
| 632 "Roundup will use either the REMOTE_USER or HTTP_AUTHORIZATION\n" | 645 "Roundup will use either the REMOTE_USER or HTTP_AUTHORIZATION\n" |
| 633 "variables supplied by your web server (in that order).\n" | 646 "variables supplied by your web server (in that order).\n" |
| 634 "Set this option to 'no' if you do not wish to use HTTP Basic\n" | 647 "Set this option to 'no' if you do not wish to use HTTP Basic\n" |
| 635 "Authentication in your web interface."), | 648 "Authentication in your web interface."), |
| 649 (CsrfSettingOption, 'csrf_enforce_token', "yes", | |
| 650 """How do we deal with @csrf fields in posted forms. | |
| 651 Set this to 'required' to block the post and notify | |
| 652 the user if the field is missing or invalid. | |
| 653 Set this to 'yes' to block the post and notify the user | |
| 654 if the token is invalid, but accept the form if | |
| 655 the field is missing | |
| 656 Set this to 'logfailure' to log a notice to the roundup | |
| 657 log if the field is invalid or missing, but accept | |
| 658 the post. | |
| 659 Set this to 'no' to ignore the field and accept the post. | |
| 660 """), | |
| 661 (IntegerNumberOption, 'csrf_token_lifetime', "20160", | |
| 662 """csrf_tokens have a limited lifetime. If they are not | |
| 663 used they are purged from the database after this | |
| 664 number of minutes. Default (20160) is 2 weeks."""), | |
| 665 (CsrfSettingOption, 'csrf_enforce_token', "yes", | |
| 666 """How do we deal with @csrf fields in posted forms. | |
| 667 Set this to 'required' to block the post and notify | |
| 668 the user if the field is missing or invalid. | |
| 669 Set this to 'yes' to block the post and notify the user | |
| 670 if the token is invalid, but accept the form if | |
| 671 the field is missing | |
| 672 Set this to 'logfailure' to log a notice to the roundup | |
| 673 log if the field is invalid or missing, but accept | |
| 674 the post. | |
| 675 Set this to 'no' to ignore the field and accept the post. | |
| 676 """), | |
| 677 (CsrfSettingOption, 'csrf_enforce_header_X-REQUESTED-WITH', "yes", | |
| 678 """This is only used for xmlrpc requests. This test is | |
| 679 done after Origin and Referer headers are checked. It only | |
| 680 verifies that the X-Requested-With header exists. The value | |
| 681 is ignored. | |
| 682 Set this to 'required' to block the post and notify | |
| 683 the user if the header is missing or invalid. | |
| 684 Set this to 'yes' is the same as required. | |
| 685 Set this to 'logfailure' is the same as 'no'. | |
| 686 Set this to 'no' to ignore the header and accept the post."""), | |
| 687 (CsrfSettingOption, 'csrf_enforce_header_referer', "yes", | |
| 688 """Verify that the Referer http header matches the | |
| 689 tracker.web setting in config.ini. | |
| 690 Set this to 'required' to block the post and notify | |
| 691 the user if the header is missing or invalid. | |
| 692 Set this to 'yes' to block the post and notify the user | |
| 693 if the header is invalid, but accept the form if | |
| 694 the field is missing | |
| 695 Set this to 'logfalure' to log a notice to the roundup | |
| 696 log if the header is invalid or missing, but accept | |
| 697 the post. | |
| 698 Set this to 'no' to ignore the header and accept the post."""), | |
| 699 (CsrfSettingOption, 'csrf_enforce_header_origin', "yes", | |
| 700 """Verify that the Origin http header matches the | |
| 701 tracker.web setting in config.ini. | |
| 702 Set this to 'required' to block the post and notify | |
| 703 the user if the header is missing or invalid. | |
| 704 Set this to 'yes' to block the post and notify the user | |
| 705 if the header is invalid, but accept the form if | |
| 706 the field is missing | |
| 707 Set this to 'logfailure' to log a notice to the roundup | |
| 708 log if the header is invalid or missing, but accept | |
| 709 the post. | |
| 710 Set this to 'no' to ignore the header and accept the post."""), | |
| 711 (CsrfSettingOption, 'csrf_enforce_header_x-forwarded-host', "yes", | |
| 712 """Verify that the X-Forwarded-Host http header matches | |
| 713 the host part of the tracker.web setting in config.ini. | |
| 714 Set this to 'required' to block the post and notify | |
| 715 the user if the header is missing or invalid. | |
| 716 Set this to 'yes' to block the post and notify the user | |
| 717 if the header is invalid, but accept the form if | |
| 718 the field is missing | |
| 719 Set this to 'logfailure' to log a notice to the roundup | |
| 720 log if the header is invalid or missing, but accept | |
| 721 the post. | |
| 722 Set this to 'no' to ignore the header and accept the post."""), | |
| 723 (CsrfSettingOption, 'csrf_enforce_header_host', "yes", | |
| 724 """"If there is no X-Forward-Host header, verify that | |
| 725 the Host http header matches the host part of the | |
| 726 tracker.web setting in config.ini. | |
| 727 Set this to 'required' to block the post and notify | |
| 728 the user if the header is missing or invalid. | |
| 729 Set this to 'yes' to block the post and notify the user | |
| 730 if the header is invalid, but accept the form if | |
| 731 the field is missing | |
| 732 Set this to 'logfailure' to log a notice to the roundup | |
| 733 log if the header is invalid or missing, but accept | |
| 734 the post. | |
| 735 Set this to 'no' to ignore the header and accept the post."""), | |
| 736 (IntegerNumberOption, 'csrf_header_min_count', "1", | |
| 737 """Minimum number of header checks that must pass | |
| 738 to accept the request. Set to 0 to accept post | |
| 739 even if no header checks pass. Usually the Host header check | |
| 740 always passes, so setting it less than 1 is not recommended."""), | |
| 636 (BooleanOption, 'use_browser_language', "yes", | 741 (BooleanOption, 'use_browser_language', "yes", |
| 637 "Whether to use HTTP Accept-Language, if present.\n" | 742 "Whether to use HTTP Accept-Language, if present.\n" |
| 638 "Browsers send a language-region preference list.\n" | 743 "Browsers send a language-region preference list.\n" |
| 639 "It's usually set in the client's browser or in their\n" | 744 "It's usually set in the client's browser or in their\n" |
| 640 "Operating System.\n" | 745 "Operating System.\n" |