Mercurial > p > roundup > code
diff roundup/cgi/client.py @ 8265:35beff316883
fix(api): issue2551384. Verify REST authorization earlier
To reduce the ability of bad actors to spam (DOS) the REST endpoint
with bad data and generate logs meant for debugging, modify the flow
in client.py's REST handler to verify authorization earlier.
If the anonymous user is allowed to use REST, this won't make a
difference for a DOS attempt. The templates don't enable REST for the
anonymous user by default. Most admins don't change this.
The validation order for REST requests has been changed.
CORS identfied an handled
User authorization to use REST (return 403 on failure)
REST request validated (Origin header valid etc.) (return 400 for
bad request)
Incorrectly formatted CORS preflight requests (e.g. missing Origin
header) that are not recogized as a CORS request can now return HTTP
status 403 as well as status 400 (when anonymous is allowed
access). Note all CORS preflights are sent without authentication so
appear as anonymous requests.
The tests were updated to compensate, but it is not obvious to me from
specs what the proper evaulation order/return codes should be for this
case. Both 403/400 are failures and cause CORS to fail so there should
be no difference but...
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 09 Jan 2025 09:30:08 -0500 |
| parents | 28c5030757d3 |
| children | 7f0c7966d204 |
line wrap: on
line diff
--- a/roundup/cgi/client.py Wed Jan 08 11:39:54 2025 -0500 +++ b/roundup/cgi/client.py Thu Jan 09 09:30:08 2025 -0500 @@ -677,8 +677,11 @@ def is_cors_preflight(self): return ( self.env['REQUEST_METHOD'] == "OPTIONS" + and self.request.headers.get("Access-Control-Request-Method") + # technically Access-Control-Request-Headers (ACRH) is + # optional, but we require the header x-requested-with, + # so ACRH will be present. and self.request.headers.get("Access-Control-Request-Headers") - and self.request.headers.get("Access-Control-Request-Method") and self.request.headers.get("Origin")) def handle_preflight(self): @@ -721,6 +724,30 @@ status=http_.client.TOO_MANY_REQUESTS) return + # Handle CORS preflight request. We know rest is enabled + # because handle_rest is called. Preflight requests + # are unauthenticated, so no need to check permissions. + if (self.is_cors_preflight()): + # Origin header must be defined to get here + if self.is_origin_header_ok(api=True): + self.handle_preflight() + else: + # origin is not authorized for REST + msg = self._("Client is not allowed to use Rest Interface.") + output = s2b( + '{ "error": { "status": 400, "msg": "%s" } }' % msg) + self.reject_request(output, + message_type="application/json", + status=400) + return + + if not self.db.security.hasPermission('Rest Access', self.userid): + output = s2b('{ "error": { "status": 403, "msg": "Forbidden." } }') + self.reject_request(output, + message_type="application/json", + status=403) + return + # verify Origin is allowed on all requests including GET. # If a GET, missing origin is allowed (i.e. same site GET request) if not self.is_origin_header_ok(api=True): @@ -753,20 +780,6 @@ "origin": self.env.get('HTTP_ORIGIN', None)}) return - # Handle CORS preflight request. We know rest is enabled - # because handle_rest is called. Preflight requests - # are unauthenticated, so no need to check permissions. - if (self.is_cors_preflight()): - self.handle_preflight() - return - - if not self.db.security.hasPermission('Rest Access', self.userid): - output = s2b('{ "error": { "status": 403, "msg": "Forbidden." } }') - self.reject_request(output, - message_type="application/json", - status=403) - return - self.check_anonymous_access() try: