Mercurial > p > roundup > code
view test/tx_Source_detector.py @ 5201:a9ace22e0a2f
issue 2550690 - Adding anti-csrf measures to roundup following
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
and
https://seclab.stanford.edu/websec/csrf/csrf.pdf
Basically implement Synchronizer (CSRF) Tokens per form on a page.
Single use (destroyed once used). Random input data for the token
includes:
system random implementation in python using /dev/urandom
(fallback to random based on timestamp as the seed. Not
as good, but should be ok for the short lifetime of the
token??)
the id (in cpython it's the memory address) of the object
requesting a token. In theory this depends on memory layout, the
history of the process (how many previous objects have been
allocated from the heap etc.) I claim without any proof that for
long running processes this is another source of randomness. For
short running processes with little activity it could be guessed.
last the floating point time.time() value is added. This may
only have 1 second resolution so may be guessable.
Hopefully for a short lived (2 week by default) token this is
sufficient. Also in the current implementation the user is notified when
validation fails and is told why. This allows the roundup admin to find
the log entry (at error level) and try to resolve the issue. In the
future user notification may change but for now this is probably best.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 18 Mar 2017 16:59:01 -0400 |
| parents | 6e9b9743de89 |
| children | 64b05e24dbd8 |
line wrap: on
line source
# # Example output when the web interface changes item 3 and the email # (non pgp) interface changes item 4: # # tx_SourceCheckAudit(3) pre db.tx_Source: cgi # tx_SourceCheckAudit(4) pre db.tx_Source: email # tx_SourceCheckAudit(3) post db.tx_Source: cgi # tx_SourceCheckAudit(4) post db.tx_Source: email # tx_SourceCheckReact(4) pre db.tx_Source: email # tx_SourceCheckReact(4) post db.tx_Source: email # tx_SourceCheckReact(3) pre db.tx_Source: cgi # tx_SourceCheckReact(3) post db.tx_Source: cgi # # Note that the calls are interleaved, but the proper # tx_Source is associated with the same ticket. import time as time def tx_SourceCheckAudit(db, cl, nodeid, newvalues): ''' An auditor to print the value of the source of the transaction that trigger this change. The sleep call is used to delay the transaction so that multiple changes will overlap. The expected output from this detector are 2 lines with the same value for tx_Source. Tx source is: None - Reported when using a script or it is an error if the change arrives by another method. "cli" - reported when using roundup-admin "web" - reported when using any web based technique "email" - reported when using an unautheticated email based technique "email-sig-openpgp" - reported when email with a valid pgp signature is used ''' if __debug__ and False: print "\n tx_SourceCheckAudit(%s) db.tx_Source: %s"%(nodeid, db.tx_Source) newvalues['tx_Source'] = db.tx_Source # example use for real to prevent a change from happening if it's # submited via email # # if db.tx_Source == "email": # raise Reject, 'Change not allowed via email' def tx_SourceCheckReact(db, cl, nodeid, oldvalues): ''' An reactor to print the value of the source of the transaction that trigger this change. The sleep call is used to delay the transaction so that multiple changes will overlap. The expected output from this detector are 2 lines with the same value for tx_Source. Tx source is: None - Reported when using a script or it is an error if the change arrives by another method. "cli" - reported when using roundup-admin "web" - reported when using any web based technique "email" - reported when using an unautheticated email based technique "email-sig-openpgp" - reported when email with a valid pgp signature is used ''' if __debug__ and False: print " tx_SourceCheckReact(%s) db.tx_Source: %s"%(nodeid, db.tx_Source) def init(db): db.issue.audit('create', tx_SourceCheckAudit) db.issue.audit('set', tx_SourceCheckAudit) db.issue.react('set', tx_SourceCheckReact) db.issue.react('create', tx_SourceCheckReact) db.msg.audit('create', tx_SourceCheckAudit)