Mercurial > p > roundup > code
view roundup/cgi/KeywordsExpr.py @ 8575:b1024bf0d9f7
feature: add nonceless/tokenless CSRF protection
Add tokenless CSRF protection following:
https://words.filippo.io/csrf/
Must be enabled using use_tokenless_csrf_protection in config.ini. By
default it's off. If enabled the older csrf_* settings are ignored.
The allowed_api_origins setting is still used for Origin comparisons.
This should also improve performance as a nonce isn't required so
generating random nonce and saving it to the otks database is
eliminated.
doc/admin_guide.txt, doc/reference.txt doc/upgrading.txt
doc updates.
roundup/configuration.py
add use_tokenless_csrf_protection setting.
move allowed_api_origins directly after
use_tokenless_csrf_protection and before the older csrf_* settings.
It's used by both of them.
Rewrite description of allowed_api_origins as its applied to all
URLs with tokenless protection, not just API URLs.
roundup/anypy/urllib_.py
import urlsplit, it is used in new code.
urlparse() is less efficient and splits params out of the path
component.
Since Roundup doesn't require that params be split from the path. I
expect future patch will replace urlparse() with urlsplit() globally
and not need urlparse().
roundup/cgi/client.py
add handle_csrf_tokenless() and call from handle_csrf() if
use_tokenless_csrf_protection is enabled.
refactor code that expires csrf tokens when used with the wrong
methods (i.e. GET) into expire_exposed_keys(). Call same from
handle_csrf and handle_csrf_tokenless. Also improve logging if this
happens including both Referer and Origin headers if available.
Arguably we dont care about CSRF tokens exposed via
GET/HEAD/OPTIONS in the tokenless case, but this cleans them up in
case the admin has to switch back. At some future date we can
delete all the nonce based CSRF from 2018.
Update handle_csrf() docstring about calling/returning
handle_csrf_tokenless() when enabled. Call
expire_exposed_keys(method) if token is supplied with wrong method.
roundup/cgi/templating.py
disable nonce generation/save and always return "0" when
use_tokenless_csrf_protection enabled.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 19 Apr 2026 20:50:07 -0400 |
| parents | 07ce4e4110f5 |
| children |
line wrap: on
line source
# This module is free software, you may redistribute it # and/or modify under the same terms as Python. WINDOW_CONTENT = r''' <h3>Keyword Expression Editor:</h3> <hr/> <div id="content"></div> <script nonce="%(nonce)s" type="text/javascript"> <!-- var NOT_OP = "-2"; var AND_OP = "-3"; var OR_OP = "-4"; var original = "%(original)s"; var current = original; var undo = []; var KEYWORDS = [ %(keywords)s ]; function find_keyword(x) { for (var i = 0; i < KEYWORDS.length; ++i) { if (KEYWORDS[i][0] == x) { return KEYWORDS[i][1]; } } return "unknown"; } function Equals(x) { this.x = x; this.brackets = false; this.infix = function() { return find_keyword(this.x); } this.postfix = function() { return this.x; } } function Not(x) { this.x = x; this.brackets = false; this.infix = function() { return this.x.brackets ? "NOT(" + this.x.infix() + ")" : "NOT " + this.x.infix(); } this.postfix = function() { return this.x.postfix() + "," + NOT_OP; } } function And(x, y) { this.x = x; this.y = y; this.brackets = true; this.infix = function() { var a = this.x.brackets ? "(" + this.x.infix() + ")" : this.x.infix(); var b = this.y.brackets ? "(" + this.y.infix() + ")" : this.y.infix(); return a + " AND " + b; } this.postfix = function() { return this.x.postfix() + "," + this.y.postfix() + "," + AND_OP; } } function Or(x, y) { this.x = x; this.y = y; this.brackets = true; this.infix = function() { var a = this.x.brackets ? "(" + this.x.infix() + ")" : this.x.infix(); var b = this.y.brackets ? "(" + this.y.infix() + ")" : this.y.infix(); return a + " OR " + b; } this.postfix = function() { return this.x.postfix() + "," + this.y.postfix() + "," + OR_OP; } } function trim(s) { return s.replace (/^\s+/, '').replace(/\s+$/, ''); } function parse(s) { var operators = s.split(","); var stack = []; for (var i = 0; i < operators.length; ++i) { var operator = trim(operators[i]); if (operator == "") continue; if (operator == NOT_OP) { stack.push(new Not(stack.pop())); } else if (operator == AND_OP) { var a = stack.pop(); var b = stack.pop(); stack.push(new And(b, a)); } else if (operator == OR_OP) { var a = stack.pop(); var b = stack.pop(); stack.push(new Or(b, a)); } else { stack.push(new Equals(operator)); } } return stack.length > 0 ? stack.pop() : null; } function render_select(handler) { var out = '<select name="keyword" id="keyword"'; if (handler != null) { out += ' onchange="' + handler + '"'; } out += '>'; out += '<option value="-1"><\/option>'; for (var i = 0; i < KEYWORDS.length; ++i) { out += '<option value="' + KEYWORDS[i][0] + '">' + KEYWORDS[i][1] + "<\/option>"; } out += '<\/select>'; return out; } function first_select() { var value = document.getElementById("keyword").value; current = value; set_content(); } function not_clicked() { var expr = parse(current); if (expr == null) return; undo.push(current); current = expr instanceof Not ? expr.x.postfix() : new Not(expr).postfix(); set_content(); } function not_b_wrap(expr) { var value = document.getElementById("not_b").checked; return value ? new Not(expr) : expr; } function and_clicked() { var expr = parse(current); if (expr == null) return; var value = document.getElementById("keyword").value; if (value == "-1") return; undo.push(current); current = new And(expr, not_b_wrap(new Equals(value))).postfix(); set_content(); } function or_clicked() { var expr = parse(current); if (expr == null) return; var value = document.getElementById("keyword").value; if (value == "-1") return; undo.push(current); current = new Or(expr, not_b_wrap(new Equals(value))).postfix(); set_content(); } function undo_clicked() { current = undo.length > 0 ? undo.pop() : original; set_content(); } function enable_and_or() { var value = document.getElementById("keyword").value; value = value == "-1"; document.getElementById("and").disabled = value; document.getElementById("or").disabled = value; document.getElementById("not_b").disabled = value; } function create() { var expr = parse(current); var out = ""; if (expr == null) { out += "Keyword: "; out += render_select("first_select();"); } else { out += '<table><tr>' out += '<td><input type="button" name="not" onclick="not_clicked();" value="NOT"\/><\/td>'; out += "<td><tt><strong>" + expr.infix() + "<\/strong><\/tt><\/td>"; out += '<td><table>'; out += '<tr><td><input type="button" id="and" name="and" onclick="and_clicked();"' + ' value="AND" disabled="disabled"\/><\/td><\/tr>'; out += '<tr><td><input type="button" id="or" name="or" onclick="or_clicked();"' + ' value="OR" disabled="disabled"\/><\/td><\/tr>'; out += '<\/table><\/td>'; out += '<td><label for="not_b">NOT<\/label><br/>' + '<input type="checkbox" name="not_b" id="not_b" disabled="disabled"\/><\/td>'; out += '<td>' + render_select("enable_and_or();") + '<\/td>'; out += '<\/tr><\/table>' } out += '<hr\/>'; if (undo.length > 0 || (undo.length == 0 && current != original)) { out += '<input type="button" onclick="undo_clicked();" value="Undo"\/>'; } out += '<input type="button" onclick="modify_main();" value="Apply"\/>' + '<input type="button" onclick="window.close();" value="Close Window"\/>'; return out; } function main_display() { var out = ''; out += '<span id="display_%(prop)s">' + parse(current).infix() + '<\/span>'; return out; } function main_input() { var out = ''; out += '<input type="hidden" name="%(prop)s" value="' + current + '"\/>'; return out; } function modify_main() { /* if display form of expression exists, overwrite */ display = window.opener.document.getElementById('display_%(prop)s'); if ( display ) { display.outerHTML = main_display(); } /* overwrite select if present, otherwise overwrite the hidden input */ input = window.opener.document.querySelector('select[name="%(prop)s"]'); if (! input) { input = window.opener.document.querySelector('input[name="%(prop)s"]'); } /* if display exists, only update hidden input. If display doesn't exist, inject both hidden input and display. */ if ( display ) { content = main_input(); } else { content = main_input() + main_display(); } input.outerHTML = content; } function set_content() { document.getElementById("content").innerHTML = create(); } set_content(); //--> </script> ''' def list_nodes(request): prop = request.form.getfirst("property") cls = request.client.db.getclass(prop) items = [] for nodeid in cls.getnodeids(retired=0): l = cls.getnode(nodeid).items() l = dict([x for x in l if len(x) == 2]) try: items.append((l['id'], l['name'])) except KeyError: pass items.sort(key=lambda x: int(x[0])) return items def items_to_keywords(items): return ',\n '.join(['["%s", "%s"]' % x for x in items]) def render_keywords_expression_editor(request): prop = request.form.getfirst("property") window_content = WINDOW_CONTENT % { 'prop': prop, 'keywords': items_to_keywords(list_nodes(request)), 'original': '', 'nonce': request.client.client_nonce } return window_content # vim: set et sts=4 sw=4 :