Mercurial > p > roundup > code
view doc/CVE.txt @ 8411:ef1ea918b07a reauth-confirm_id
feat(security): Add user confirmation/reauth for sensitive changes
Auditors can raise Reauth(reason) exception to require the user to
enter a token (e.g. account password) to verify the user is performing
the change.
Naming is subject to change.
actions.py: New ReauthAction class handler and verifyPassword() method
for overriding if needed.
client.py: Handle Reauth exception by calling Client:reauth() method.
Default client:reauth method. Add 'reauth' action declaration.
exceptions.py: Define and document Reauth exception as a subclass of
RoundupCGIException.
templating.py: Define method utils.embed_form_fields().
The original form making a change to the database has a lot of form
fields. These need to be resubmitted to Roundup as part of the form
submission that verifies the user's password.
This method turns all non file form fields into type=hidden inputs.
It escapes the names and values to prevent XSS.
For file form fields, it base64 encodes the contents and puts them
in hidden pre blocks. The pre blocks have data attributes for the
filename, filetype and the original field name. (Note the original
field name is not used.)
This stops the file content data (maybe binary e.g. jpegs) from
breaking the html page. The reauth template runs JavaScript that
turns the encoded data inside the pre tags back into a file. Then
it adds a multiple file input control to the page and attaches all
the files to it. This file input is submitted with the rest of the
fields.
_generic.reauth.html (multiple tracker templates): Generates a form
with id=reauth_form to:
display any message from the Reauth exception to the user (e.g. why
user is asked to auth).
get the user's password
submit the form
embed all the form data that triggered the reauth
recreate any file data that was submitted as part of the form and
generate a new file input to push the data to the back end
It has the JavaScript routine (as an IIFE) that regenerates a file
input without user intervention.
All the TAL based tracker templates use the same form. There is also
one for the jinja2 template. The JavaScript for both is the same.
reference.txt: document embed_form_fields utility method.
upgrading.txt: initial upgrading docs.
TODO:
Finalize naming. I am leaning toward ConfirmID rather than Reauth.
Still looking for a standard name for this workflow.
Externalize the javascript in _generic.reauth.html to a seperate file
and use utils.readfile() to embed it or change the script to load it
from a @@file url.
Clean up upgrading.txt with just steps to implement and less feature
detail/internals.
Document internals/troubleshooting in reference.txt.
Add tests using live server.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Mon, 11 Aug 2025 14:01:12 -0400 |
| parents | d6b447de4f59 |
| children |
line wrap: on
line source
.. comments: This file is a temporary way to post CVE notifications before a release. Document the CVE fix info in upgrading.txt. We extract the sections from upgrading.txt that deal with the CVE into a separate CVE.html. An updated docs/security.html and docs/CVE.html provide the details on a between release CVE announcment. Publishing upgrading.txt would include info on the to be released roundup software and wouldn't match the rest of the release docs. To extract the info from upgrading.txt to use in CVE.html, add a commented out a reference anchor in upgrading.txt. Then in CVE.txt we use an include directive with start-after and end-before options to exract the sections from upgrading.txt into CVE.html. The extracted section in CVE.txt gets the same anchor that is in upgrading.txt, but is is not commented out. This allows us to swap out CVE.txt and uncomment the reference in upgrading.txt. Then rerunning sphinx-build will make security.html point to the sections in upgrading.html. For example, in upgrading.txt add a .. comment: _CVE-2024-39124: before the section for the CVE (use the real CVE number). At the end of the CVE section add an end comment: .. comment: end of CVE include marker Update security.txt with a :ref: to the CVE section. E.G. a security.txt references look like: * `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing tracker homes. where <CVE-2024-39124> is the reference. The same reference anchor is present (commented out) in upgrading.txt. In CVE.txt you replicate the existing anchor and include to extract the content section from upgrading.txt. E.G. .. _CVE-2024-39124: .. include:: upgrading.txt :start-after: .. comment: _CVE-2024-39124: :end-before: .. comment: end of CVE After building the docs, install docs/security.html and docs/CVE.html on the web site. Reference: https://www.roundup-tracker.org/docs/security.html in the CVE announcement from Mitre. When the release is ready, replace 'comment: _CVE' with '_CVE' in upgrading.txt. This makes the anchors in upgrading.txt live. Then disable CVE.txt by removing CVE.txt from contents.txt in the toctree hidden section. Also add docs/CVE.txt to exclude_patterns in conf.py. No change needs to happen to security.txt as it's using a :ref: and we just changed the location for the ref so sphinx will get the links correct. Now build the docs and publish to the web site. =========== Roundup CVE =========== This is a list of remediation for CVE's that are not fixed in the latest release. When the latest release fixes the CVE, see `the upgrading doc <upgrading.html>`_ for these details. .. contents:: :local: :depth: 2 .. _CVE-2024-39124: .. note:: Prior to the release of Roundup 2.4.0, you can access updated tracker templates that address CVE-2024-39124 from `CVE-2024-39124-templates.zip <../CVE-2024-39124-templates.zip>`_. Download and extract the zip file to generate a templates subdirectory containing the classic, minimal and other tracker templates. .. include:: upgrading.txt :start-after: .. comment: _CVE-2024-39124: :end-before: .. comment: .. _CVE-2024-39125: .. include:: upgrading.txt :start-after: .. comment: _CVE-2024-39125: :end-before: .. comment: .. _CVE-2024-39126: .. include:: upgrading.txt :start-after: .. comment: _CVE-2024-39126: :end-before: .. comment: end of CVE include marker