# HG changeset patch # User John Rouillard # Date 1736433008 18000 # Node ID 35beff3168834a58b57bea4ac44ac499ba7942ab # Parent 09e8d1a4c796f8d2f363a02cec012b3a06d16d83 fix(api): issue2551384. Verify REST authorization earlier To reduce the ability of bad actors to spam (DOS) the REST endpoint with bad data and generate logs meant for debugging, modify the flow in client.py's REST handler to verify authorization earlier. If the anonymous user is allowed to use REST, this won't make a difference for a DOS attempt. The templates don't enable REST for the anonymous user by default. Most admins don't change this. The validation order for REST requests has been changed. CORS identfied an handled User authorization to use REST (return 403 on failure) REST request validated (Origin header valid etc.) (return 400 for bad request) Incorrectly formatted CORS preflight requests (e.g. missing Origin header) that are not recogized as a CORS request can now return HTTP status 403 as well as status 400 (when anonymous is allowed access). Note all CORS preflights are sent without authentication so appear as anonymous requests. The tests were updated to compensate, but it is not obvious to me from specs what the proper evaulation order/return codes should be for this case. Both 403/400 are failures and cause CORS to fail so there should be no difference but... diff -r 09e8d1a4c796 -r 35beff316883 CHANGES.txt --- a/CHANGES.txt Wed Jan 08 11:39:54 2025 -0500 +++ b/CHANGES.txt Thu Jan 09 09:30:08 2025 -0500 @@ -60,6 +60,13 @@ on command line. (John Rouillard) - issue2551374 - Add error handling for filter expressions. Filter expression errors are now reported. (John Rouillard) +- issue2551384: Modify flow in client.py's REST handler to verify + authorization earlier. The validation order for REST requests + has been changed. Checking user authorization to use the REST + interface is done before validating the Origin header. As a + result, incorrectly formatted CORS preflight requests + (e.g. missing Origin header) can now return HTTP status 403 as + well as status 400. (John Rouillard) Features: diff -r 09e8d1a4c796 -r 35beff316883 doc/upgrading.txt --- a/doc/upgrading.txt Wed Jan 08 11:39:54 2025 -0500 +++ b/doc/upgrading.txt Thu Jan 09 09:30:08 2025 -0500 @@ -224,6 +224,17 @@ .. _defusedxml: https://pypi.org/project/defusedxml/ +Change in REST response for invalid CORS requests (info) +-------------------------------------------------------- + +CORS_ preflight requests that are missing required headers can +now result in either a 403 or 400 error code. If you permit +anonymous users to access the REST interface, a 400 error may +still occur. Previously, only a 400 error was given. This change +is not expected to create issues since the client will recognize +both codes it as an error response, and the CORS request will +still fail. + More secure session cookie handling (info) ------------------------------------------ diff -r 09e8d1a4c796 -r 35beff316883 roundup/cgi/client.py --- a/roundup/cgi/client.py Wed Jan 08 11:39:54 2025 -0500 +++ b/roundup/cgi/client.py Thu Jan 09 09:30:08 2025 -0500 @@ -677,8 +677,11 @@ def is_cors_preflight(self): return ( self.env['REQUEST_METHOD'] == "OPTIONS" + and self.request.headers.get("Access-Control-Request-Method") + # technically Access-Control-Request-Headers (ACRH) is + # optional, but we require the header x-requested-with, + # so ACRH will be present. and self.request.headers.get("Access-Control-Request-Headers") - and self.request.headers.get("Access-Control-Request-Method") and self.request.headers.get("Origin")) def handle_preflight(self): @@ -721,6 +724,30 @@ status=http_.client.TOO_MANY_REQUESTS) return + # Handle CORS preflight request. We know rest is enabled + # because handle_rest is called. Preflight requests + # are unauthenticated, so no need to check permissions. + if (self.is_cors_preflight()): + # Origin header must be defined to get here + if self.is_origin_header_ok(api=True): + self.handle_preflight() + else: + # origin is not authorized for REST + msg = self._("Client is not allowed to use Rest Interface.") + output = s2b( + '{ "error": { "status": 400, "msg": "%s" } }' % msg) + self.reject_request(output, + message_type="application/json", + status=400) + return + + if not self.db.security.hasPermission('Rest Access', self.userid): + output = s2b('{ "error": { "status": 403, "msg": "Forbidden." } }') + self.reject_request(output, + message_type="application/json", + status=403) + return + # verify Origin is allowed on all requests including GET. # If a GET, missing origin is allowed (i.e. same site GET request) if not self.is_origin_header_ok(api=True): @@ -753,20 +780,6 @@ "origin": self.env.get('HTTP_ORIGIN', None)}) return - # Handle CORS preflight request. We know rest is enabled - # because handle_rest is called. Preflight requests - # are unauthenticated, so no need to check permissions. - if (self.is_cors_preflight()): - self.handle_preflight() - return - - if not self.db.security.hasPermission('Rest Access', self.userid): - output = s2b('{ "error": { "status": 403, "msg": "Forbidden." } }') - self.reject_request(output, - message_type="application/json", - status=403) - return - self.check_anonymous_access() try: diff -r 09e8d1a4c796 -r 35beff316883 test/test_cgi.py --- a/test/test_cgi.py Wed Jan 08 11:39:54 2025 -0500 +++ b/test/test_cgi.py Thu Jan 09 09:30:08 2025 -0500 @@ -1360,7 +1360,7 @@ cl.additional_headers ) - self.assertEqual(cl.response_code, 400) + self.assertEqual(cl.response_code, 403) del(out[0]) # origin not set to allowed value diff -r 09e8d1a4c796 -r 35beff316883 test/test_liveserver.py --- a/test/test_liveserver.py Wed Jan 08 11:39:54 2025 -0500 +++ b/test/test_liveserver.py Thu Jan 09 09:30:08 2025 -0500 @@ -711,10 +711,9 @@ "x-requested-with", 'Access-Control-Request-Method': "PUT",}) - self.assertEqual(f.status_code, 400) + self.assertEqual(f.status_code, 403) - expected = ('{ "error": { "status": 400, "msg": "Required' - ' Header Missing" } }') + expected = ('{ "error": { "status": 403, "msg": "Forbidden." } }') self.assertEqual(b2s(f.content), expected)