Changeset - d402d1e4aed4
Parent rev.
Child rev.
[Not reviewed]
default
0 2 0
Søren Løvborg - 10 years ago 2015-09-03 23:49:27
sorenl@unity3d.com
security: HTTP method sanity checks

This serves to document and verify some implicit constraints on the
HTTP method.
2 files changed with 14 insertions and 1 deletions:
kallithea/lib/auth.py
13
kallithea/tests/functional/test_admin_defaults.py
1
1
0 comments (0 inline, 0 general)
kallithea/lib/auth.py
Show inline comments
 
@@ -751,36 +751,49 @@ class LoginRequired(object):
 
                if api_key in user.api_keys:
 
                    log.info('user %s authenticated with API key ****%s @ %s',
 
                             user, api_key[-4:], loc)
 
                    return func(*fargs, **fkwargs)
 
                else:
 
                    log.warning('API key ****%s is NOT valid', api_key[-4:])
 
                    return redirect_to_login(_('Invalid API key'))
 
            else:
 
                # controller does not allow API access
 
                log.warning('API access to %s is not allowed', loc)
 
                return abort(403)
 

			




	
	
	
		
 
        # Only allow the following HTTP request methods. (We sometimes use POST

			




	
	
	
		
 
        # requests with a '_method' set to 'PUT' or 'DELETE'; but that is only

			




	
	
	
		
 
        # used for the route lookup, and does not affect request.method.)

			




	
	
	
		
 
        if request.method not in ['GET', 'HEAD', 'POST', 'PUT']:

			




	
	
	
		
 
            return abort(405)

			




	
	
	
		
 

			




	
	
	
		
 
        # CSRF protection: Whenever a request has ambient authority (whether

			




	
	
	
		
 
        # through a session cookie or its origin IP address), it must include

			




	
	
	
		
 
        # the correct token, unless the HTTP method is GET or HEAD (and thus

			




	
	
	
		
 
        # guaranteed to be side effect free. In practice, the only situation

			




	
	
	
		
 
        # where we allow side effects without ambient authority is when the

			




	
	
	
		
 
        # authority comes from an API key; and that is handled above.

			




	
	
	
		
 
        if request.method not in ['GET', 'HEAD']:

			




	
	
	
		
 
            token = request.POST.get(secure_form.token_key)

			




	
	
	
		
 
            if not token or token != secure_form.authentication_token():

			




	
	
	
		
 
                log.error('CSRF check failed')

			




	
	
	
		
 
                return abort(403)

			




	
	
	
		
 

			




	
	
	
		
 
        # WebOb already ignores request payload parameters for anything other

			




	
	
	
		
 
        # than POST/PUT, but double-check since other Kallithea code relies on

			




	
	
	
		
 
        # this assumption.

			




	
	
	
		
 
        if request.method not in ['POST', 'PUT'] and request.POST:

			




	
	
	
		
 
            log.error('%r request with payload parameters; WebOb should have stopped this', request.method)

			




	
	
	
		
 
            return abort(400)

			




	
	
	
		
 

			




	
	
	
		
 
        # regular user authentication

			




	
	
	
		
 
        if user.is_authenticated:

			




	
	
	
		
 
            log.info('user %s authenticated with regular auth @ %s', user, loc)

			




	
	
	
		
 
            return func(*fargs, **fkwargs)

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            log.warning('user %s NOT authenticated with regular auth @ %s', user, loc)

			




	
	
	
		
 
            return redirect_to_login()

			




	
	
	
		
 

			




	
	
	
		
 
class NotAnonymous(object):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    Must be logged in to execute this function else

			




	
	
	
		
 
    redirect to login page"""

			




        

    


    
    

    

        

                

                    kallithea/tests/functional/test_admin_defaults.py
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -55,25 +55,25 @@ class TestDefaultsController(TestControl

			




	
	
	
		
 
        response = self.app.put(url('default', id='default'), params=params)

			




	
	
	
		
 
        self.checkSessionFlash(response, 'Default settings updated successfully')

			




	
	
	
		
 

			




	
	
	
		
 
        params.pop('_authentication_token')

			




	
	
	
		
 
        defs = Setting.get_default_repo_settings()

			




	
	
	
		
 
        self.assertEqual(params, defs)

			




	
	
	
		
 

			




	
	
	
		
 
    def test_update_browser_fakeout(self):

			




	
	
	
		
 
        response = self.app.post(url('default', id=1), params=dict(_method='put', _authentication_token=self.authentication_token()))

			




	
	
	
		
 

			




	
	
	
		
 
    def test_delete(self):

			




	
	
	
		
 
        # Not possible due to CSRF protection.

			




	
	
	
		
 
        response = self.app.delete(url('default', id=1), status=403)

			




	
	
	
		
 
        response = self.app.delete(url('default', id=1), status=405)

			




	
	
	
		
 

			




	
	
	
		
 
    def test_delete_browser_fakeout(self):

			




	
	
	
		
 
        response = self.app.post(url('default', id=1), params=dict(_method='delete', _authentication_token=self.authentication_token()))

			




	
	
	
		
 

			




	
	
	
		
 
    def test_show(self):

			




	
	
	
		
 
        response = self.app.get(url('default', id=1))

			




	
	
	
		
 

			




	
	
	
		
 
    def test_show_as_xml(self):

			




	
	
	
		
 
        response = self.app.get(url('formatted_default', id=1, format='xml'))

			




	
	
	
		
 

			




	
	
	
		
 
    def test_edit(self):

			




	
	
	
		
 
        response = self.app.get(url('edit_default', id=1))

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.