Changeset - ef392737c203
Parent rev.
Child rev.
[Not reviewed]
stable
0 1 0
Mads Kiilerich - 10 years ago 2015-09-26 02:34:37
madski@unity3d.com
auth: validate that the token protecting from CSRF attacks never is leaked

This will partly give some protection if it should happen, partly make sure the
leak doesn't go unnoticed but is found so it can be fixed.
1 file changed with 10 insertions and 1 deletions:
kallithea/lib/auth.py
10
1
0 comments (0 inline, 0 general)
kallithea/lib/auth.py
Show inline comments
 
@@ -13,49 +13,49 @@
 
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
"""
 
kallithea.lib.auth
 
~~~~~~~~~~~~~~~~~~
 

			




	
	
	
		
 
authentication and permission libraries

			




	
	
	
		
 

			




	
	
	
		
 
This file was forked by the Kallithea project in July 2014.

			




	
	
	
		
 
Original author and date, and relevant copyright and licensing information is below:

			




	
	
	
		
 
:created_on: Apr 4, 2010

			




	
	
	
		
 
:author: marcink

			




	
	
	
		
 
:copyright: (c) 2013 RhodeCode GmbH, and others.

			




	
	
	
		
 
:license: GPLv3, see LICENSE.md for more details.

			




	
	
	
		
 
"""

			




	
	
	
		
 
import time

			




	
	
	
		
 
import os

			




	
	
	
		
 
import logging

			




	
	
	
		
 
import traceback

			




	
	
	
		
 
import hashlib

			




	
	
	
		
 
import itertools

			




	
	
	
		
 
import collections

			




	
	
	
		
 

			




	
	
	
		
 
from decorator import decorator

			




	
	
	
		
 

			




	
	
	
		
 
from pylons import url, request

			




	
	
	
		
 
from pylons import url, request, session

			




	
	
	
		
 
from pylons.controllers.util import abort, redirect

			




	
	
	
		
 
from pylons.i18n.translation import _

			




	
	
	
		
 
from webhelpers.pylonslib import secure_form

			




	
	
	
		
 
from sqlalchemy import or_

			




	
	
	
		
 
from sqlalchemy.orm.exc import ObjectDeletedError

			




	
	
	
		
 
from sqlalchemy.orm import joinedload

			




	
	
	
		
 

			




	
	
	
		
 
from kallithea import __platform__, is_windows, is_unix

			




	
	
	
		
 
from kallithea.lib.vcs.utils.lazy import LazyProperty

			




	
	
	
		
 
from kallithea.model import meta

			




	
	
	
		
 
from kallithea.model.meta import Session

			




	
	
	
		
 
from kallithea.model.user import UserModel

			




	
	
	
		
 
from kallithea.model.db import User, Repository, Permission, \

			




	
	
	
		
 
    UserToPerm, UserGroupRepoToPerm, UserGroupToPerm, UserGroupMember, \

			




	
	
	
		
 
    RepoGroup, UserGroupRepoGroupToPerm, UserIpMap, UserGroupUserGroupToPerm, \

			




	
	
	
		
 
    UserGroup, UserApiKeys

			




	
	
	
		
 

			




	
	
	
		
 
from kallithea.lib.utils2 import safe_unicode, aslist

			




	
	
	
		
 
from kallithea.lib.utils import get_repo_slug, get_repo_group_slug, \

			




	
	
	
		
 
    get_user_group_slug, conditional_cache

			




	
	
	
		
 
from kallithea.lib.caching_query import FromCache

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
log = logging.getLogger(__name__)

			




	
	
		
 
@@ -745,48 +745,57 @@ class LoginRequired(object):

			




	
	
	
		
 

			




	
	
	
		
 
        # check if we used an API key and it's a valid one

			




	
	
	
		
 
        api_key = request.GET.get('api_key')

			




	
	
	
		
 
        if api_key is not None:

			




	
	
	
		
 
            # explicit controller is enabled or API is in our whitelist

			




	
	
	
		
 
            if self.api_access or allowed_api_access(loc, api_key=api_key):

			




	
	
	
		
 
                if api_key in user.api_keys:

			




	
	
	
		
 
                    log.info('user %s authenticated with API key ****%s @ %s',

			




	
	
	
		
 
                             user, api_key[-4:], loc)

			




	
	
	
		
 
                    return func(*fargs, **fkwargs)

			




	
	
	
		
 
                else:

			




	
	
	
		
 
                    log.warning('API key ****%s is NOT valid', api_key[-4:])

			




	
	
	
		
 
                    return redirect_to_login(_('Invalid API key'))

			




	
	
	
		
 
            else:

			




	
	
	
		
 
                # controller does not allow API access

			




	
	
	
		
 
                log.warning('API access to %s is not allowed', loc)

			




	
	
	
		
 
                return abort(403)

			




	
	
	
		
 

			




	
	
	
		
 
        # Only allow the following HTTP request methods. (We sometimes use POST

			




	
	
	
		
 
        # requests with a '_method' set to 'PUT' or 'DELETE'; but that is only

			




	
	
	
		
 
        # used for the route lookup, and does not affect request.method.)

			




	
	
	
		
 
        if request.method not in ['GET', 'HEAD', 'POST', 'PUT']:

			




	
	
	
		
 
            return abort(405)

			




	
	
	
		
 

			




	
	
	
		
 
        # Make sure CSRF token never appears in the URL. If so, invalidate it.

			




	
	
	
		
 
        if secure_form.token_key in request.GET:

			




	
	
	
		
 
            log.error('CSRF key leak detected')

			




	
	
	
		
 
            session.pop(secure_form.token_key, None)

			




	
	
	
		
 
            session.save()

			




	
	
	
		
 
            from kallithea.lib import helpers as h

			




	
	
	
		
 
            h.flash(_("CSRF token leak has been detected - all form tokens have been expired"),

			




	
	
	
		
 
                    category='error')

			




	
	
	
		
 

			




	
	
	
		
 
        # CSRF protection: Whenever a request has ambient authority (whether

			




	
	
	
		
 
        # through a session cookie or its origin IP address), it must include

			




	
	
	
		
 
        # the correct token, unless the HTTP method is GET or HEAD (and thus

			




	
	
	
		
 
        # guaranteed to be side effect free. In practice, the only situation

			




	
	
	
		
 
        # where we allow side effects without ambient authority is when the

			




	
	
	
		
 
        # authority comes from an API key; and that is handled above.

			




	
	
	
		
 
        if request.method not in ['GET', 'HEAD']:

			




	
	
	
		
 
            token = request.POST.get(secure_form.token_key)

			




	
	
	
		
 
            if not token or token != secure_form.authentication_token():

			




	
	
	
		
 
                log.error('CSRF check failed')

			




	
	
	
		
 
                return abort(403)

			




	
	
	
		
 

			




	
	
	
		
 
        # WebOb already ignores request payload parameters for anything other

			




	
	
	
		
 
        # than POST/PUT, but double-check since other Kallithea code relies on

			




	
	
	
		
 
        # this assumption.

			




	
	
	
		
 
        if request.method not in ['POST', 'PUT'] and request.POST:

			




	
	
	
		
 
            log.error('%r request with payload parameters; WebOb should have stopped this', request.method)

			




	
	
	
		
 
            return abort(400)

			




	
	
	
		
 

			




	
	
	
		
 
        # regular user authentication

			




	
	
	
		
 
        if user.is_authenticated:

			




	
	
	
		
 
            log.info('user %s authenticated with regular auth @ %s', user, loc)

			




	
	
	
		
 
            return func(*fargs, **fkwargs)

			




	
	
	
		
 
        else:

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.