Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for CSRF tokens #5055

Merged
merged 17 commits into from
Aug 9, 2020
Merged

Add support for CSRF tokens #5055

merged 17 commits into from
Aug 9, 2020

Conversation

rauchy
Copy link
Contributor

@rauchy rauchy commented Jul 20, 2020

What type of PR is this? (check all applicable)

  • Feature

Description

This PR adds CSRF protection for all forms and API calls. CSRF protection is turned off by default and can be turned on in settings.ENFORCE_CSRF.

If CSRF enforcement is turned on, it will protect:

  1. Unauthenticated requests.
  2. Requests authenticated using a classic web session (including XHR calls).

It does not apply to requests authenticated using an api key.

@restyled-io restyled-io bot mentioned this pull request Jul 20, 2020
Merged
@rauchy rauchy requested a review from arikfr July 20, 2020 08:59
@rauchy rauchy marked this pull request as ready for review July 20, 2020 08:59
@restyled-io @restyled-commits
Restyled by prettier (#5056)
0b9d494 
Co-authored-by: Restyled.io <commits@restyled.io>
arikfr
arikfr reviewed Jul 27, 2020
View reviewed changes
client/app/services/axios.js Outdated
@@ -14,6 +15,8 @@ axios.interceptors.request.use(config => {
const apiKey = Auth.getApiKey();
if (apiKey) {
config.headers.Authorization = `Key ${apiKey}`;
} else {
config.headers.common["X-CSRF-TOKEN"] = Cookies.get("csrf_token");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should probably:

  1. Encapsulate the logic to get the CSRF token, so we can replace it.
  2. Not set anything if no csrf_token available?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. flask_wtf handles the generation and verifications. I'm not sure it can be replaced (nor should it be?)
  2. 8babdd0

tests/__init__.py
@@ -20,6 +20,8 @@
# Make sure rate limit is enabled
os.environ["REDASH_RATELIMIT_ENABLED"] = "true"

os.environ["REDASH_ENFORCE_CSRF"] = "false"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't we want to have some tests with CSRF? Or it's covered by Cypress?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It felt like a behaviour that should be evaluated in an E2E perspective, so Cypress does the trick.

docker-compose.yml
@@ -15,6 +15,7 @@ x-redash-environment: &redash-environment
REDASH_RATELIMIT_ENABLED: "false"
REDASH_MAIL_DEFAULT_SENDER: "redash@example.com"
REDASH_MAIL_SERVER: "email"
REDASH_ENFORCE_CSRF: "true"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't you need to do the same in Cypress' docker-compose?

@rauchy rauchy requested a review from arikfr August 3, 2020 12:03
@arikfr
Copy link
Member

arikfr commented Aug 5, 2020

I thought the Cypress failure is temporary so triggered another build, but it failed in the same way. Maybe somehow related to the changes?

@arikfr arikfr merged commit 5afd055 into master Aug 9, 2020
@arikfr arikfr deleted the csrf branch August 9, 2020 12:47
@rauchy rauchy mentioned this pull request Aug 16, 2020
Merged
1 task
@rauchy rauchy mentioned this pull request Sep 16, 2020
Merged
1 task
andrewdever pushed a commit to andrewdever/redash that referenced this pull request Oct 5, 2020
@restyled-io @restyled-commits @andrewdever
Add support for CSRF tokens (getredash#5055)
5f3a5c5 
* add flask-wtf

* add CSRF tokens to all static forms

* add CSRF tokens to all axios requests

* disable CSRF validation in unit tests

* support CSRF-protected requests in *most* cypress tests

* don't enfroce CSRF checks by default

* avoid CSRF enforcement in unit tests

* remove redundant spread

* some camel casing hiccups

* always yield the CSRF cookie, but avoid enforcing it if CSRF toggle is off

* Restyled by prettier (getredash#5056)

Co-authored-by: Restyled.io <commits@restyled.io>

* set a CSRF header only if cookie is present

* enforce CSRF in CI

* install lodash directly for Cypress

* install request-cookies directly for Cypress. We should probably start loading package.json deps

* enable CSRF support when logout and login happen within the same spec

Co-authored-by: restyled-io[bot] <32688539+restyled-io[bot]@users.noreply.github.com>
Co-authored-by: Restyled.io <commits@restyled.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arikfr arikfr Awaiting requested review from arikfr

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rauchy @arikfr