Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 435067

Summary:

Orion should provide protection from cross-site request forgery

Product:

[ECD] Orion

Reporter:

Erwin Margewitsch <erwin.margewitsch>

Component:

Server

Assignee:

Erwin Margewitsch <erwin.margewitsch>

Status:

RESOLVED FIXED

QA Contact:

Severity:

normal

Priority:

CC:

ahunter.eclipse, john.arthorne, mamacdon, matthias.sohn, Michael_Rennie, simon_kaegi

Version:

unspecified

Flags:

ahunter.eclipse: iplog+

Target Milestone:

7.0

Hardware:

OS:

Mac OS X

Whiteboard:

Attachments:

Description	Flags
log file from orion.eclipse.org	none

Description Erwin Margewitsch

2014-05-16 09:38:40 EDT

Orion should provide protection from cross-site request forgery (description can be found under [1])

I'm going to push a patch to Gerrit.


[1] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29

Comment 1 Erwin Margewitsch

2014-05-16 11:24:29 EDT

Change in the server: https://git.eclipse.org/r/#/c/26730/

Change in the client: https://git.eclipse.org/r/26742

Comment 2 John Arthorne

2014-05-16 16:19:20 EDT

Very cool, thanks for the contribution Erwin!

Comment 3 Erwin Margewitsch

2014-05-28 11:15:17 EDT

I uploaded new patchsets which are implementing the double submit cookie approach [1]

[1]:  https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Double_Submit_Cookies

Comment 4 Simon Kaegi

2014-06-26 16:23:19 EDT

Sorry Erwin -- I ran out of time to take this further. Moving to 7.0

Comment 5 Anthony Hunter

2014-08-13 15:01:45 EDT

(In reply to Simon Kaegi from comment #4)
> Sorry Erwin -- I ran out of time to take this further. Moving to 7.0

Do not forget to review this change in Gerrit so we can cleanup the open list for Orion.

Comment 6 Erwin Margewitsch

2014-09-02 08:18:17 EDT

(In reply to Anthony Hunter from comment #5)
> (In reply to Simon Kaegi from comment #4)
> > Sorry Erwin -- I ran out of time to take this further. Moving to 7.0
> 
> Do not forget to review this change in Gerrit so we can cleanup the open
> list for Orion.

I also rebased and retested the changes on the current master branch.

Comment 7 Erwin Margewitsch

2014-09-25 11:40:25 EDT

Will the proposed change make it into 7.0?

Comment 8 Erwin Margewitsch

2014-09-29 10:05:02 EDT

With the newest patchset on the server the XSRFProtectionFilter can be disabled with a configuration property.

Change in the server: https://git.eclipse.org/r/#/c/26730/

Comment 9 Matthias Sohn

2014-10-10 10:19:17 EDT

Please review, I tested Erwin's changes and all looks good for me but we'd like another opinion from one of the Orion gurus.

Comment 10 Anthony Hunter

2014-10-20 10:31:32 EDT

We pushed this fix to master but now users are complaining that things are broken on http://orion.eclipse.org when we pushed the build containing this fix.

There are tons of errors in the logs:

ERROR o.e.o.s.s.XSRFPreventionFilter - PUT /site/insoo-A on behalf of user 'insoo': missing CSRF token in header.

Not sure we are ready to push these changes if there is client adoption required.

Comment 11 Anthony Hunter

2014-10-20 10:38:08 EDT

Self hosting is broken because of this change. 

You get the error:

"User name not specified"

Comment 12 Erwin Margewitsch

2014-10-20 10:49:07 EDT

(In reply to Anthony Hunter from comment #10)
> We pushed this fix to master but now users are complaining that things are
> broken on http://orion.eclipse.org when we pushed the build containing this
> fix.
> 
> There are tons of errors in the logs:
> 
> ERROR o.e.o.s.s.XSRFPreventionFilter - PUT /site/insoo-A on behalf of user
> 'insoo': missing CSRF token in header.
> 
> Not sure we are ready to push these changes if there is client adoption
> required.

Where can I find the logs?

Comment 13 Anthony Hunter

2014-10-20 10:59:12 EDT

Created attachment 248017 [details]
log file from orion.eclipse.org

Here is the log file from orion.eclipse.org

Comment 14 Anthony Hunter

2014-10-20 11:42:39 EDT

This change also breaks all the server JUnit tests that use Basic authentication and not the Form based authentication used on orion.eclipse.org. 355 out of 511 tests fail.

Comment 15 Mark Macdonald

2014-10-20 12:21:55 EDT

(In reply to Anthony Hunter from comment #11)
> Self hosting is broken because of this change. 
> 
> You get the error:
> 
> "User name not specified"

When XSRF filter checks the request against the endpoint and exception lists, it didn't account for the fact that in the self hosting case, the path name contains some additional segments:
> /hosted/foo/login
> /hosted/foo/login/form
> /hosted/foo/login/canaddusers
> ...

I added a check, so those errors should be gone now: http://git.eclipse.org/c/orion/org.eclipse.orion.server.git/commit/?id=d22a780

Comment 16 Anthony Hunter

2014-10-20 12:32:07 EDT

(In reply to Erwin Margewitsch from comment #8)
> With the newest patchset on the server the XSRFProtectionFilter can be
> disabled with a configuration property.
> 
> Change in the server: https://git.eclipse.org/r/#/c/26730/

Missed this comment. I have added this property to to the tests so the JUnits will pass:
http://git.eclipse.org/c/orion/org.eclipse.orion.server.git/commit/?id=da70ba0d52484ec8dc4367a1b97708d6c882707b

Comment 17 Mark Macdonald

2014-10-20 14:04:45 EDT

One more change: in some servers (*cough* WebSphere *cough*) getCookies() may return null, so we need a check to prevent NPE
http://git.eclipse.org/c/orion/org.eclipse.orion.server.git/commit/?id=b8a0469

Comment 18 Anthony Hunter

2014-10-20 16:23:15 EDT

(In reply to Mark Macdonald from comment #17)
> One more change: in some servers (*cough* WebSphere *cough*) getCookies()
> may return null, so we need a check to prevent NPE
> http://git.eclipse.org/c/orion/org.eclipse.orion.server.git/commit/
> ?id=b8a0469

This NPE problem also occurs when running Orion from a WAR on Tomcat.

Comment 19 Mark Macdonald

2014-10-20 16:28:58 EDT

I think we can close this bug again. Marking RESOLVED.