[Koha-devel] Koha CSRF protection
Tomas Cohen Arazi
tomascohen at gmail.com
Sat Apr 13 10:24:41 CEST 2024
The thing is we don't have a spec for each endpoint as we do for the API.
So people could be tricked to send a GET with a similar form, to an
endpoint (the .pl script) and bypass the generic CSRF check we do.
Also, this ways programmers and the QA team have a simpler way to detect
state-changing workflows that are unprotected: changes something? It needs
to be a POST with cus-, otherwise Koha will let you know you missed
something.
Hope it clarifies.
El sáb, 13 abr 2024 10:18, Julian Maurice via Koha-devel <
koha-devel at lists.koha-community.org> escribió:
> My point is: since all POST (and other unsafe methods) requests are
> protected and require a CSRF token, why does Koha have a requirement on
> the 'op' parameter for those requests ? It seems redundant and can cause
> unnecessary failure (I can't POST with 'op=search' even with a valid
> CSRF token, I don't understand why)
>
> And for safe methods (GET, HEAD, OPTIONS, TRACE), if someone identifies
> that it's doing a CUD operation, why modify the 'op' parameter since you
> need to also change the method to POST anyway ?
> This can be reworded as: How can we end up in a situation where 'op' has
> been fixed ("cud-" prefix added) but not the HTTP method ?
>
> Le 2024-04-12 20:41, Jonathan Druart a écrit :
> > We want to know which requests to protect (ie. Requiring a csrf token):
> > those having a op starting with cud-
> > Otherwise you could GET something that should be POSTed.
> > I've tried to describe this change as best as I could on the wiki,
> > please
> > adjust if it's not clear enough.
> > https://wiki.koha-community.org/wiki/Coding_Guidelines#CSRF_protection
> >
> > On Fri, 12 Apr 2024, 15:00 Julian Maurice via Koha-devel, <
> > koha-devel at lists.koha-community.org> wrote:
> >
> >> Hi,
> >>
> >> I'm a bit late on the topic but I had a look at the different bugs and
> >> patches during hackfest (mainly because it didn't work for me, I will
> >> open a new bug report for that).
> >>
> >> There is something in it that seems to cause bugs and I don't see a
> >> reason for it: it's the "cud-" thing.
> >>
> >> As I understand it, now every request that create/update/delete
> >> something should be POST (or PUT/DELETE/PATCH) requests and have an
> >> 'op'
> >> parameter whose value start with 'cud-' and all other requests should
> >> be
> >> GET (or OPTIONS/TRACE/HEAD) requests and if they have an 'op'
> >> parameter
> >> it should not start with "cud-".
> >> Why do we need the "cud-" prefix if we can use the HTTP method for
> >> detecting which requests need to be protected ?
> >>
> >> What seems strange is that the current implementation will allow a
> >> POST
> >> request without an 'op' parameter, but will block a POST request with
> >> an
> >> 'op' parameter that does not start with 'cud-'.
> >> It looks like we could get rid of this prefix check without losing
> >> anything. What did I miss ?
> >>
> >> Le 04/03/2024 à 08:37, Marcel de Rooy via Koha-devel a écrit :
> >> > Great work!
> >> >
> >> > *From:*Koha-devel <koha-devel-bounces at lists.koha-community.org> *On
> >> > Behalf Of *Nick Clemens via Koha-devel
> >> > *Sent:* Friday, March 1, 2024 2:26 PM
> >> > *To:* Koha Devel <koha-devel at lists.koha-community.org>; Koha
> >> > <koha at lists.katipo.co.nz>
> >> > *Subject:* [Koha-devel] Koha CSRF protection
> >> >
> >> > Hello all!
> >> >
> >> > We have pushed the CSRF work from 34478 and related bugs today. We
> know
> >> > there are more follow-ups needed, and have filed a series of bugs
> under
> >> > an omnibus:
> >> >
> >> > https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192
> >> > <https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192>
> >> >
> >> > We have a framapad where issues can be reported/found:
> >> >
> >> > https://annuel.framapad.org/p/koha_34478_remaining
> >> > <https://annuel.framapad.org/p/koha_34478_remaining>
> >> >
> >> > And we have bugs for each of the sections of the document. We need all
> >> > developers to submit patches when they encounter issues, and for other
> >> > users testing master to report found issues on the pad. Testers can
> >> > report issues on the pad as well.
> >> >
> >> > There is a new coding guideline - all POSTs to forms in Koha will need
> >> > to include a csrf token:
> >> >
> >> > https://wiki.koha-community.org/wiki/Coding_Guidelines#Security
> >> > <https://wiki.koha-community.org/wiki/Coding_Guidelines#Security>
> >> >
> >> > This has been a big work, many thanks to all involved, and there is
> >> > still work to be done, but this is an important fix that we must do.
> >> >
> >> > You can reach out to me on IRC (kidclamp) or via email and I will do
> my
> >> > best to help anyone contribute.
> >> >
> >> > Thanks,
> >> >
> >> > Nick
> >> >
> >> >
> >> > --
> >> >
> >> > Nick Clemens
> >> >
> >> > ByWater Solutions
> >> >
> >> > bywatersolutions.com <http://bywatersolutions.com/>
> >> >
> >> > Phone: (888) 900-8944
> >> >
> >> > Pronouns: (he/him/his)
> >> > Timezone: Eastern
> >> >
> >> > Follow us:
> >> >
> >> > <https://www.facebook.com/ByWaterSolutions/>
> >> > <https://www.instagram.com/bywatersolutions/>
> >> > <https://www.youtube.com/user/bywatersolutions>
> >> > <https://twitter.com/ByWaterSolution>
> >> >
> >> >
> >> > _______________________________________________
> >> > Koha-devel mailing list
> >> > Koha-devel at lists.koha-community.org
> >> > https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
> >> > website : https://www.koha-community.org/
> >> > git : https://git.koha-community.org/
> >> > bugs : https://bugs.koha-community.org/
> >> _______________________________________________
> >> Koha-devel mailing list
> >> Koha-devel at lists.koha-community.org
> >> https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
> >> website : https://www.koha-community.org/
> >> git : https://git.koha-community.org/
> >> bugs : https://bugs.koha-community.org/
> >>
> _______________________________________________
> Koha-devel mailing list
> Koha-devel at lists.koha-community.org
> https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
> website : https://www.koha-community.org/
> git : https://git.koha-community.org/
> bugs : https://bugs.koha-community.org/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.koha-community.org/pipermail/koha-devel/attachments/20240413/3c183f50/attachment.htm>
More information about the Koha-devel
mailing list