Roundup Tracker - Issues

Issue 2551205

Add support for specifying valid origins for api: xmlrpc/rest
Type: security Severity: normal
Components: API Versions:
Status: open
Assigned To: rouilj Nosy List: marcus.priesch, rouilj
Priority: high Keywords:

Created on 2022-05-17 15:33 by rouilj, last changed 2023-03-14 03:46 by rouilj.

msg7534 Author: [hidden] (rouilj) Date: 2022-05-17 15:33
When using roundup's rest or xmlrpc api interfaces from an application
not at the same origin as the roundup tracker, CORS and CORS preflight
are used (see issue2551203).

This scenario looks like it requires disabling
csrf_enforce_header_origin in config.ini for html and api requests. To
stop this add a config.ini option:

  allowed_origins_for_api =

that can take a comma separated list of url prefixes (ending with /)
or the character '*',

The origin header when evaluating xmlrpc or rest requests must begin

  tracker.web (base element so scheme://host/)
  any value on the allowed_origins_for_api

If allowed_origins_for_api is * the origin is allowed.

For preflight requests, the returned value for
Access-Control-Allow-Origin should be the client supplied origin

This test should be extracted to a method on the client class
(check_origin_header(self, api=False)) and called in handle_csrf(self,
xmlrpc=False) replacing the existing origin check code. If handle_csrf
is called with xmlrpc=True, call check_origin_header with
api=True. (Consider replacing the name xmlrpc with api.)

It should also be used in (with api=True) to
verify the origin header for preflight requests. If the Origin header
check fails for preflight return 401 with no CORS preflight headers.
msg7535 Author: [hidden] (rouilj) Date: 2022-05-17 21:21
First pass at implementation.

Changes from spec:

config.ini param is allowed_api_origins (shorter name).
Origin values are space (not comma) separated and must exactly equal the origin header value.
So is not the same as

It seems to me that these should be a case insensitive match, but the original CORS spec says 
case sensitive and the newer spec has nothing to say on it.

check_origin_header(self, api=False) renamed as is_origin_header_ok(self, api=False)

Swapped out xmlrpc parm for api param. Updated comments.

The code to handle preflight requests isn't done yet, so those items are still open.

Also until CORS preflight support is implemented for xmlrpc, I am not adding origin
filter there.

Docs updated.

changeset:   6681:ab2ed11c021e
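As an added example that is not Roundup's own code and not from the author of these messages, the following Python sketch implements the origin check the two messages describe: the Origin header must exactly equal the origin of tracker.web; for api requests it may also equal one of the space-separated entries in allowed_api_origins, or anything at all if that option is `*`; the comparison is exact and case-sensitive (as msg7535 chose); and a preflight whose Origin fails the check gets 401 with no CORS headers, while a permitted preflight echoes the client's Origin. The names tracker_web and allowed_api_origins, the headers dict, the treatment of a missing Origin header as a failure of this check, and the 204 status for a permitted preflight are all assumptions of this example.

```python
"""Origin allow-list check in the shape described in the issue (added example,
not Roundup's own code). tracker_web stands in for the tracker.web config
value and allowed_api_origins for the config.ini option; both are assumptions."""
from urllib.parse import urlsplit


def origin_of(url):
    """Reduce an absolute URL to its origin, scheme://host[:port], which is the
    form a browser sends in the Origin header (no path, no trailing slash)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        raise ValueError("not an absolute URL: %r" % (url,))
    return "%s://%s" % (parts.scheme, parts.netloc)


def parse_allowed_origins(value):
    """Parse the space-separated config value.

    Returns the string '*' when any entry is '*' (every origin allowed),
    otherwise a frozenset of the entries exactly as written: no lowercasing and
    no slash trimming, so 'https://a.example/' and 'https://a.example' are
    different entries, matching the exact-match rule in msg7535."""
    items = value.split()
    if "*" in items:
        return "*"
    return frozenset(items)


def is_origin_header_ok(headers, tracker_web, allowed_api_origins, api=False):
    """Return True when the request's Origin header is acceptable.

    html requests (api=False) are accepted only from the tracker's own origin.
    api requests (api=True) are additionally accepted from the configured list.
    A request without an Origin header fails this check (assumption: other
    CSRF checks, not modelled here, would decide such requests)."""
    origin = headers.get("Origin")
    if origin is None:
        return False
    if origin == origin_of(tracker_web):
        return True
    if not api:
        return False
    allowed = parse_allowed_origins(allowed_api_origins)
    return allowed == "*" or origin in allowed


def preflight_response(headers, tracker_web, allowed_api_origins):
    """Decide an OPTIONS preflight for the api.

    Returns (status, response_headers). A rejected Origin yields 401 and no
    CORS headers at all; an accepted one echoes the client-supplied Origin in
    Access-Control-Allow-Origin, with Vary: Origin so a shared cache never
    serves that answer to a different origin. 204 is an assumed status."""
    if not is_origin_header_ok(headers, tracker_web, allowed_api_origins,
                               api=True):
        return 401, {}
    return 204, {
        "Access-Control-Allow-Origin": headers["Origin"],
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed sample configuration and requests.
    tracker = "https://tracker.example.com/demo/"
    allowed = "https://app.example.com https://tools.example.com"
    for origin in ("https://tracker.example.com", "https://app.example.com",
                   "https://APP.example.com", "https://evil.example"):
        req = {"Origin": origin}
        print("%-30s html=%-5s api=%-5s preflight=%s" % (
            origin,
            is_origin_header_ok(req, tracker, allowed),
            is_origin_header_ok(req, tracker, allowed, api=True),
            preflight_response(req, tracker, allowed)[0]))
```

Because the match is exact, an operator who lists `https://app.example.com/` (with the slash) will find browser requests from that site rejected; the value to configure is the origin as the browser sends it.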
Date                 User    Action  Args
2023-03-14 03:46:48  rouilj  set     type: security
                                     components: + API
2022-05-17 21:22:05  rouilj  set     status: new -> open
                                     priority: high
2022-05-17 21:21:22  rouilj  set     messages: + msg7535
2022-05-17 15:33:20  rouilj  create