Issue 2551205: Add support for specifying valid origins for api: xmlrpc/rest - Roundup tracker

classification

Title:	Add support for specifying valid origins for api: xmlrpc/rest
Type:	security	Severity:	normal
Components:	API	Versions:

process

Status:	fixed	Resolution:	fixed
Dependencies		Superseder:
Assigned To:	rouilj	Nosy List:	marcus.priesch, rouilj
Priority:	high	Keywords:

Created on 2022-05-17 15:33 by rouilj, last changed 2025-01-19 21:23 by rouilj.

Messages
msg7534	Author: [hidden] (rouilj)	Date: 2022-05-17 15:33
When using roundup's rest or xmlrpc api interfaces from an application not at the same origin as the roundup tracker, CORS and CORS preflight are used (see issue2551203). This scenario looks like it requires disabling csrf_enforce_header_origin in config.ini for html and api requests. To stop this add an config.ini option: allowed_origins_for_api = that can take a comma separated list of url prefixes (ending with /) or the character '', The origin header when evaluating xmlrpc or rest requests must begin with: tracker.web (base element so scheme:://host/) any value on the allowed_origins_for_api If the allowed_original_for_api is the origin is allowed. For preflight requests, the returned value for Access-Control-Allow-Origin should be the client supplied origin value. This test should be extracted to a method on the client class (check_origin_header(self, api=False)) and called in handle_csrf(self, xmlrpc=False) replacing the existing origin check code. If handle_csrf is called with xmlrpc=True, call check_origin_header with api=True. (Consider replacing the name xmlrpc with api.) It should also be used in client.py::handle_rest() (with api=True) to verify the origin header for preflight requests. If the Origin header check fails for preflight return 401 with no CORS preflight headers.
msg7535	Author: [hidden] (rouilj)	Date: 2022-05-17 21:21
First pass at implementation. Changes from spec: confi.ini param is allowed_api_origins (shorter name). Origin values are space (not comma) separated and must exactly equal the origin header value. So https://foo.edu is not the same as https://Foo.edu. It seems to me that these should be a case insensitive match, but the original CORS spec says case sensitive and the newer spec has nothing to say on it. check_origin_header(self, api=False) renamed as is_origin_header_ok(self, api=false) Swapped out xmlrpc parm for api param. Updated comments. The code to handle preflight requests isn't done yet, so those items are still open. Also until CORS preflight support is implemented for xmlrpc, I am not adding origin filter there. Docs updated. changeset: 6681:ab2ed11c021e

History
Date	User	Action	Args
2025-01-19 21:23:18	rouilj	set	status: open -> fixed resolution: fixed
2023-03-14 03:46:48	rouilj	set	type: security components: + API
2022-05-17 21:22:05	rouilj	set	status: new -> open priority: high
2022-05-17 21:21:22	rouilj	set	messages: + msg7535
2022-05-17 15:33:20	rouilj	create