Add new decorator to prevent reflected text attacks
Instead of disabling repo names with periods in them, we simply disallow calls to the API when they are GET requests, whose path ends in a dot, and that do not have a referrer from the frontend.
This commit is contained in:
Joseph Schorr
parent
b342111edb
commit
188ea98441
8 changed files with 82 additions and 12 deletions
|
|
@ -1,5 +1,7 @@
|
|||
""" Various decorators for endpoint and API handlers. """
|
||||
|
||||
import logging
|
||||
|
||||
from functools import wraps
|
||||
from flask import abort, request, make_response
|
||||
|
||||
|
|
@ -8,6 +10,9 @@ import features
|
|||
from app import app
|
||||
from auth.auth_context import get_authenticated_context
|
||||
from util.names import parse_namespace_repository
|
||||
from util.http import abort
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
def parse_repository_name(include_tag=False,
|
||||
|
|
@ -92,3 +97,22 @@ def route_show_if(value):
|
|||
return f(*args, **kwargs)
|
||||
return decorated_function
|
||||
return decorator
|
||||
|
||||
|
||||
def require_xhr_from_browser(func):
|
||||
""" Requires that API GET calls made from browsers are made via XHR, in order to prevent
|
||||
reflected text attacks.
|
||||
"""
|
||||
|
||||
@wraps(func)
|
||||
def wrapper(*args, **kwargs):
|
||||
if app.config.get('BROWSER_API_CALLS_XHR_ONLY', False):
|
||||
if request.method == 'GET' and request.user_agent.browser:
|
||||
has_xhr_header = request.headers.get('X-Requested-With') == 'XMLHttpRequest'
|
||||
if not has_xhr_header:
|
||||
logger.warning('Disallowed possible RTA to URL %s with user agent %s',
|
||||
request.path, request.user_agent)
|
||||
abort(400)
|
||||
|
||||
return func(*args, **kwargs)
|
||||
return wrapper
|
||||
|
|
|
|||
Reference in a new issue