[SSI-468] Improve error message for SSRF host validation#24285
[SSI-468] Improve error message for SSRF host validation#24285shiroginne wants to merge 4 commits into
Conversation
| if addrs.empty? | ||
| raise ServerSideRequestForgeryError, | ||
| "#{@origin.host} resolves only to private IP addresses, blocked to prevent SSRF. " \ | ||
| "To allow this host, add its IP addresses to OPENPROJECT_SSRF_PROTECTION_IP_ALLOWLIST." |
There was a problem hiding this comment.
🔴 This whole class we are looking at here is intended to be deleted.
As I said, there is a new version of httpx that allows to directly allowlist ip addresses in the built-in SSRF filter. We intended to switch over to that.
This also means that we'll not be able to change the error that's raised directly.
There was a problem hiding this comment.
Oh ok, is there any date or release when we are planning to remove this class? We could have a temp solution as is, and then figure out the new httpx's things 🤔
There was a problem hiding this comment.
Sorry, I thought this was clear before.
tl;dr (most of this we discussed IRL today):
httpx1.8.0 introduces new options tossrf_filterthat make this class obsolete- this version is already released, but hasn't yet been picked up by Dependabot
- Any solution that works without touching this class here, should work after such an update as well
- I would not pursue the solution proposed here, because it's essentially a throw-away solution that would only persist for a short moment (and for that, the issue doesn't seem critical enough to me, personally)
There was a problem hiding this comment.
Ok, let's stay in this conversation even though the code has changed completely.
The new approach is to use httpx 1.8.0 with its new SSRF filter plugin.
As for the error message, we'll inject a "decorator", which catches and then re-raises the error with our message.
Fun fact: the creator of httpx suggested a similar approach 😅 (link)
There was a problem hiding this comment.
Update: In recent httpx updates, the method refresh_token on OAuthSession became private.
To make it work again, the private method is called. Not a great solution. To cover the next updates, a spec was created.
|
Caution The provided work package version does not match the core version Details:
Please make sure that:
|
To have the proper clean system and not reuse httpx's classes.
69c398f to
e3deb43
Compare
To make it work again, the private method shall be called. Not a great solution. To cover the next updates, a spec was created.
|
|
||
| super | ||
| rescue HTTPX::ServerSideRequestForgeryError | ||
| raise OpenProject::ServerSideRequestForgeryError, |
There was a problem hiding this comment.
🔴 Did you try out whether this works as intended?
I am surprised, because HTTPX catches this error internally and then reacts on it, eventually resulting in returning an error response (instead of raising the error to the outside world).
I guess this is also the reason why you couldn't add a rescue statement outside of HTTPX. The reason of my question is that you replace HTTPX::ServerSideRequestForgeryError with a different error class. Thus HTTPX is not able to catch this anymore. I'd expect that the changed code (as opposed to the original code) would raise the OpenProject::ServerSideRequestForgeryError into the face of the caller of an httpx.get instead of returning it as an error response.
edit: I just noticed that the OpenProject error inherits from the other one... Why do we do this at all then? This will never be visible to the outside?
edit 2: Okay, apparently it's accessible as result.error... I still don't know why we do it xD
| module AuthenticationStrategies | ||
| # httpx keeps refreshed tokens inside OAuthSession without public readers, | ||
| # so #update_token digs them out via #send. Pinned here so that an httpx | ||
| # upgrade that moves them fails this spec first. |
There was a problem hiding this comment.
💚
I am still convinced that we should not use the HTTPX implementation of OAuth at all, because it's not intended to be used the way that we use it.
(But that's wildly out of scope for your PR)
|
Warning Flaky specs
🤖 Ask Copilot to investigateCopy the prompt below into a new comment on this PR to delegate the investigation to GitHub Copilot. It will look into the flakiness and open a separate pull request with you as reviewer. |
Ticket
SSI-468
What are you trying to accomplish?
Self-titled.
Merge checklist