Posted to issues@nifi.apache.org by "exceptionfactory (via GitHub)" <gi...@apache.org> on 2023/12/07 02:58:47 UTC

[PR] NIFI-12487 Add CSRF Protection to Registry [nifi]

exceptionfactory opened a new pull request, #8136:
URL: https://github.com/apache/nifi/pull/8136

   # Summary
   
   [NIFI-12487](https://issues.apache.org/jira/browse/NIFI-12487) Adds Cross-Site Request Forgery protection to NiFi Registry using the Spring Security CSRF Filter and several components that follow the same approach currently implemented for NiFi CSRF protection.
   
   NiFi Registry does not use cookies for passing Application Bearer Tokens, and instead relies on the HTTP Authorization header being populated by a custom JavaScript request interceptor. This approach mitigates a number of potential threats. Introducing the CSRF Filter provides an additional layer of protection. Following a strategy similar to NiFi, the CSRF Request Matcher is based on the default Spring Security HTTP Method matching plus the presence of the Request Token cookie. This enables programmatic clients to continue working without reconfiguration, while requiring browser-based clients to pass the `Request-Token` header, as implemented through updates to the JavaScript request interceptor.
   
   # Tracking
   
   Please complete the following tracking steps prior to pull request creation.
   
   ### Issue Tracking
   
   - [X] [Apache NiFi Jira](https://issues.apache.org/jira/browse/NIFI) issue created
   
   ### Pull Request Tracking
   
   - [X] Pull Request title starts with Apache NiFi Jira issue number, such as `NIFI-00000`
   - [X] Pull Request commit message starts with Apache NiFi Jira issue number, such as `NIFI-00000`
   
   ### Pull Request Formatting
   
   - [X] Pull Request based on current revision of the `main` branch
   - [X] Pull Request refers to a feature branch with one commit containing changes
   
   # Verification
   
   Please indicate the verification steps performed prior to pull request creation.
   
   ### Build
   
   - [X] Build completed using `mvn clean install -P contrib-check`
     - [X] JDK 21
   
   ### Licensing
   
   - [ ] New dependencies are compatible with the [Apache License 2.0](https://apache.org/licenses/LICENSE-2.0) according to the [License Policy](https://www.apache.org/legal/resolved.html)
   - [ ] New dependencies are documented in applicable `LICENSE` and `NOTICE` files
   
   ### Documentation
   
   - [ ] Documentation formatting appears as expected in rendered files
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
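The request matcher and header-only token resolution described in the pull request, modelled as an added Python example (not code from the pull request or the NiFi project); it assumes the cookie uses the same name as the `Request-Token` header, since `CsrfCookieName` is not shown in the thread.

```python
# Added example, not code from the pull request: a Python model of the
# request matcher and header-only token resolution described above.
# Assumption: the cookie uses the same name as the Request-Token header
# (the real name comes from CsrfCookieName, which is not shown here).
import hmac
from dataclasses import dataclass, field

# Methods that Spring Security's CsrfFilter.DEFAULT_CSRF_MATCHER treats as safe
SAFE_METHODS = frozenset({"GET", "HEAD", "TRACE", "OPTIONS"})
REQUEST_TOKEN = "Request-Token"


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def csrf_matcher(req: Request) -> bool:
    """CsrfRequestMatcher: state-changing method AND Request Token cookie present.
    Skipping the filter when the cookie is absent is safe only because the
    bearer token travels in the Authorization header, never in a cookie."""
    if req.method.upper() in SAFE_METHODS:
        return False
    return req.cookies.get(REQUEST_TOKEN) is not None


def resolve_token_value(req: Request):
    """StandardCsrfTokenRequestAttributeHandler: header only, no parameter fallback."""
    value = req.headers.get(REQUEST_TOKEN)
    return value if value and value.strip() else None


def csrf_filter(req: Request) -> str:
    """Return 'skipped', 'accepted' or 'rejected' for one request."""
    if not csrf_matcher(req):
        return "skipped"
    expected = req.cookies[REQUEST_TOKEN]        # cookie-backed token repository
    actual = resolve_token_value(req)
    if actual is None or not hmac.compare_digest(expected.encode(), actual.encode()):
        return "rejected"
    return "accepted"


def scenarios() -> dict:
    """Constructed requests covering the cases the PR description argues about."""
    token = "c0ffee-constructed-token"
    cases = {
        # programmatic client: bearer header, no cookie, filter never runs
        "api_client_no_cookie": Request("POST", {"Authorization": "Bearer x"}),
        # browser client: interceptor copies the cookie value into the header
        "browser_with_header": Request("POST", {REQUEST_TOKEN: token}, {REQUEST_TOKEN: token}),
        # cookie sent automatically by the browser, custom header absent
        "cookie_without_header": Request("POST", {}, {REQUEST_TOKEN: token}),
        # token offered only as a form parameter is not accepted
        "token_in_parameter": Request("POST", {}, {REQUEST_TOKEN: token}, {"_csrf": token}),
        # header value does not match the cookie
        "mismatched_header": Request("DELETE", {REQUEST_TOKEN: "other"}, {REQUEST_TOKEN: token}),
        # safe method: filter not invoked even though the cookie is present
        "safe_get": Request("GET", {}, {REQUEST_TOKEN: token}),
    }
    return {name: csrf_filter(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:24s} {outcome}")
```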


Re: [PR] NIFI-12487 Add CSRF Protection to Registry [nifi]

Posted by "exceptionfactory (via GitHub)" <gi...@apache.org>.
exceptionfactory commented on code in PR #8136:
URL: https://github.com/apache/nifi/pull/8136#discussion_r1424783483


##########
nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/csrf/CsrfRequestMatcher.java:
##########
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.web.security.authentication.csrf;
+
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletRequest;
+import org.springframework.security.web.csrf.CsrfFilter;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+import static org.springframework.web.util.WebUtils.getCookie;
+
+/**
+ * Cross-Site Request Forgery Mitigation Request Matcher
+ */
+public class CsrfRequestMatcher implements RequestMatcher {
+
+    @Override
+    public boolean matches(final HttpServletRequest request) {
+        final boolean matches;
+
+        if (CsrfFilter.DEFAULT_CSRF_MATCHER.matches(request)) {
+            // Presence of Request Token Cookie requires invoking the CsrfFilter
+            final Cookie requestTokenCookie = getCookie(request, CsrfCookieName.REQUEST_TOKEN.getCookieName());
+            matches = requestTokenCookie != null;
+        } else {
+            matches = false;
+        }
+
+        return matches;
+    }
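Review bot: the `else` branch means a state-changing request that arrives without the Request Token cookie is never handed to the `CsrfFilter` at all, so the one-line class Javadoc should state this rule and the invariant it relies on: it is only safe because NiFi Registry carries the bearer token in the `Authorization` header rather than in a cookie, as the pull request description notes. Suggest something like `Matches state-changing requests that carry the Request Token cookie; requests without the cookie bypass CSRF validation and rely on header-based authentication.`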

Review Comment:
   > By default when declaring `boolean matches` it is already false. Setting to false I would think only clarifies its actual value. Hence the code could be simplified with
   
   Thanks for the feedback. The `matches` variable is declared `final`, so that is the reason for the explicit `false` assignment, which would otherwise be disallowed unless the `final` keyword were removed.





Re: [PR] NIFI-12487 Add CSRF Protection to Registry [nifi]

Posted by "exceptionfactory (via GitHub)" <gi...@apache.org>.
exceptionfactory commented on code in PR #8136:
URL: https://github.com/apache/nifi/pull/8136#discussion_r1425477157


##########
nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/csrf/CsrfRequestMatcher.java:
##########
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.web.security.authentication.csrf;
+
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletRequest;
+import org.springframework.security.web.csrf.CsrfFilter;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+import static org.springframework.web.util.WebUtils.getCookie;
+
+/**
+ * Cross-Site Request Forgery Mitigation Request Matcher
+ */
+public class CsrfRequestMatcher implements RequestMatcher {
+
+    @Override
+    public boolean matches(final HttpServletRequest request) {
+        final boolean matches;
+
+        if (CsrfFilter.DEFAULT_CSRF_MATCHER.matches(request)) {
+            // Presence of Request Token Cookie requires invoking the CsrfFilter
+            final Cookie requestTokenCookie = getCookie(request, CsrfCookieName.REQUEST_TOKEN.getCookieName());
+            matches = requestTokenCookie != null;
+        } else {
+            matches = false;
+        }
+
+        return matches;
+    }
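Review bot: `CsrfFilter.DEFAULT_CSRF_MATCHER` treats GET, HEAD, TRACE and OPTIONS as safe, so `matches(...)` will never invoke the filter for those methods even when the cookie is present; that is correct only if no Registry endpoint changes state on GET. Worth confirming during review and recording in the Javadoc which methods are exempt.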

Review Comment:
   There is not a great benefit in this particular case with a small method and minimal conditionals, but it is more of a general approach to use `final` as the standard, and only define re-assignable variables when absolutely necessary.





Re: [PR] NIFI-12487 Add CSRF Protection to Registry [nifi]

Posted by "exceptionfactory (via GitHub)" <gi...@apache.org>.
exceptionfactory commented on code in PR #8136:
URL: https://github.com/apache/nifi/pull/8136#discussion_r1424783911


##########
nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/csrf/StandardCsrfTokenRequestAttributeHandler.java:
##########
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.web.security.authentication.csrf;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.security.web.csrf.CsrfToken;
+import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
+import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
+import org.springframework.util.StringUtils;
+
+import java.util.function.Supplier;
+
+/**
+ * Cross-Site Request Forgery Mitigation Token Handler implementation supporting resolution using Request Header
+ */
+public class StandardCsrfTokenRequestAttributeHandler extends CsrfTokenRequestAttributeHandler {
+    private final XorCsrfTokenRequestAttributeHandler handler = new XorCsrfTokenRequestAttributeHandler();
+
+    /**
+     * Handle Request using standard Spring Security implementation
+     *
+     * @param request HTTP Servlet Request being handled
+     * @param response HTTP Servlet Response being handled
+     * @param csrfTokenSupplier Supplier for CSRF Token
+     */
+    @Override
+    public void handle(final HttpServletRequest request, final HttpServletResponse response, final Supplier<CsrfToken> csrfTokenSupplier) {
+        this.handler.handle(request, response, csrfTokenSupplier);
+    }
+
+    /**
+     * Resolve CSRF Token Value from HTTP Request Header
+     *
+     * @param request HTTP Servlet Request being processed
+     * @param csrfToken CSRF Token created from a CSRF Token Repository
+     * @return Token Value from Request Header or null when not found
+     */
+    @Override
+    public String resolveCsrfTokenValue(final HttpServletRequest request, final CsrfToken csrfToken) {
+        final String headerTokenValue = request.getHeader(csrfToken.getHeaderName());
+
+        final String resolvedToken;
+        if (StringUtils.hasText(headerTokenValue)) {
+            resolvedToken = super.resolveCsrfTokenValue(request, csrfToken);
+        } else {
+            resolvedToken = null;
+        }
+
+        return resolvedToken;
+    }
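Review bot: `handle(...)` delegates to `XorCsrfTokenRequestAttributeHandler`, which exposes a masked token through the request attribute, while `resolveCsrfTokenValue(...)` calls the plain superclass resolution rather than `handler.resolveCsrfTokenValue(...)`, so a masked value sent back by a client would not be unmasked. That is consistent if browser clients read the raw token from the cookie rather than the request attribute, but the asymmetry is deliberate enough to deserve a sentence in the class Javadoc so a later reader does not "fix" it.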

Review Comment:
   Similar to the `matches` situation, the `resolvedToken` variable is declared `final`, so it needs to be assigned explicitly in the conditionals.





Re: [PR] NIFI-12487 Add CSRF Protection to Registry [nifi]

Posted by "dan-s1 (via GitHub)" <gi...@apache.org>.
dan-s1 commented on code in PR #8136:
URL: https://github.com/apache/nifi/pull/8136#discussion_r1424400190


##########
nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/csrf/CsrfRequestMatcher.java:
##########
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.web.security.authentication.csrf;
+
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletRequest;
+import org.springframework.security.web.csrf.CsrfFilter;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+import static org.springframework.web.util.WebUtils.getCookie;
+
+/**
+ * Cross-Site Request Forgery Mitigation Request Matcher
+ */
+public class CsrfRequestMatcher implements RequestMatcher {
+
+    @Override
+    public boolean matches(final HttpServletRequest request) {
+        final boolean matches;
+
+        if (CsrfFilter.DEFAULT_CSRF_MATCHER.matches(request)) {
+            // Presence of Request Token Cookie requires invoking the CsrfFilter
+            final Cookie requestTokenCookie = getCookie(request, CsrfCookieName.REQUEST_TOKEN.getCookieName());
+            matches = requestTokenCookie != null;
+        } else {
+            matches = false;
+        }
+
+        return matches;
+    }
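Review bot: on the `final boolean matches` question, both goals (no mutable local, no explicit `false`) are met by a single expression, `return CsrfFilter.DEFAULT_CSRF_MATCHER.matches(request) && getCookie(request, CsrfCookieName.REQUEST_TOKEN.getCookieName()) != null;`, with the existing comment about the cookie triggering the filter moved above the `return`.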

Review Comment:
   By default when declaring `boolean matches` it is already false. Setting to false I would think only clarifies its actual value. Hence the code could be simplified with
   
   ```suggestion
           final boolean matches = false;
   
           if (CsrfFilter.DEFAULT_CSRF_MATCHER.matches(request)) {
               // Presence of Request Token Cookie requires invoking the CsrfFilter
               final Cookie requestTokenCookie = getCookie(request, CsrfCookieName.REQUEST_TOKEN.getCookieName());
               matches = requestTokenCookie != null;
           } 
   
           return matches;
       }
   ```



##########
nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/csrf/StandardCsrfTokenRequestAttributeHandler.java:
##########
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.web.security.authentication.csrf;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.security.web.csrf.CsrfToken;
+import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
+import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
+import org.springframework.util.StringUtils;
+
+import java.util.function.Supplier;
+
+/**
+ * Cross-Site Request Forgery Mitigation Token Handler implementation supporting resolution using Request Header
+ */
+public class StandardCsrfTokenRequestAttributeHandler extends CsrfTokenRequestAttributeHandler {
+    private final XorCsrfTokenRequestAttributeHandler handler = new XorCsrfTokenRequestAttributeHandler();
+
+    /**
+     * Handle Request using standard Spring Security implementation
+     *
+     * @param request HTTP Servlet Request being handled
+     * @param response HTTP Servlet Response being handled
+     * @param csrfTokenSupplier Supplier for CSRF Token
+     */
+    @Override
+    public void handle(final HttpServletRequest request, final HttpServletResponse response, final Supplier<CsrfToken> csrfTokenSupplier) {
+        this.handler.handle(request, response, csrfTokenSupplier);
+    }
+
+    /**
+     * Resolve CSRF Token Value from HTTP Request Header
+     *
+     * @param request HTTP Servlet Request being processed
+     * @param csrfToken CSRF Token created from a CSRF Token Repository
+     * @return Token Value from Request Header or null when not found
+     */
+    @Override
+    public String resolveCsrfTokenValue(final HttpServletRequest request, final CsrfToken csrfToken) {
+        final String headerTokenValue = request.getHeader(csrfToken.getHeaderName());
+
+        final String resolvedToken;
+        if (StringUtils.hasText(headerTokenValue)) {
+            resolvedToken = super.resolveCsrfTokenValue(request, csrfToken);
+        } else {
+            resolvedToken = null;
+        }
+
+        return resolvedToken;
+    }
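Review bot: in `resolveCsrfTokenValue(...)` the header value is already in hand as `headerTokenValue`, yet the method calls `super.resolveCsrfTokenValue(request, csrfToken)`, which re-reads the same header; returning `headerTokenValue` directly would make the intent explicit, namely that the superclass fallback to the request parameter is never used. The `@return` Javadoc ("Token Value from Request Header or null when not found") already matches that reading.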

Review Comment:
   The default value of `resolvedToken` is already null without even setting it to null when the variable is declared. Setting to null I would think only clarifies its actual value. Hence the code could be simplified with
   
   ```suggestion
           final String resolvedToken = null;
           if (StringUtils.hasText(headerTokenValue)) {
               resolvedToken = super.resolveCsrfTokenValue(request, csrfToken);
           } 
   
           return resolvedToken;
       }
   ```





Re: [PR] NIFI-12487 Add CSRF Protection to Registry [nifi]

Posted by "bbende (via GitHub)" <gi...@apache.org>.
bbende merged PR #8136:
URL: https://github.com/apache/nifi/pull/8136




Re: [PR] NIFI-12487 Add CSRF Protection to Registry [nifi]

Posted by "dan-s1 (via GitHub)" <gi...@apache.org>.
dan-s1 commented on code in PR #8136:
URL: https://github.com/apache/nifi/pull/8136#discussion_r1425419827


##########
nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/csrf/CsrfRequestMatcher.java:
##########
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.registry.web.security.authentication.csrf;
+
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletRequest;
+import org.springframework.security.web.csrf.CsrfFilter;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+import static org.springframework.web.util.WebUtils.getCookie;
+
+/**
+ * Cross-Site Request Forgery Mitigation Request Matcher
+ */
+public class CsrfRequestMatcher implements RequestMatcher {
+
+    @Override
+    public boolean matches(final HttpServletRequest request) {
+        final boolean matches;
+
+        if (CsrfFilter.DEFAULT_CSRF_MATCHER.matches(request)) {
+            // Presence of Request Token Cookie requires invoking the CsrfFilter
+            final Cookie requestTokenCookie = getCookie(request, CsrfCookieName.REQUEST_TOKEN.getCookieName());
+            matches = requestTokenCookie != null;
+        } else {
+            matches = false;
+        }
+
+        return matches;
+    }
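Review bot: the four combinations the matcher distinguishes (safe vs state-changing method, cookie present vs absent) are not covered by a test in this hunk; a small unit test calling `matches(...)` with a `MockHttpServletRequest` for each combination would pin the contract down, in particular that a POST without the cookie returns `false`.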

Review Comment:
   Thanks for clarifying that. Just curious, what is the advantage of using `final` here?


