Posted to notifications@apisix.apache.org by "thor533 (via GitHub)" <gi...@apache.org> on 2023/04/26 08:46:21 UTC

[GitHub] [apisix] thor533 opened a new issue, #9373: The key of CSRF is fixed

thor533 opened a new issue, #9373:
URL: https://github.com/apache/apisix/issues/9373

   ### Current Behavior
   
   When I used the CSRF plugin, I found that there was a big problem with the algorithm that generated the token. I found that when the generated token had % in it, the checksum would not pass.
   
   ```
   {"error_msg":"csrf token mismatch"}
   ```
   
   
   ### Expected Behavior
   
   The generated token can pass the verification
   
   ### Error Logs
   
   
   ```
   {"error_msg":"csrf token mismatch"}
   ```
   
   
   ### Steps to Reproduce
   
   1. Set the route:
   ```
   {
       "id": "457923292771123904",
       "create_time": 1682473152,
       "update_time": 1682498301,
       "uri": "/test/*",
       "name": "least-conn2",
       "methods": [
           "GET",
           "POST",
           "PUT",
           "DELETE",
           "PATCH",
           "HEAD",
           "OPTIONS",
           "CONNECT",
           "TRACE"
       ],
       "plugins": {
           "csrf": {
               "disable": false,
               "key": "edd1c9f034335f136f87ad84b625c8f1"
           }
       },
       "upstream": {
           "nodes": [
               {
                   "host": "192.168.88.66",
                   "port": 9001,
                   "weight": 1
               }
           ],
           "retries": 1,
           "timeout": {
               "connect": 6,
               "send": 6,
               "read": 6
           },
           "type": "roundrobin",
           "scheme": "http",
           "pass_host": "pass",
           "keepalive_pool": {
               "idle_timeout": 60,
               "requests": 1000,
               "size": 320
           },
           "retry_timeout": 2
       },
       "status": 1
   }
   ```
   2. Request with the GET method to get the token:
   `eyJleHBpcmVzIjoxNjgyNDk4OTIwLCJyYW5kb20iOjAuMjcyNjI0NTA2MzUxNjYsInNpZ24iOiJhYmNlYmJkM2M3Y2YyYjA2N2Y1ZWZiZDliN2ViODdhNGFmMWVmN2YxYWY2MGNjMTkzNmJkMzExZmRjOWRmZGIzIn0%3D`
   ![image](https://user-images.githubusercontent.com/62246176/234520646-1dad2404-45e0-4ba6-9772-a8bbeb7678e3.png)
   
   3. Request with the POST method:
   ![image](https://user-images.githubusercontent.com/62246176/234520898-3fc3e8c8-5641-479a-8b67-7b445860f567.png)
   
   PS: When the generated token does not contain %, the request can pass:
   eyJleHBpcmVzIjoxNjgyNDk5MDA5LCJyYW5kb20iOjAuMDU1MDkyMjQ5NTkwMDAxLCJzaWduIjoiOGU5OWRmOGQyNWJjZjMwM2I3Yzg4MzAyYWQ2ODZhYWQ4N2NiNzY0YWU4M2YwY2YwNzRiOTI3NzczNDE5ODA5ZiJ9
   ![image](https://user-images.githubusercontent.com/62246176/234521332-e8920273-8db9-46ff-8037-ebc87e2c6920.png)
   
   
   
   ### Environment
   
   - APISIX version (run `apisix 2.15-alpine`):
   - Operating system (run `uname -a`):
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
   - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
   - APISIX Dashboard version, if relevant:
   - Plugin runner version, for issues related to plugin runners:
   - LuaRocks version, for installation issues (run `luarocks --version`):
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
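The two cookie values quoted in the steps above decode to base64 JSON with `expires`, `random` and `sign` fields. The following Python example is added here and is not APISIX's own Lua plugin code: it parses that layout, URL-decoding the `%3D` padding before base64 decoding, and shows why the percent-encoded form fed straight to a base64 decoder is rejected. The field layout is inferred from decoding those two values; how the plugin computes `sign` is not on the page and is not modelled here.

```python
import base64
import binascii
import json
import re
from urllib.parse import unquote

# Cookie values quoted in the issue above. The first carries the base64 "="
# padding percent-encoded as %3D; the second happens to need no padding.
TOKEN_WITH_PADDING = "eyJleHBpcmVzIjoxNjgyNDk4OTIwLCJyYW5kb20iOjAuMjcyNjI0NTA2MzUxNjYsInNpZ24iOiJhYmNlYmJkM2M3Y2YyYjA2N2Y1ZWZiZDliN2ViODdhNGFmMWVmN2YxYWY2MGNjMTkzNmJkMzExZmRjOWRmZGIzIn0%3D"
TOKEN_WITHOUT_PADDING = "eyJleHBpcmVzIjoxNjgyNDk5MDA5LCJyYW5kb20iOjAuMDU1MDkyMjQ5NTkwMDAxLCJzaWduIjoiOGU5OWRmOGQyNWJjZjMwM2I3Yzg4MzAyYWQ2ODZhYWQ4N2NiNzY0YWU4M2YwY2YwNzRiOTI3NzczNDE5ODA5ZiJ9"

# Both tokens on the page carry a 64-hex-character "sign" (the length of a SHA-256 digest).
HEX64 = re.compile(r"[0-9a-f]{64}")


def decode_csrf_token(cookie_value: str, url_decode: bool = True) -> dict:
    """Parse the base64-encoded JSON token carried in the CSRF cookie.

    A cookie value may arrive percent-encoded, so "=" shows up as "%3D".
    With url_decode=False the literal "%3D" reaches the base64 decoder, which
    rejects it: that is the mismatch a verifier would produce if it skipped
    the URL-decoding step. Field layout is inferred from the page's tokens.
    """
    raw = unquote(cookie_value) if url_decode else cookie_value
    try:
        payload = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"token is not valid base64: {exc}") from exc
    token = json.loads(payload)
    # Structural checks first, so a malformed token is rejected with a clear
    # reason before any signature comparison would be attempted.
    if not isinstance(token.get("expires"), int):
        raise ValueError("token has no integer 'expires' field")
    if not isinstance(token.get("random"), float):
        raise ValueError("token has no float 'random' field")
    if not isinstance(token.get("sign"), str) or not HEX64.fullmatch(token["sign"]):
        raise ValueError("token 'sign' is not a 64-hex-character digest")
    return token


def token_is_fresh(token: dict, now: int) -> bool:
    """True while the embedded expiry (Unix seconds) is still in the future."""
    return token["expires"] > now
```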


Re: [I] The name of CSRF is error [apisix]

Posted by "sheharyaar (via GitHub)" <gi...@apache.org>.
sheharyaar commented on issue #9373:
URL: https://github.com/apache/apisix/issues/9373#issuecomment-1851558584

   Can you please try to reproduce it again and attach APISIX logs too?

Re: [I] The name of CSRF is error [apisix]

Posted by "monkeyDluffy6017 (via GitHub)" <gi...@apache.org>.
monkeyDluffy6017 closed issue #9373: The name of CSRF is error
URL: https://github.com/apache/apisix/issues/9373

Re: [I] The name of CSRF is error [apisix]

Posted by "sheharyaar (via GitHub)" <gi...@apache.org>.
sheharyaar commented on issue #9373:
URL: https://github.com/apache/apisix/issues/9373#issuecomment-1851555866

   Hi @thor533, I tried to reproduce this issue, but for me even the second and subsequent requests pass successfully.
   I tried the same `apisix- 2.15-alpine` Docker image.

[GitHub] [apisix] Revolyssup commented on issue #9373: The name of CSRF is error

Posted by "Revolyssup (via GitHub)" <gi...@apache.org>.
Revolyssup commented on issue #9373:
URL: https://github.com/apache/apisix/issues/9373#issuecomment-1695295779

   @thor533 Can you also show the cookies in the subsequent request that was sent?

[GitHub] [apisix] thor533 closed issue #9373: The key of CSRF is fixed

Posted by "thor533 (via GitHub)" <gi...@apache.org>.
thor533 closed issue #9373: The key of CSRF is fixed
URL: https://github.com/apache/apisix/issues/9373

Re: [I] The name of CSRF is error [apisix]

Posted by "sheharyaar (via GitHub)" <gi...@apache.org>.
sheharyaar commented on issue #9373:
URL: https://github.com/apache/apisix/issues/9373#issuecomment-1851387812

   @shreemaan-abhishek, I would like to look into this.

Re: [I] The name of CSRF is error [apisix]

Posted by "monkeyDluffy6017 (via GitHub)" <gi...@apache.org>.
monkeyDluffy6017 commented on issue #9373:
URL: https://github.com/apache/apisix/issues/9373#issuecomment-1851714250

   Considered resolved. Please feel free to reopen it.

Re: [I] The name of CSRF is error [apisix]

Posted by "monkeyDluffy6017 (via GitHub)" <gi...@apache.org>.
monkeyDluffy6017 commented on issue #9373:
URL: https://github.com/apache/apisix/issues/9373#issuecomment-1851714993

   @sheharyaar, thanks for your contribution.

Re: [I] The name of CSRF is error [apisix]

Posted by "sheharyaar (via GitHub)" <gi...@apache.org>.
sheharyaar commented on issue #9373:
URL: https://github.com/apache/apisix/issues/9373#issuecomment-1851680374

   @thor533, I tested with the same image `apisix 2.15-alpine`; for me, even with the default name, the second request gives "csrf token mismatch". This is because for every request a new token is generated and sent via the `Set-Cookie` header. Hence, for every request you must read the token from the cookie. Since you are using the same `test` cookie, it blocks your request.
   
   The docs mention that clearly: https://apisix.apache.org/docs/apisix/plugins/csrf/#enable-plugin
   
   ![image](https://github.com/apache/apisix/assets/34273345/ad265feb-98f9-4bb5-8f68-0a0365852413)
   
   Moreover, in the image you attached, the cookie set by Postman is different from the `test` value:
   
   ![image](https://github.com/apache/apisix/assets/34273345/eb475ec1-b89a-4c81-b567-c1fb9a13a400)