sbp commented on code in PR #799:
URL:
https://github.com/apache/tooling-trusted-releases/pull/799#discussion_r2874371456
##########
atr/server.py:
##########
@@ -525,6 +525,18 @@ def _app_setup_security_headers(app: base.QuartApp) ->
None:
]
)
+ @app.before_request
+ async def validate_sec_fetch_headers() -> None:
+ if quart.request.path.startswith("/api"):
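Review bot: `startswith("/api")` is a bare prefix match, so any future route such as `/apix` or `/api-status` would also be caught by this guard; match `quart.request.path == "/api" or quart.request.path.startswith("/api/")` instead so the check is scoped to the API namespace only. While here, a short docstring on `validate_sec_fetch_headers` stating which Fetch Metadata headers it inspects and that it runs before routing would help the next reader.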
Review Comment:
This breaks `/api/docs`: I get a 403 with `Unauthorized` in a JSON body when
I navigate there in the browser. Same problem if browsing to
`/api/openapi.json`. The easiest solution would probably be to exempt these
paths.
##########
atr/server.py:
##########
@@ -525,6 +525,18 @@ def _app_setup_security_headers(app: base.QuartApp) ->
None:
]
)
+ @app.before_request
+ async def validate_sec_fetch_headers() -> None:
+ if quart.request.path.startswith("/api"):
+ sec_fetch_dest = quart.request.headers.get("Sec-Fetch-Dest", "")
+ if sec_fetch_dest in ("document", "embed", "object", "frame",
"iframe"):
+ raise base.ASFQuartException("Unauthorized", errorcode=403)
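Review bot: the fail-open behaviour here should be made explicit in a comment: a missing `Sec-Fetch-Dest` defaults to `""`, so non-browser clients and older browsers that never send the header pass straight through, which means this is a defence-in-depth layer and not an authorization control. The destination tuple is also rebuilt on every request; hoist it to a module-level `frozenset` constant named after its purpose so the allow/deny policy is visible in one place.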
Review Comment:
We should probably put a `log.warning` before here, so that we can see when
it's happening and why. Also 401 is unauthorized; this is correctly 403, but
should say "Forbidden" to match. We might as well explain why too, e.g.
"Forbidden: browser navigation to API endpoints is not permitted".
##########
atr/server.py:
##########
@@ -525,6 +525,18 @@ def _app_setup_security_headers(app: base.QuartApp) ->
None:
]
)
+ @app.before_request
+ async def validate_sec_fetch_headers() -> None:
+ if quart.request.path.startswith("/api"):
+ sec_fetch_dest = quart.request.headers.get("Sec-Fetch-Dest", "")
+ if sec_fetch_dest in ("document", "embed", "object", "frame",
"iframe"):
+ raise base.ASFQuartException("Unauthorized", errorcode=403)
+
+ if quart.request.method in ("POST", "PUT", "DELETE", "PATCH"):
+ sec_fetch_site = quart.request.headers.get("Sec-Fetch-Site", "")
+ if sec_fetch_site not in ("same-origin", "none", ""):
+ raise base.ASFQuartException("Unauthorized", errorcode=403)
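Review bot: the method check is an explicit deny-list, `("POST", "PUT", "DELETE", "PATCH")`, so any method not named there (for example a future addition) is silently unprotected; inverting it to `if quart.request.method not in ("GET", "HEAD", "OPTIONS"):` makes the safe methods the exception and everything else protected by default. Note also that `""` in the `Sec-Fetch-Site` allow-list means a request with no header at all is accepted, so this check cannot replace the existing CSRF protection, and rejecting `same-site` will block any legitimate sibling-subdomain caller; both decisions deserve a comment next to the tuple.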
Review Comment:
Should say something like "Forbidden: non-GET external navigation to this
site is not permitted".
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.