Skip to content

Outsource CSRF validation#38445

Closed
kesselb wants to merge 1 commit intomasterfrom
dept-remove-csrf-dependency-from-request
Closed

Outsource CSRF validation#38445
kesselb wants to merge 1 commit intomasterfrom
dept-remove-csrf-dependency-from-request

Conversation

@kesselb
Copy link
Contributor

@kesselb kesselb commented May 24, 2023
edited
Loading

Summary

To validate a CSRF token the Request object needs CsrfTokenManager.

CsrfTokenManager is a heavy dependency.

flowchart TD
    CsrfTokenManager
    CsrfTokenManager-->CsrfTokenGenerator-->ISecureRandom
    CsrfTokenManager-->SessionStorage-->ISession-->IUserSession
    IUserSession-->OC\User\Session
    OC\User\Session-->OC\User\Manager
    OC\User\Session-->OCP\ISession
    OC\User\Session-->ISecureRandom
    OC\User\Session-->LoggerInterface
    OC\User\Session-->IEventDispatcher
    OC\User\Manager-->ICacheFactory-->ICache
Loading

TODO

Checklist

@kesselb kesselb added the 2. developing Work in progress label May 24, 2023
github-advanced-security[bot]
github-advanced-security bot found potential problems May 24, 2023
View reviewed changes
@kesselb kesselb force-pushed the dept-remove-csrf-dependency-from-request branch from 66b78c5 to 67a7fab Compare May 24, 2023 19:56
@kesselb kesselb changed the title Dept remove csrf dependency from request Outsource CSRF validation May 24, 2023
tcitworld
tcitworld reviewed May 25, 2023
View reviewed changes
Copy link
Member

@tcitworld tcitworld left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would refactoring OC\AppFramework\Http\Request::passesCSRFCheck to use the new CsrfValidator create more dependency hell? It would avoid to have the logic in two different places.

@kesselb kesselb force-pushed the dept-remove-csrf-dependency-from-request branch from 67a7fab to ac0652e Compare May 25, 2023 16:56
@kesselb
Copy link
Contributor Author

kesselb commented May 25, 2023
edited
Loading

It would avoid to have the logic in two different places.

I agree, having the logic in two different places it not an improvement.

The goal is to remove passesCSRFCheck and the CSRFTokenManager from IRequest.
I deprecated it, but it's public api and has to stay for 3 years major releases.

@kesselb kesselb force-pushed the dept-remove-csrf-dependency-from-request branch from ac0652e to 3cb076e Compare May 25, 2023 20:33
@kesselb kesselb mentioned this pull request Jun 1, 2023
Merged
1 task
@kesselb kesselb force-pushed the dept-remove-csrf-dependency-from-request branch from 3cb076e to 6830563 Compare June 26, 2023 12:30
ChristophWurst
ChristophWurst reviewed Jun 26, 2023
View reviewed changes
@kesselb kesselb force-pushed the dept-remove-csrf-dependency-from-request branch from f806386 to 6f3ac85 Compare July 17, 2023 18:52
@kesselb kesselb self-assigned this Jul 17, 2023
@kesselb kesselb force-pushed the dept-remove-csrf-dependency-from-request branch 3 times, most recently from ca94de7 to 4ba5a0e Compare August 15, 2023 17:04
@kesselb kesselb added 3. to review Waiting for reviews and removed 2. developing Work in progress labels Aug 15, 2023
@kesselb kesselb added this to the Nextcloud 28 milestone Aug 15, 2023
@nickvergessen
Copy link
Member

nickvergessen commented Aug 15, 2023

But now all the classes need CsrfValidator and that still needs CsrfTokenManager?
Or did I miss the point?

@kesselb
Copy link
Contributor Author

kesselb commented Aug 15, 2023

But now all the classes need CsrfValidator and that still needs CsrfTokenManager?

That's correct.

IRequest.passesCSRFCheck is only needed in a couple of places, but IRequest is injected in many more classes.
For Nextcloud 30, we can remove passesCSRFCheck and CsrfTokenManager from Request.

@kesselb
Copy link
Contributor Author

kesselb commented Aug 15, 2023

I'm having the idea of making IRequest lighter for a while now.

We are injecting an IRequest instance in a couple of places. For example, the logger. It makes sense, to include some details from the request object (e.g. request id, ip address, etc.) in our logs, but that requires a CsrfTokenManager instance and therefore a working database connection and cache. As soon as db or cache is unavailable, you can't use the logger anymore.

Examples:
#25770 (comment)
#37458 (comment)

@nickvergessen
Copy link
Member

nickvergessen commented Aug 15, 2023

For Nextcloud 30, we can remove passesCSRFCheck and CsrfTokenManager from Request.

3 years, not 3 versions xP so 36 😔

@nickvergessen
Copy link
Member

nickvergessen commented Aug 15, 2023

But okay, got it now and see how it improves.

Could also remove the dependency already and just depend on \OC::$server->get() for the time being? 😅

@kesselb kesselb force-pushed the dept-remove-csrf-dependency-from-request branch from 4ba5a0e to fe647d5 Compare August 17, 2023 13:47
@kesselb
Copy link
Contributor Author

kesselb commented Aug 17, 2023

3 years, not 3 versions xP so 36 😔

😭

Could also remove the dependency already and just depend on \OC::$server->get() for the time being? 😅

Good idea 👍
I would like to do this as a follow-up.

nickvergessen
nickvergessen reviewed Aug 17, 2023
View reviewed changes
@kesselb
Copy link
Contributor Author

kesselb commented Nov 14, 2023

Moving to 29

This was referenced Mar 12, 2024
Merged
Merged
Merged
This was referenced Mar 20, 2024
Merged
Merged
@skjnldsv skjnldsv mentioned this pull request Mar 28, 2024
Merged
81 tasks
@skjnldsv skjnldsv modified the milestones: Nextcloud 29, Nextcloud 30 Mar 28, 2024
@kesselb kesselb force-pushed the dept-remove-csrf-dependency-from-request branch 4 times, most recently from ed76c62 to f41e63e Compare May 29, 2024 15:40
@kesselb kesselb requested review from Altahrim and provokateurin May 29, 2024 15:40
@kesselb kesselb force-pushed the dept-remove-csrf-dependency-from-request branch from cbe00c4 to a0dd76d Compare May 29, 2024 17:19
@kesselb
feat: move csrf validation out of request
97f4357 
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
@kesselb kesselb force-pushed the dept-remove-csrf-dependency-from-request branch from a0dd76d to 97f4357 Compare May 29, 2024 17:36
This was referenced Jul 30, 2024
Merged
Merged
@Altahrim Altahrim mentioned this pull request Aug 5, 2024
Merged
@skjnldsv skjnldsv added 2. developing Work in progress stale Ticket or PR with no recent activity and removed 3. to review Waiting for reviews labels Aug 6, 2024
@Altahrim Altahrim mentioned this pull request Aug 7, 2024
Merged
@skjnldsv skjnldsv mentioned this pull request Aug 13, 2024
Merged
@skjnldsv skjnldsv closed this Aug 14, 2024
@skjnldsv skjnldsv removed this from the Nextcloud 30 milestone Aug 14, 2024
@skjnldsv skjnldsv removed pending documentation This pull request needs an associated documentation update stale Ticket or PR with no recent activity labels Mar 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nickvergessen nickvergessen nickvergessen left review comments

@tcitworld tcitworld tcitworld left review comments

@ChristophWurst ChristophWurst ChristophWurst approved these changes

@icewind1991 icewind1991 Awaiting requested review from icewind1991

@Altahrim Altahrim Awaiting requested review from Altahrim

@provokateurin provokateurin Awaiting requested review from provokateurin

Assignees

@kesselb kesselb

Labels

2. developing Work in progress technical debt

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@kesselb @nickvergessen @ChristophWurst @tcitworld @skjnldsv