Security fixes #1216

Closed
wants to merge 6 commits into from

Conversation

@tprynn commented May 26, 2022

Ref #1209, #1217 and https://tprynn.github.io/2022/05/26/flower-vulns.html

  • Disable API by default if authentication is not configured
  • Update --auth flag handling to fix email validation bypasses
  • Document and test config flag changes

The CORS headers set here are not needed and ineffective: the specific methods which are allowed are not actually used in the app, so these will have no effect. CORS headers should not be set without an explicit purpose, because they could introduce additional vulnerabilities.
@tprynn (Author) commented May 26, 2022

It looks like a PR to add full CORS support was added in the meantime. I would recommend removing that PR as it significantly increases the exploitability of CSRF attacks against Flower.

@tprynn (Author) commented May 30, 2022

I've resolved the merge conflict relating to the CORS policy by setting the dangerous and unsafe CORS policy behind the same flag (dangerous_allow_unauth_api). Heads up @dave-flr for reference, unless you have a different solution.

@caleb15 commented Jun 3, 2022

@auvipy @thedrow this could affect a large number of celery users. @mher FYI.

@auvipy commented Jun 4, 2022

This package is not maintained by any active core developers, or we don't have commit access to this.
