New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
When verifying a nonce, an empty referrer should be allowed. even though expectedReferrerHost is specified #20061
Conversation
Expected referrer would fail a nonce-check, if the referrer was empty or local. Introduced in 715ded1/matomo-org#17228. This fix "reverts" to a pure nonce-check, if referrer is empty or local. Issue encountered using the the GoogleAnalyticsImporter, also referred to in matomo-org#17228.
Previous fix would allow localhost, even though expectedReferrerHost specified something else. If a referrer is present, it must fail if it is not localhost or expectedReferrerHost.
Hi @kl-he I'm not 100% sure about possible security implications of removing that check. In theory that would now allow to simply bypass the expected referrer check by suppressing the referrer header. @tsteur Any thoughts or objections on that one? |
@kl-he could you maybe explain the use case a bit more why you need the change? This will help understand things. |
We are in the opposite situation as diosmosis was in, when #17228 was submitted. We are not seeing a referrer being sent (tried with different browsers and distros), when authenticating the Google Analytics Importer plugin, resulting in a failed authorization attempt. Without #17228 we would not have had a problem, as it allowed empty referrers, as @sgiehl correctly points out. This pull-request will allow the empty referrers again, but still do the domain-check, if a referrer is passed. If you go ahead with this pull-request, it might make sense to rename $expectedReferrerHost to $allowedReferrerHost. |
If you don't want this PR to be closed automatically in 28 days then you need to assign the label 'Do not close'. |
@tsteur any further notes on this one? I'm otherwise tempted to merge it. |
@sgiehl figured it's best to do a search on OWASP's thoughts on this so checked https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#verifying-origin-with-standard-headers and https://owasp.org/www-community/attacks/csrf Maybe there's a redirect that gets rid of the referrer. |
@kl-he could you maybe apply those suggestions |
Renamed expectedReferrerHost to allowedReferrerHost. Also updated doc-blocks and comments, to reflect the changes.
@sgiehl Done |
If you don't want this PR to be closed automatically in 28 days then you need to assign the label 'Do not close'. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left a comment regarding a failing test. Otherwise this looks good to me
@kl-he could you adjust the test and resolve the conflicts with or branches, then I'll try to merge this one before the next release.
|
||
public function testVerifyNonceWithErrorMessage_validNonceAndLocalReferrerWithNoAllowedReferrer_expectEmptyString() | ||
{ | ||
$this->setReferrer('http://app'); // The "local" host when running via CLI. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess this test is meant to test with the configured hostname as referrer. Might be better to fetch the host with Config::getHostname()
so it works on all instances.
$this->setReferrer('http://app'); // The "local" host when running via CLI. | |
$this->setReferrer('http://' . \Piwik\Config::getHostname()); // The "local" host when running via CLI. |
This pull request has been mentioned on Matomo forums. There might be relevant details there: https://forum.matomo.org/t/google-analytics-importer/48279/2 |
If you don't want this PR to be closed automatically in 28 days then you need to assign the label 'Do not close'. |
Not mergable anymore due to conflicts. Created #20479 to replace this PR. |
Description:
if an expectedReferrerHost is passed, the nonce-check will fail, if there is no referrer. This was introduced in #17228, as a fix when using GoogleAnalyticsImporter.
While using GoogleAnalyticsImporter, we are seeing a referrer being sent by the browser, so this this will cause the check to fail, as the empty referrer doesn't match google.com.
This fix allows empty referrers again, while also doing expectedReferrerHost and/or localhost, when referrer is specified.
Tests added as integration tests.
./console tests:run --testsuite integration --filter NonceTest
Review