I am using discourse via docker containers in a local docker swarm. The installation went smoothly and we have been able to get a working prototype deployed within a super short period of time. Thanks for the great docs!
We then needed to get our business security scans run to be able to set up the proper proxies for getting discourse accessible via the outside world. All went well, except for a missing CSFR protection on /login. We have the local logins enabled and are being alerted that the /login url (looks like it is linked to the nice login window that is presented over the main page on login request) does not appear to have CSRF protection.
We are deployed behind a firewall, so access to Github to use the Git OAuth is not possible. That said, I have enabled it because we can watch the authentication attempt as the request hits Github and then see the failure logged in production.log (expected because Git has not access back to our discourse install). I mention this because the login attempt to GitHub includes CSRF protection, but the local login does not.
Local:
Started GET "/login.html?_=1545151335383" for xxx.xxx.xxx.xxx at 2018-12-18 16:42:15 +0000
Processing by StaticController#show as HTML
Parameters: {"_"=>"1545151335383", "id"=>"login"}
Rendering static/login.html.erb
Rendered static/login.html.erb (19.5ms)
GitHub:
Started GET "/auth/github" for xxx.xxx.xxx.xxx at 2018-12-18 18:34:32 +0000
(github) Setup endpoint detected, running now.
(github) Request phase initiated.
Started GET "/auth/github/callback?code=AUTHCODE" for xxx.xxx.xxx.xxx at 2018-12-18 18:34:52 +0000
(github) Setup endpoint detected, running now.
(github) Callback phase initiated.
(github) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
Started GET "/auth/failure?message=csrf_detected&strategy=github" for xxx.xxx.xxx.xxx at 2018-12-18 18:34:52 +0000
Processing by Users::OmniauthCallbacksController#failure as HTML
Parameters: {"message"=>"csrf_detected", "strategy"=>"github"}
Rendering users/omniauth_callbacks/failure.html.erb within layouts/no_ember
Rendered users/omniauth_callbacks/failure.html.erb within layouts/no_ember (0.7ms)
Rendered layouts/_head.html.erb (7.4ms)
Rendered common/_discourse_stylesheet.html.erb (0.2ms)
Rendered application/_header.html.erb (0.1ms)
Is /login missing CSRF protection or have we missed an installation step?
You mention that GitHub OAuth is not possible due to your firewall, so I’m not sure what the logs are supposed to be illustrating. The CSRF error on GitHub login would be expected if you have not configured it correctly.
What do you mean by this? If you’re being told this by an automated security scanner, then it is very likely to be a false positive.
@David Thanks. I suspected it might be a false positive. What I was trying to illustrate is that the Github login appears to have CSRF protection, while the local login does not. I do not see any csrf_detected notifications in the log when using the local login.
I need to prove to the security team that the /login page is actually protected.
@David Thanks! I have seen that documentation and forwarded along to the security team. I will dig into the source. I was surprised not see an csrf session logging into the production logs, but will look at the source to also forward the code block to them. Appreciated.
@David We did some more digging and monitoring of the requests and responses. It looks like the the CSRF token is not granted until the user logs in. When visiting the site the CSRF token is not being assigned. This is what our security folks are flagging - no CSRF token until logged in therefore, on initial visit we do not have a CSRF token. Is this intentional?
If we are logged in we see the following in the response: