Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Set cookie policy to SameSite=lax and httpOnly (partial mitigation for #2496) #2498

Merged
merged 4 commits into from
Oct 17, 2019

Conversation

jannfis
Copy link
Member

@jannfis jannfis commented Oct 15, 2019

Checklist:

This PR sets the attributes SameSite=lax and httpOnly for the authentication cookie used by the web UI. It partially mitigates the CSRF vulnerability reported in #2496. It will work with most more or less up-to-date browsers in the wild, but not with all (IE 10 and IE11 on some platforms, most notably).

I chose lax as SameSite policy so that links to ArgoCD (i.e. from a company internal documentation or bookmark page) will still work when the user accidentally closed the tab without logging out, and opening ArgoCD via href link. I tested basic reproduction steps as mentioned in #2496 and found the solution protects against this scenario (although giving 401 response, not 403, which I consider fine and appropriate).

Cross-site requests using GET, HEAD, TRACE and OPTIONS methods will also still work, but since we obey REST principles everywhere (no data manipulation using those methods), this should be "fine".

Also as mentioned in discussion in #2496, this is no complete CSRF protection but only a "quick win" that we should also keep when thinking about things like CSRF tokens for all data manipulating HTTP methods.

@jannfis
Copy link
Member Author

jannfis commented Oct 15, 2019

GolangCI step fails with error message:

$ GOLANGCI_COM_RUN=1 golangci-lint run --out-format=json --issues-exit-code=0 --timeout=5m --new=false --new-from-rev= --new-from-patch=../changes.patch
    Can't get config for command line: can't parse args: unknown flag: --timeout

@jannfis
Copy link
Member Author

jannfis commented Oct 15, 2019

It seems GolangCI changed the option --deadline for --timeout when calling golangci-lint, but didn't consider that the rather old version we use (and request via configuration) does not support --timeout option.

Wait for them to fix (hopefully), or update our version request of golangci-lint to something more recent?

@jannfis
Copy link
Member Author

jannfis commented Oct 15, 2019

Well, whatever we do, I have opened an issue with them: golangci/golangci#48

@jannfis
Copy link
Member Author

jannfis commented Oct 16, 2019

They fixed support for old versions, so this build turned green automatically.

@alexmt alexmt self-requested a review October 17, 2019 18:28
@alexmt
Copy link
Collaborator

alexmt commented Oct 17, 2019

Thank you @jannfis . Cherry-picking it into 1.3

@alexmt alexmt merged commit 8d5939f into argoproj:master Oct 17, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants