Deprecate query string auth tokens #28390
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
GiteaBot
added
the
lgtm/need 2
pull-request-size
bot
added
the
size/M
github-actions
bot
added
the
modifies/api
techknowlogick
added
pr/breaking
kdumontnu
suggested changes
Dec 7, 2023
GiteaBot
added
lgtm/blocked
|
This PR aims to solve a security vulnerability in which auth tokens in URL query parameters are leaked to middleware applications that log URL information, including access logs, browser history, and analytics services (such as Google Analytics). More information here: https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url It is a major functional change, as token auth is likely the most common method for authentication. However, a migration to token in headers should be fairly straightforward for users. The target is to provide deprecation warnings for users starting in 1.22 (along with a gitea config setting that can be used to disable the setting immediately). The default setting will be to disable query-based authentication in 1.23, and then remove the setting in 1.24. |
delvh
reviewed
Dec 7, 2023
|
Should we perhaps backport this to 1.21? |
delvh
added
topic/security
Yeah, I think that's a great idea. |
|
I can create a PR which removes the token usage from the integration tests. There we use the parameter a lot. |
Co-authored-by: delvh <dev.lh@web.de>
delvh
approved these changes
Dec 8, 2023
techknowlogick
approved these changes
Dec 10, 2023
delvh
changed the title
|
Maybe we can have a warning, the support will be removed at some version, like 1.23. We can removed the support entirely at that time but not not opt-out. |
|
Doesn't make any difference. |
kdumontnu
approved these changes
Dec 11, 2023
GiteaBot
removed
the
lgtm/blocked
GiteaBot
removed
the
reviewed/wait-merge
lunny
pushed a commit
that referenced
this pull request
Dec 12, 2023
Backport #28390 by @jackHay22 ## Changes - Add deprecation warning to `Token` and `AccessToken` authentication methods in swagger. - Add deprecation warning header to API response. Example: ``` HTTP/1.1 200 OK ... Warning: token and access_token API authentication is deprecated ... ``` - Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth tokens entirely. Default is `false` ## Next steps - `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and the methods should be removed in swagger - `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of the auth methods in question should be removed ## Open questions - Should there be further changes to the swagger documentation? Deprecation is not yet supported for security definitions (coming in [OpenAPI Spec version 3.2.0](OAI/OpenAPI-Specification#2506)) - Should the API router logger sanitize urls that use `token` or `access_token`? (This is obviously an insufficient solution on its own) Co-authored-by: Jack Hay <jack@allspice.io> Co-authored-by: delvh <dev.lh@web.de>
zjjhot
added a commit
to zjjhot/gitea
that referenced
this pull request
Dec 13, 2023
* giteaofficial/main: [skip ci] Updated translations via Crowdin Fix possible nil pointer access (go-gitea#28428) Don't show unnecessary citation JS error on UI (go-gitea#28433) Do some missing checks (go-gitea#28423) Deprecate query string auth tokens (go-gitea#28390)
|
Maybe we shoud update the configuration cheat sheet? I noticed the warning log and tried to check more on https://docs.gitea.com/administration/config-cheat-sheet, but I found nothing and I had to read the code. |
Yeah, that was an oversite. I can patch that. |
techknowlogick
pushed a commit
that referenced
this pull request
Dec 16, 2023
As described [here](#28390 (comment)).
GiteaBot
pushed a commit
to GiteaBot/gitea
that referenced
this pull request
Dec 16, 2023
As described [here](go-gitea#28390 (comment)).
techknowlogick
pushed a commit
that referenced
this pull request
Dec 16, 2023
Backport #28485 by @kdumontnu As described [here](#28390 (comment)). Co-authored-by: Kyle D <kdumontnu@gmail.com>
|
Just for ref: this caused an issue in the helm-chart: https://gitea.com/gitea/helm-chart/pulls/590 |
lunny
pushed a commit
that referenced
this pull request
Dec 22, 2023
techknowlogick
pushed a commit
to techknowlogick/gitea
that referenced
this pull request
Dec 23, 2023
yardenshoham
added
the
type/deprecation
fuxiaohei
pushed a commit
to fuxiaohei/gitea
that referenced
this pull request
Jan 17, 2024
## Changes - Add deprecation warning to `Token` and `AccessToken` authentication methods in swagger. - Add deprecation warning header to API response. Example: ``` HTTP/1.1 200 OK ... Warning: token and access_token API authentication is deprecated ... ``` - Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth tokens entirely. Default is `false` ## Next steps - `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and the methods should be removed in swagger - `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of the auth methods in question should be removed ## Open questions - Should there be further changes to the swagger documentation? Deprecation is not yet supported for security definitions (coming in [OpenAPI Spec version 3.2.0](OAI/OpenAPI-Specification#2506)) - Should the API router logger sanitize urls that use `token` or `access_token`? (This is obviously an insufficient solution on its own) --------- Co-authored-by: delvh <dev.lh@web.de>
fuxiaohei
pushed a commit
to fuxiaohei/gitea
that referenced
this pull request
Jan 17, 2024
As described [here](go-gitea#28390 (comment)).
fuxiaohei
pushed a commit
to fuxiaohei/gitea
that referenced
this pull request
Jan 17, 2024
fuxiaohei
pushed a commit
to fuxiaohei/gitea
that referenced
this pull request
Jan 17, 2024
… defined (go-gitea#28783) So we don't warn on default behavior - Fixes go-gitea#28758 - Follows go-gitea#28390 Signed-off-by: Yarden Shoham <git@yardenshoham.com>
GiteaBot
pushed a commit
to GiteaBot/gitea
that referenced
this pull request
Jan 20, 2024
… defined (go-gitea#28783) So we don't warn on default behavior - Fixes go-gitea#28758 - Follows go-gitea#28390 Signed-off-by: Yarden Shoham <git@yardenshoham.com>
mbaldessari
pushed a commit
to mbaldessari/gitea-helm-chart
that referenced
this pull request
Feb 10, 2024
### Description of the change With go-gitea/gitea#28390, Gitea 1.21.2 introduced warning log output within the result of `gitea admin <subcommand>` and therefore affects the current provisioning script. That script previously assumed a clean result set and was therefore doomed to fail at _some_ point. This introduces output sanitizing to trim such logs above the actual result table. ### Applicable issues - fixes #589 ### Additional information The non-sanitized output were only an issue for admin account provisioning, and only when the username matched one of these words (in case of #589 it was `gitea`): ```text .../setting/security.go:168:loadSecurityFrom() [W] Enabling Query API Auth tokens is not recommended. DISABLE_QUERY_AUTH_TOKEN will default to true in gitea 1.23 and will be removed in gitea 1.24. ``` LDAP and OAuth sources were not affected by this particular log line, but also processed non-sanitized result sets. Changing their code is a precaution. Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/590 Reviewed-by: pat-s <pat-s@noreply.gitea.com> Co-authored-by: justusbunsi <sk.bunsenbrenner@gmail.com> Co-committed-by: justusbunsi <sk.bunsenbrenner@gmail.com>
silverwind
pushed a commit
to silverwind/gitea
that referenced
this pull request
Feb 20, 2024
## Changes - Add deprecation warning to `Token` and `AccessToken` authentication methods in swagger. - Add deprecation warning header to API response. Example: ``` HTTP/1.1 200 OK ... Warning: token and access_token API authentication is deprecated ... ``` - Add setting `DISABLE_QUERY_AUTH_TOKEN` to reject query string auth tokens entirely. Default is `false` ## Next steps - `DISABLE_QUERY_AUTH_TOKEN` should be true in a subsequent release and the methods should be removed in swagger - `DISABLE_QUERY_AUTH_TOKEN` should be removed and the implementation of the auth methods in question should be removed ## Open questions - Should there be further changes to the swagger documentation? Deprecation is not yet supported for security definitions (coming in [OpenAPI Spec version 3.2.0](OAI/OpenAPI-Specification#2506)) - Should the API router logger sanitize urls that use `token` or `access_token`? (This is obviously an insufficient solution on its own) --------- Co-authored-by: delvh <dev.lh@web.de>
silverwind
pushed a commit
to silverwind/gitea
that referenced
this pull request
Feb 20, 2024
As described [here](go-gitea#28390 (comment)).
silverwind
pushed a commit
to silverwind/gitea
that referenced
this pull request
Feb 20, 2024
silverwind
pushed a commit
to silverwind/gitea
that referenced
this pull request
Feb 20, 2024
… defined (go-gitea#28783) So we don't warn on default behavior - Fixes go-gitea#28758 - Follows go-gitea#28390 Signed-off-by: Yarden Shoham <git@yardenshoham.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes
TokenandAccessTokenauthentication methods in swagger.DISABLE_QUERY_AUTH_TOKENto reject query string auth tokens entirely. Default isfalseNext steps
DISABLE_QUERY_AUTH_TOKENshould be true in a subsequent release and the methods should be removed in swaggerDISABLE_QUERY_AUTH_TOKENshould be removed and the implementation of the auth methods in question should be removedOpen questions
tokenoraccess_token? (This is obviously an insufficient solution on its own)