Re: [che-dev] Changes in CORS configuration for Eclipse Che.

Since there is not much activity here.

My plan.
1. Upgrade Tomcat to the latest version + remove CORS entirely from the master.
2. Initiate "deprecate and remove" procedure of "export to the private cloud" feature.

If anyone has any concerns or comments, please let me know here by email or on the next Che call, which is supposed to happen next Monday.
I'm going to execute the described plan starting from next Tuesday, Nov 27.

On Tue, Nov 20, 2018 at 1:36 PM Sergii Kabashniuk <skabashn@xxxxxxxxxx> wrote:

Hello Florent.
On Mon, Nov 19, 2018 at 12:31 PM Florent Benoit <florent@xxxxxxxxxx> wrote:
Hello Sergii,

> There is no functionality in upstream that uses CORS on workspace master and CORS on workspace agent is used only for IDE.

Hello, I don't know how you checked functionalities, but AFAIK the export to private cloud feature of the dashboard is using CORS (as it needs to connect to another remote workspace master endpoint).

Yes. You are right. There is such functionality. We missed it because there is no integration test for it.
Another sad thing is that this functionality last worked with Che5 + Codenvy, because it uses authentication methods that no longer exist in the Che6/7 era.

What we can do:

With CORS filter on workspace master.

1. Do not upgrade Tomcat with the latest security fixes. Does anybody think that this is a good idea?
2. Allow configuring "origins" from the configuration. Quite useless since we don't know all the possible locations.
3. Disable auth on CORS. Limits functionality to public methods only.
4. Remove CORS entirely from the master. In this way, we remove potential CORS vulnerabilities on ws-master from the agenda.

My preference: 4 or 3.

With "export to private cloud" - functionality.

1. Just create a bug about the non-working functionality and forget.
2. Deprecate and remove. We have alternatives: export as a file, copy/paste JSON, and devfile is coming https://github.com/eclipse/che/issues/11549
3. Fix this functionality with a combination of some sort of OAuth + a server-side service method to be able to safely send authorization data.

I think 3 can quickly end up looking like 1. That is why I think 2 is the best way.

Thoughts?
 

Also, maybe there is other stuff using CORS from the dashboard.

The dashboard is not an issue if we are talking about the same host.
With ws-master, they are on the same domain. With the agent, we are going to allow requests from the dashboard's host.
 

Florent

On Sat, Nov 17, 2018 at 3:56 PM Sergii Kabashniuk <skabashn@xxxxxxxxxx> wrote:
Hello
Recently we decided to review our CORS configuration to make sure that it satisfies modern security requirements.

There is no functionality in upstream that uses CORS on workspace master
and CORS on workspace agent is used only for IDE.

To make Che more secure, we want to remove the CORS filter from the workspace master entirely.
On the ws-agent side, we want to limit Allow-Origin to the host from which the IDE was loaded.

If you see any problems with that please let me know.
Useful links


Some similar security issues:

Some related blog posts:

--

Sergii Kabashniuk

Principal Software Engineer, DevTools 

Red Hat Ukraine

skabashniuk@xxxxxxxxxx    



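
The options weighed in this thread (no CORS filter on the master, CORS without credentials, a configured origin list, and restricting the ws-agent to the origin the IDE was loaded from) can be expressed as one header-decision function. This is an added example, not code from Che or Tomcat; the function names, the mode names, the `credentials` flag and the `che.example.test` origin are assumptions made for illustration.

```python
from urllib.parse import urlsplit

IDE_ORIGIN = "https://che.example.test"  # constructed sample origin

def normalize(origin):
    """Return scheme://host[:port] in canonical form, or None if not a plain web origin."""
    try:
        parts = urlsplit(origin or "")
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    default = {"http": 80, "https": 443}[parts.scheme]
    suffix = "" if port in (None, default) else f":{port}"
    return f"{parts.scheme}://{parts.hostname}{suffix}"

def cors_headers(request_origin, mode, allowed=(), credentials=False):
    """Decide the CORS response headers for one request.

    mode "none"      - no CORS filter at all (option 4 for the master)
    mode "public"    - any origin, never credentials (option 3)
    mode "allowlist" - exact-match origins (option 2, or the ws-agent plan
                       with the single origin the IDE was loaded from)
    """
    if mode == "none":
        return {}
    if mode == "public":
        # "*" without Allow-Credentials: browsers refuse to expose the
        # response to requests sent with cookies or HTTP auth.
        return {"Access-Control-Allow-Origin": "*"}
    if mode != "allowlist":
        raise ValueError(f"unknown mode: {mode}")
    origin = normalize(request_origin)
    permitted = {normalize(o) for o in allowed} - {None}
    if origin is None or origin not in permitted:
        return {}  # no header: the browser blocks the cross-origin read
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers

if __name__ == "__main__":
    for o in (IDE_ORIGIN, IDE_ORIGIN + ".other.example", "null"):
        print(o, "->", cors_headers(o, "allowlist", [IDE_ORIGIN]))
```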

