Merge pull request #188 from matthewbelisle-wf/RED-5108

rmconsole5-wk · web-flow · commit 179af8cb9430 · 2022-07-05T15:42:29.000-05:00
RED-5108 - Check taskqueue ip
diff --git a/furious/__init__.py b/furious/__init__.py
@@ -13,3 +13,21 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+
+import logging
+
+import webapp2
+
+
+def csrf_check(request):
+    """
+    Throws an HTTP 403 error if a CSRF attack is detected, same logic as the deferred module.
+
+    https://cloud.google.com/appengine/docs/standard/python/refdocs/modules/google/appengine/ext/deferred/deferred
+    """
+    in_prod = (
+        not request.environ.get("SERVER_SOFTWARE").startswith("Devel"))
+    if in_prod and request.environ.get("REMOTE_ADDR") != "0.1.0.2":
+      logging.error("Detected an attempted CSRF attack from {}. This request did "
+                    "not originate from Task Queue.".format(request.environ.get("REMOTE_ADDR")))
+      webapp2.abort(403)
diff --git a/furious/_pkg_meta.py b/furious/_pkg_meta.py
@@ -1,2 +1,2 @@
-version_info = (1, 6, 3)
+version_info = (1, 6, 4)
 version = '.'.join(map(str, version_info))
diff --git a/furious/config.py b/furious/config.py
@@ -71,6 +71,15 @@ def get_completion_cleanup_delay():
     return config.get('cleanupdelay')
 
 
+def get_csrf_check():
+    """Get the CSRF check function, which takes one arg (webapp2.Reqeust)
+    and returns None, throwing an exception if a CSRF attack is detected.
+    """
+    from furious.job_utils import path_to_reference
+
+    return path_to_reference(get_config().get('csrf_check'))
+
+
 def _get_configured_module(option_name, known_modules=None):
     """Get the module specified by the value of option_name. The value of the
     configuration option will be used to load the module by name from the known
@@ -155,7 +164,8 @@ def default_config():
             'cleanupqueue': 'default',
             'cleanupdelay': 7600,
             'defaultqueue': 'default',
-            'task_system': 'appengine_taskqueue'}
+            'task_system': 'appengine_taskqueue',
+            'csrf_check': 'furious.csrf_check'}
 
 
 def _load_yaml_config(path=None):
diff --git a/furious/handlers/webapp.py b/furious/handlers/webapp.py
@@ -17,7 +17,7 @@
 
 from furious.handlers import process_async_task
 from furious.errors import AbortAndRestart
-
+from furious.config import get_csrf_check
 
 class AsyncJobHandler(webapp2.RequestHandler):
     """Handles requests for the webapp framework."""
@@ -29,6 +29,9 @@ def post(self):
 
     def _handle_task(self):
         """Pass request info to the async framework."""
+        # Check for CSRF
+        get_csrf_check()(self.request)
+
         headers = self.request.headers
 
         message = None

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-version_info = (1, 6, 3)`
	`1`	`+version_info = (1, 6, 4)`
`2`	`2`	`version = '.'.join(map(str, version_info))`