[ARVADOS] created: 57155061189f477aa8c99797a56fda39dc67153e
Mon Jan 18 00:06:02 EST 2016
at 57155061189f477aa8c99797a56fda39dc67153e (commit)
commit 57155061189f477aa8c99797a56fda39dc67153e
Author: radhika <radhika at curoverse.com>
Date: Mon Jan 18 00:04:48 2016 -0500
8177: add trust_all_content config to Workbench.
diff --git a/apps/workbench/app/controllers/collections_controller.rb b/apps/workbench/app/controllers/collections_controller.rb
index f8b359c..63af828 100644
--- a/apps/workbench/app/controllers/collections_controller.rb
+++ b/apps/workbench/app/controllers/collections_controller.rb
@@ -347,7 +347,9 @@ class CollectionsController < ApplicationController
# We're about to pass a token in the query string, but
# keep-web can't accept that safely at a single-origin URL
# template (unless it's -attachment-only-host).
- tmpl = Rails.configuration.keep_web_download_url
+ unless (Rails.configuration.trust_all_content and tmpl)
+ tmpl = Rails.configuration.keep_web_download_url
+ end
if not tmpl
raise ArgumentError, "Download precluded by site configuration"
end
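Review bot: The explanatory comment directly above the added `unless` is now out of date: it says the token cannot safely be passed in the query string at the single-origin template, yet the new branch deliberately keeps `tmpl` in exactly that case when `trust_all_content` is set, and nothing in the hunk records that this is an operator-accepted trade-off. Adding a sentence such as `# Unless trust_all_content is enabled, in which case the site operator has accepted serving user content (and the token) from that origin.` before the `unless` would make the intent visible to the next reader. On style, prefer `unless Rails.configuration.trust_all_content && tmpl` over `and` (precedence trap outside parentheses) and `unless tmpl` over `if not tmpl` for consistency with the new line. The assignment that gives `tmpl` its initial value, and the enclosing method, lie outside the hunk, so where it comes from is inferred here.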
diff --git a/apps/workbench/config/application.default.yml b/apps/workbench/config/application.default.yml
index 63c2975..7e8c3aa 100644
--- a/apps/workbench/config/application.default.yml
+++ b/apps/workbench/config/application.default.yml
@@ -257,3 +257,10 @@ common:
# Example:
# keep_web_download_url: https://download.uuid_prefix.arvadosapi.com/c=%{uuid_or_pdh}
keep_web_download_url: false
+
+ # In "trust all content" mode, Workbench will redirect users to
+ # keep-web even when that exposes XSS vulnerabilities.
+ #
+ # When enabling this setting, the corresponding setting on the
+ # keep-web server must also be enabled.
+ trust_all_content: false
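Review bot: The new comment tells the operator to enable "the corresponding setting on the keep-web server" but does not name it, so an operator reading only this file has to guess. Since keep-web's flag is `-trust-all-content` (as shown in the doc.go hunk in this same commit), a concrete pointer such as `# (the -trust-all-content command-line flag on keep-web)` after the sentence on keep-web would remove the ambiguity. It would also be worth stating in the comment that the mismatch direction matters: with this set and keep-web not trusting content, redirects will simply fail, but with keep-web trusting content and this unset no extra exposure results.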
diff --git a/apps/workbench/test/controllers/collections_controller_test.rb b/apps/workbench/test/controllers/collections_controller_test.rb
index 978a513..0cd747e 100644
--- a/apps/workbench/test/controllers/collections_controller_test.rb
+++ b/apps/workbench/test/controllers/collections_controller_test.rb
@@ -577,6 +577,17 @@ class CollectionsControllerTest < ActionController::TestCase
assert_response :redirect
assert_equal "https://download.example/c=#{id.sub '+', '-'}/_/w%20a%20z?api_token=#{tok}", @response.redirect_url
end
+
+ test "Redirect to keep_web_download_url via #{id_type} when trust_all_content enabled" do
+ Rails.configuration.trust_all_content = true
+ setup_for_keep_web('https://collections.example/c=%{uuid_or_pdh}',
+ 'https://download.example/c=%{uuid_or_pdh}')
+ tok = api_fixture('api_client_authorizations')['active']['api_token']
+ id = api_fixture('collections')['w_a_z_file'][id_type]
+ get :show_file, {uuid: id, file: "w a z"}, session_for(:active)
+ assert_response :redirect
+ assert_equal "https://collections.example/c=#{id.sub '+', '-'}/_/w%20a%20z?api_token=#{tok}", @response.redirect_url
+ end
end
[false, true].each do |anon|
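Review bot: The new test assigns `Rails.configuration.trust_all_content = true` and never restores it, so every later test in the same process that does not set the value itself runs with the permissive mode enabled; unless a teardown outside this hunk already resets it (none is visible here), that silently weakens the existing assertions that expect the download-host redirect. The second test hunk in this file has the same pattern, though its `[false, true]` loop happens to leave the value at `true` at the end as well. Wrapping the body as `orig = Rails.configuration.trust_all_content` / `Rails.configuration.trust_all_content = true` / `... ensure Rails.configuration.trust_all_content = orig end`, or adding a `teardown` that resets the flag, keeps the tests order-independent. The enclosing `each do |id_type|` loop starts outside the hunk.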
@@ -617,12 +628,15 @@ class CollectionsControllerTest < ActionController::TestCase
assert_response 422
end
- test "Redirect preview to keep_web_download_url when preview is disabled" do
- setup_for_keep_web false, 'https://download.example/c=%{uuid_or_pdh}'
- tok = api_fixture('api_client_authorizations')['active']['api_token']
- id = api_fixture('collections')['w_a_z_file']['uuid']
- get :show_file, {uuid: id, file: "w a z"}, session_for(:active)
- assert_response :redirect
- assert_equal "https://download.example/c=#{id.sub '+', '-'}/_/w%20a%20z?api_token=#{tok}", @response.redirect_url
+ [false, true].each do |trust_all_content|
+ test "Redirect preview to keep_web_download_url when preview is disabled and trust_all_content is #{trust_all_content}" do
+ Rails.configuration.trust_all_content = trust_all_content
+ setup_for_keep_web false, 'https://download.example/c=%{uuid_or_pdh}'
+ tok = api_fixture('api_client_authorizations')['active']['api_token']
+ id = api_fixture('collections')['w_a_z_file']['uuid']
+ get :show_file, {uuid: id, file: "w a z"}, session_for(:active)
+ assert_response :redirect
+ assert_equal "https://download.example/c=#{id.sub '+', '-'}/_/w%20a%20z?api_token=#{tok}", @response.redirect_url
+ end
end
end
diff --git a/services/keep-web/doc.go b/services/keep-web/doc.go
index 4207d7b..5a66d86 100644
--- a/services/keep-web/doc.go
+++ b/services/keep-web/doc.go
@@ -232,4 +232,7 @@
//
// keep-web -listen :9999 -attachment-only-host domain.example:9999 -trust-all-content
//
+// Depending on your site configuration, you might also want to enable
+// "trust all content" setting on Workbench, in which case Workbench will
+// redirect users to keep-web even when that exposes XSS vulnerabilities.
package main