Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Explicitly fail if EXCLUDE_URL_PREFIXES is a string #249

Open
okkays opened this issue Dec 4, 2024 · 2 comments
Open

Explicitly fail if EXCLUDE_URL_PREFIXES is a string #249

okkays opened this issue Dec 4, 2024 · 2 comments

Comments

@okkays
Copy link

okkays commented Dec 4, 2024

Context

After updating to 4.0b2, configuration values stored as tuple are silently ignored.

We use a security scanner (zap) which had started failing due to missing CSP headers. The docs mention that Many settings require a tuple or list. You may get very strange policies and even errors when mistakenly configuring them as a string.

After migrating to 4.0-compatible configuration, all of our values were tuple - changing them to list caused the header to appear again (this commit)

Suggestions

  • It'd be nice if incorrect configuration failed explicitly, rather than effectively skipping CSP. It's hard to notice the missing CSP header without a scanner, and it was difficult to debug why it wasn't being added. This was also how we noticed we needed to change our config for 4.0 - the security scanner caught it; our app ran without exception.
  • Re-support tuple or drop support for it from the documentation. All examples and tests appear to expect lists, anyway 🤷

This is low priority for us personally since we've figured it out and made the change, but I figured I'd bring this to your attention since it can silently disable CSP for config that conforms to the docs 😅

@robhudson
Copy link
Member

I appreciate that the specific commit was shared which help debug this more quickly.

The issue was this line:

    'EXCLUDE_URL_PREFIXES': ('/admin'),

This is missing the trailing comma to make it a tuple type. For example:

>>> type( ("/admin") )
<class 'str'>

>>> type( ("/admin",) )
<class 'tuple'>

In the middleware this value gets cast to a tuple for checking if the request path starts with a value defined in EXCLUDE_URL_PREFIXES. Since this came through as a string, it was essentially testing that these values matched the request path:

>>> tuple("/admin")
('/', 'a', 'd', 'm', 'i', 'n')

Since the first one / matches pretty much all paths, the CSP header was then excluded.

If this settings value was converted to a tuple everything else works as expected.

It'd be nice if incorrect configuration failed explicitly, rather than effectively skipping CSP.

I agree. We could likely add a check to ensure this particular setting is a tuple or a list because as a string it will definitely "get very strange policies and even errors". :)

Thanks for the report!

@robhudson robhudson changed the title tuple no longer supported Explicitly fail if EXCLUDE_URL_PREFIXES is a string Dec 4, 2024
@okkays
Copy link
Author

okkays commented Dec 4, 2024

d'oh, you are totally right - thanks for taking a look! Sorry for the misdiagnosis!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants