Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Running in GitHub Codespaces #1542

Open
8 of 11 tasks
GromNaN opened this issue Dec 5, 2024 · 11 comments
Open
8 of 11 tasks

Running in GitHub Codespaces #1542

GromNaN opened this issue Dec 5, 2024 · 11 comments

Comments

@GromNaN
Copy link
Member

GromNaN commented Dec 5, 2024

GitHub Codespaces is a good solution to run and try modifying the application without installing anything the desktop. Part of the support was added by #1369

But it doesn't work anymore, we get the following message when starting a codespace.

This codespace is currently running in recovery mode due to a configuration error. Please review the creation logs, update your dev container configuration as needed, and run the "Rebuild Container" command to rectify.

What we need to achieve with codespace:

@GromNaN GromNaN added the help wanted Issues and PRs which are looking for volunteers to complete them. label Dec 5, 2024
@maxgrundnig
Copy link
Contributor

maxgrundnig commented Dec 7, 2024

I am working on this for #SymfonyHackday

maxgrundnig added a commit to maxgrundnig/demo that referenced this issue Dec 8, 2024
If it is executed as part of the updateContentCommand step, the container creation fails.
importmap:install is executed by composer install though (part of the auto-scripts), which executes just fine in Codespaces.

Fixes symfony#1542

Co-authored-by: Wolfgang Weintritt <[email protected]>
@maxgrundnig
Copy link
Contributor

PR #1544 fixes the crash when starting a Codespace.

But there is another issue in Codespace: The Router generates absolute URLs with the port number included, which doesn't work in Codespace. I am not that familiar wit the Routing component, maybe somebody else can take a look at it?

@GromNaN
Copy link
Member Author

GromNaN commented Dec 9, 2024

But there is another issue in Codespace: The Router generates absolute URLs with the port number included, which doesn't work in Codespace. I am not that familiar wit the Routing component, maybe somebody else can take a look at it?

It's to be due to the proxy provided by Codespace. This can be solved by setting one the trusted proxies:

framework:
    # shortcut for private IP address ranges of your proxy
    trusted_proxies: 'private_ranges'
    # trust *all* "X-Forwarded-*" headers
    trusted_headers: ['x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port', 'x-forwarded-prefix']

I'm not sure what would be the best for this project:

After that, there is still an issue with CSRF protection.

javiereguiluz added a commit that referenced this issue Dec 10, 2024
…xgrundnig)

This PR was merged into the main branch.

Discussion
----------

Remove importmap:install command from devcontainer.json

If it is executed as part of the updateContentCommand step, the container creation fails.

importmap:install is executed by composer install though (part of the auto-scripts), which executes just fine in Codespaces.

Part of #1542

Commits
-------

7271753 Remove importmap:install command from devcontainer.json
@GromNaN GromNaN reopened this Dec 10, 2024
@GromNaN
Copy link
Member Author

GromNaN commented Dec 16, 2024

@nicolas-grekas after fixing trusted proxies in #1550, I did not find how to fix CSRF protection. The attribute csrf-token is not set when the login form is submitted.

@nicolas-grekas
Copy link
Member

nicolas-grekas commented Dec 19, 2024

can you try adding this to the login form?

-<input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}"/>
+<input type="hidden" name="_csrf_token" data-controller="csrf-protection" value="{{ csrf_token('authenticate') }}"/>

@GromNaN
Copy link
Member Author

GromNaN commented Dec 19, 2024

can you try adding this to the login form?

That doesn't work.
image

GromNaN added a commit that referenced this issue Dec 19, 2024
This PR was squashed before being merged into the main branch.

Discussion
----------

Set trusted proxies for running in Codespace

Part of #1542

GitHub Codespaces runs the application behind a proxy. In order to get correctly generated URLs, proxy headers must be allowed.

Also update to PHP 8.4

Commits
-------

d09b66a Set trusted proxies for running in Codespace
@GromNaN
Copy link
Member Author

GromNaN commented Dec 19, 2024

The CSRF error logged is request.WARNING: CSRF validation failed: origin info doesn't match.

The Referer value is correct, but the Origin header that is used contains the local server address.

Referer: https://orange-space-palm-tree-rwp96p7p7f57j9-8000.app.github.dev/fr/login
Origin: http://localhost:8000"

It works if I change the SameOriginCsrfTokenManager to read only the Referer header. The form HTML don't need to be changed.

- $source = $request->headers->get('Origin') ?? $request->headers->get('Referer') ?? 'null';
+ $source = $request->headers->get('Referer') ?? 'null';

@stof
Copy link
Member

stof commented Dec 19, 2024

@GromNaN are your trusted proxies configured properly ?

@GromNaN
Copy link
Member Author

GromNaN commented Dec 19, 2024

Yes, they have been configured in #1550

@GromNaN
Copy link
Member Author

GromNaN commented Dec 19, 2024

It seems to be an issue with Codespace: https://github.com/orgs/community/discussions/147513

@GromNaN
Copy link
Member Author

GromNaN commented Dec 20, 2024

GitHub Codespaces port-forwarding proxy as a specific behavior regarding the Origin header.
If the Origin header is set, and its value matches the request URL, then it is replaced by the local server protocol, host and port (http://localhost:8000).

I made this basic page for testing:

<form method="POST"><input type=submit></form>
<pre><?php print_r($_SERVER); ?></pre>

And running in Codespaces:

php -S 127.0.0.1:8003 index.php

Making the port forwarding public for testing easily with curl.

Testing with the correct Origin

curl -X POST https://orange-space-palm-tree-rwp96p7p7f57j9-8003.app.github.dev/ -H "Origin: https://orange-space-palm-tree-rwp96p7p7f57j9-8003.app.github.dev" -s|grep HTTP_ORIGIN

    [HTTP_ORIGIN] => http://localhost:8003

Testing with an other Origin

curl -X POST https://orange-space-palm-tree-rwp96p7p7f57j9-8003.app.github.dev/ -H "Origin: http://example.com" -s|grep HTTP_ORIGIN

    [HTTP_ORIGIN] => http://example.com

If I set the Origin with http instead or https, it's also transformed (but the browser will never produce that since http requests are redirected to https by the proxy).

curl -X POST https://orange-space-palm-tree-rwp96p7p7f57j9-8003.app.github.dev/ -H "Origin: https://orange-space-palm-tree-rwp96p7p7f57j9-8003.app.github.dev" -s|grep HTTP_ORIGIN

    [HTTP_ORIGIN] => http://localhost:8003

Rails and Django have the same issue and the solution is to skip CSRF protection 😕 or configure a trusted origin.

I think we should add an option to "trust the proxy" for the Origin header and assume <SERVER_NAME>:<SERVER_PORT> is a valid value for the Origin header in SameOriginCsrfTokenManager

GromNaN added a commit to symfony/symfony that referenced this issue Dec 22, 2024
…in" (nicolas-grekas)

This PR was merged into the 7.2 branch.

Discussion
----------

[Security/Csrf] Trust "Referer" at the same level as "Origin"

| Q             | A
| ------------- | ---
| Branch?       | 7.2
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Issues        | symfony/demo#1542
| License       | MIT

As hinted by `@GromNaN` in symfony/demo#1542 (comment), there are proxies that mess up with the `Origin` header, but forward a valid `Referer` header. Since both headers have the same level of trust, I'm proposing to trust them both equally. At the moment, `Origin` overrides `Referer`. With this PR, we check both and accept if just `Referer` matches.

Commits
-------

6cd974b [Security/Csrf] Trust "Referer" at the same level as "Origin"
@GromNaN GromNaN removed the help wanted Issues and PRs which are looking for volunteers to complete them. label Dec 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants