Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change the key from a query paramter to a HEADER #328

Merged
merged 1 commit into from
Mar 3, 2024
Merged

Change the key from a query paramter to a HEADER #328

merged 1 commit into from
Mar 3, 2024

Conversation

misilot
Copy link
Contributor

@misilot misilot commented Aug 11, 2023

Instead of having the Key being a query parameter in the url (which can shows up in webserver access logs), move it to the header.

https://www.redmine.org/projects/redmine/wiki/Rest_api#Authentication

@maxtepkeev
Copy link
Owner

Thanks for the PR, but I don't see the real benefit to be honest, because normally a Redmine and webserver are on the same server, meaning under the control of the same admin, if we imagine that the server is hacked and the attacker gained control on the server, then, probably yes, but having a key in the logs will be the least serious problem of the server admin in this case.

What bothers me more is that with this change we can break lots of Redmine servers that are behind the webserver like nginx and others, because in most cases those customs headers are required to be in the web server configuration files to be proxied to Redmine.

And the reason I went with the key and not the header in the first place, was because a header was only introduced in Redmine 1.1.0.

Thoughts ?

@ricardobranco777
Copy link

Thoughts ?

I opened #330 because the API key may leak in publicly available CI's like Github Actions, etc. when logging exceptions. At least we should mitigate this even if there's a workaround.

@misilot
Copy link
Contributor Author

misilot commented Sep 19, 2023

Would adding this behind a feature flag be an acceptable change? If you were to make it the default, I think a v3.0.0 of the library would make sense as it could be a breaking change for systems that do not pass the header. Though, we run redmine behind Apache and I have other webservices using the HEADER without having to do anything special to pass the header to the backend.

@ricardobranco777
Copy link

ricardobranco777 commented Sep 20, 2023
edited
Loading

I ended up using this workaround thanks to this PR:

client = Redmine(url=url, raise_attr_exception=False, **creds)
key = client.engine.requests['params'].get('key')
if key is not None:
    client.engine.requests['headers']['X-Redmine-API-Key'] = key
    del client.engine.requests['params']['key']

Our server is also behind Apache and no issues.

@ricardobranco777
Copy link

ricardobranco777 commented Sep 26, 2023
edited
Loading

Patch included in openSUSE's python3-redmine:

https://build.opensuse.org/package/view_file/devel:languages:python/python-python-redmine/328.patch?expand=1

bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this pull request Oct 2, 2023
@bmwiedemann
Update python-python-redmine to version 2.4.0 / rev 7 via SR 1114261
da243f4 
https://build.opensuse.org/request/show/1114261
by user dirkmueller + anag+factory
- Add 328.patch to workaround "API key leakage on exception"
  described in boo#1215722
  maxtepkeev/python-redmine#330
  maxtepkeev/python-redmine#328
@maxtepkeev maxtepkeev self-requested a review March 3, 2024 10:05
@maxtepkeev maxtepkeev self-assigned this Mar 3, 2024
@maxtepkeev maxtepkeev assigned misilot and unassigned maxtepkeev Mar 3, 2024
@maxtepkeev
Copy link
Owner

After investigating this a bit more I found out that nginx (which I was worried about as Apache does the header forwarding by default) also has the header forwarding turned on by default for quite a while (proxy_pass_request_headers setting) so we should be pretty safe introducing this change as is without breaking backwards compatibility for most of the setups.

Sorry about the delay.

@maxtepkeev maxtepkeev merged commit c656cd9 into maxtepkeev:master Mar 3, 2024
@maxtepkeev maxtepkeev mentioned this pull request Mar 3, 2024
Closed
@ricardobranco777
Copy link

Thank you! Will you make a new release?

@maxtepkeev
Copy link
Owner

@ricardobranco777 Absolutely, I just wanted to check a few things here and there first, but will surely do a release this month.

maxtepkeev added a commit that referenced this pull request Mar 3, 2024
@maxtepkeev
changelog and tests for issue #328
79ef42b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maxtepkeev maxtepkeev maxtepkeev approved these changes

Assignees

@misilot misilot

Labels
improvement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@misilot @maxtepkeev @ricardobranco777