* openbmc REST API has too permissive CORS policy
From: Nishanth S @ 2020-01-23  1:50 UTC (permalink / raw)
  To: openbmc


Hi All,

The BMC REST API effectively allows cross-origin requests from any
domain to almost all URLs. If a user accesses the API from a browser, then
any other malicious website visited in that browser will be able to access
the REST API without the user's knowledge.

At line 1329 of rest_dbus.py [1], if the request contains an Origin header,
the REST server adds that origin to the "Access-Control-Allow-Origin" of the
response:

    def process_origin():
        origin = request.headers.get('Origin')
        if origin:
            response.add_header('Access-Control-Allow-Origin', origin)
            response.add_header('Access-Control-Allow-Credentials', 'true')

Browsers use the Access-Control-Allow-Origin header to determine which
other origins are allowed to send cross-origin requests to the REST API.
This effectively allows all origins to send cross-origin requests. This
header is applied to all property and method accesses through the API.

    What is the significance of this?

Thank you,
Nishanth


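To make the reported behaviour concrete, here is an added example (not code from phosphor-rest-server or BMCWeb) that places the origin-reflecting logic quoted above beside an allow-list based replacement; request and response headers are modelled as plain dicts so it runs without bottle, and the trusted origins and sample sites are constructed values.

```python
# Added example: origin reflection (as in the quoted rest_dbus.py snippet)
# next to an allow-list check. Headers are plain dicts, not bottle objects.
from typing import Dict, Optional, Set

# Constructed allow-list: the origins the BMC's own web UI is served from.
TRUSTED_ORIGINS: Set[str] = {"https://bmc.example.com", "https://10.0.0.5"}


def process_origin_reflecting(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Mirrors the quoted logic: whatever Origin the browser sends is echoed
    back together with Allow-Credentials: true, so any site the user visits
    can make credentialed cross-origin calls and read the responses."""
    response: Dict[str, str] = {}
    origin = request_headers.get("Origin")
    if origin:
        response["Access-Control-Allow-Origin"] = origin
        response["Access-Control-Allow-Credentials"] = "true"
    return response


def process_origin_allowlisted(request_headers: Dict[str, str],
                               trusted: Set[str] = TRUSTED_ORIGINS) -> Dict[str, str]:
    """Hardened variant: emit CORS headers only for an exact, case-sensitive
    match against the allow-list. Anything else (an unknown origin, a
    look-alike with a trusted prefix, the literal 'null' origin, or no Origin
    at all) gets no CORS headers, so the browser's same-origin policy keeps
    the response unreadable to the other site."""
    response: Dict[str, str] = {}
    origin: Optional[str] = request_headers.get("Origin")
    if origin is not None and origin in trusted:
        response["Access-Control-Allow-Origin"] = origin
        response["Access-Control-Allow-Credentials"] = "true"
        # The response now depends on Origin, so shared caches must key on it.
        response["Vary"] = "Origin"
    return response


def allows_credentialed_read(response: Dict[str, str], origin: str) -> bool:
    """Browser-side decision for a credentialed request: the body is readable
    only if ACAO names this exact origin and credentials are allowed
    (browsers reject a '*' wildcard when credentials are included)."""
    return (response.get("Access-Control-Allow-Origin") == origin
            and response.get("Access-Control-Allow-Credentials") == "true")


if __name__ == "__main__":
    for origin in ("https://bmc.example.com", "https://other-site.example", "null"):
        req = {"Origin": origin}
        print(origin,
              "reflecting:", allows_credentialed_read(process_origin_reflecting(req), origin),
              "allow-listed:", allows_credentialed_read(process_origin_allowlisted(req), origin))
```

The reflecting version reports True for every origin, the allow-listed version only for the BMC's own origin.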

* Re: openbmc REST API has too permissive CORS policy
From: Joseph Reynolds @ 2020-01-23 17:42 UTC (permalink / raw)
  To: Nishanth S, openbmc

On 1/22/20 7:50 PM, Nishanth S wrote:
> Hi All,
>
>      The BMC REST API effectively allows cross-origin requests from 
> any domain to almost all URLs. If a user accesses the API from a 
> browser, then any other malicious website visited in that browser will 
> be able to access the REST API without the user's knowledge.
>
> At line 1329 of rest_dbus.py [1], if the request contains an Origin
> header, the REST server adds that origin to the
> "Access-Control-Allow-Origin" of the response:
>
>     def process_origin():
>         origin = request.headers.get('Origin')
>         if origin:
>             response.add_header('Access-Control-Allow-Origin', origin)
>             response.add_header('Access-Control-Allow-Credentials', 'true')
>
> Browsers use the Access-Control-Allow-Origin header to determine which
> other origins are allowed to send cross-origin requests to the REST
> API. This effectively allows all origins to send cross-origin requests.
> This header is applied to all property and method accesses through the
> API.
>
>     What is the significance of this?

Thanks for your email!  You are referring to the older web server.  You 
included a reference ("[1]") but I didn't see a link.  I assume:
https://github.com/openbmc/phosphor-rest-server/blob/bec10c202e2484fd36070ae4be26ddc2bd7267d1/module/obmc/wsgi/apps/rest_dbus.py#L1220

The OpenBMC project has moved to BMCWeb (https://github.com/openbmc/bmcweb).
BMCWeb uses OWASP recommendations for HTTP request and response 
headers.  See: 
https://github.com/openbmc/bmcweb/blob/master/include/security_headers_middleware.hpp

In particular, the default BMCWeb Content-Security-Policy includes 
default-src 'none', so CORS is not allowed.  You can build BMCWeb with 
BMCWEB_INSECURE_DISABLE_XSS_PREVENTION if you want to host your BMC's 
website off of the BMC (as some folks do for testing) or perform CORS in 
your secure environment.  For other uses, you're free to change the 
headers in your downstream implementation or discuss in the mailing list.

If you are using the old REST server, I would encourage you to move up 
to BMCWeb.  I am not aware of any maintenance on the phosphor rest server.

- Joseph

