
csrf protection in job_agent #47710

Open
wants to merge 19 commits into base: master

Conversation

richo-anyscale
Contributor

r? @alanwguo

Why are these changes needed?

Prevent confused deputy attacks on the job_agent

Checks

  • I've signed off every commit (by using the -s flag, i.e., git commit -s) in this PR.
  • I've run scripts/format.sh to lint the changes in this PR.
  • I've included any doc changes needed for https://docs.ray.io/en/master/.
    • I've added any new APIs to the API Reference. For example, if I added a
      method in Tune, I've added it in doc/source/tune/api/ under the
      corresponding .rst file.
  • I've made sure the tests are passing. Note that there might be a few flaky tests, see the recent failures at https://flakey-tests.ray.io/
  • Testing Strategy
    • Unit tests
    • Release tests
    • This PR is not tested :(

(Working on the checks!)

Comment on lines 271 to 274

    return Response(
        text="Method not allowed",
        status=aiohttp.web.HTTPNotAllowed.status_code,
    )
Contributor

Should we tell people that browser requests are not supported? Or do we purposely not expose this detail?

Contributor Author

I don't think there's meaningful value to hiding it, although you are so far from a supported path if you wind up there. I can adjust the message.
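The PR description names the goal (stop a confused-deputy attack, i.e. a page on another site driving a victim's browser at the job agent) and the review exchange above concerns the branch that refuses browser requests. The following is an added example of the request-origin checks such a defence rests on; it is not Ray's code, does not mirror the job_agent change in this PR, and is written framework-agnostic so it runs without aiohttp. It assumes an agent that serves non-browser clients (CLI/SDK style HTTP calls) plus, optionally, a same-origin dashboard whose origins are supplied as `allowed_origins`. The names `check_request`, `Decision`, `run_samples` and the sample headers are this example's own, not the project's.

```python
"""Request-origin checks for an HTTP API that browsers are not meant to call.

Added example for this PR discussion. It is NOT Ray's code and does not mirror
the job_agent change under review; the function, class and header names below
are this example's own choices. Assumed design: the agent serves non-browser
clients (CLI/SDK style calls) and, optionally, a same-origin dashboard whose
origins are passed in as `allowed_origins`.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Mapping, Optional, Tuple

# Methods assumed to be read-only. A state-changing GET handler would still be
# reachable from an <img> or <a> tag on another site and is out of scope here.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
JSON_MEDIA_TYPE = "application/json"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    status: int   # HTTP status the agent would answer with
    reason: str


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup over a plain dict."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def _media_type(content_type: Optional[str]) -> str:
    """'application/json; charset=utf-8' -> 'application/json'."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def check_request(method: str, headers: Mapping[str, str],
                  allowed_origins: Iterable[str] = ()) -> Decision:
    """Decide whether a request may reach the handler.

    Three layers, none of which a page on another site can forge:
      1. Fetch Metadata: current browsers stamp Sec-Fetch-Site on every
         request; any value other than same-origin / none is cross-site.
      2. Origin: browsers without Fetch Metadata still send Origin on
         cross-origin POSTs ('null' from sandboxed or opaque contexts).
      3. State-changing methods must carry a JSON body. An HTML form can only
         submit form-urlencoded, multipart or text/plain, and fetch() with
         application/json triggers a CORS preflight; as long as the agent
         never answers preflights, the browser drops the request itself.
    """
    method = method.upper()
    trusted = set(allowed_origins)

    fetch_site = _header(headers, "Sec-Fetch-Site")
    if fetch_site is not None and fetch_site not in ("same-origin", "none"):
        return Decision(False, 403, f"cross-site browser request (Sec-Fetch-Site={fetch_site})")

    origin = _header(headers, "Origin")
    if origin is not None and origin not in trusted:
        return Decision(False, 403, f"untrusted Origin {origin!r}")

    if method not in SAFE_METHODS:
        media = _media_type(_header(headers, "Content-Type"))
        if media != JSON_MEDIA_TYPE:
            return Decision(False, 415, f"{method} requires {JSON_MEDIA_TYPE}, got {media or 'none'}")

    return Decision(True, 200, "ok")


# Constructed sample requests (method, headers); not captured traffic.
SAMPLES: Dict[str, Tuple[str, Dict[str, str]]] = {
    "cli_submit": ("POST", {"Content-Type": "application/json",
                            "User-Agent": "python-requests/2.31"}),
    "cross_site_form": ("POST", {"Origin": "https://attacker.example",
                                 "Sec-Fetch-Site": "cross-site",
                                 "Sec-Fetch-Mode": "navigate",
                                 "Content-Type": "application/x-www-form-urlencoded"}),
    "old_browser_form": ("POST", {"Origin": "https://attacker.example",
                                  "Content-Type": "text/plain"}),
    "same_origin_dashboard": ("POST", {"Origin": "http://127.0.0.1:8265",
                                       "Sec-Fetch-Site": "same-origin",
                                       "Content-Type": "application/json; charset=utf-8"}),
    "curl_form_post": ("POST", {"Content-Type": "application/x-www-form-urlencoded"}),
    "plain_get": ("GET", {}),
}


def run_samples(allowed_origins: Iterable[str] = ("http://127.0.0.1:8265",)) -> Dict[str, Decision]:
    """Evaluate every constructed sample; returns name -> Decision."""
    return {name: check_request(m, h, allowed_origins) for name, (m, h) in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        verdict = "ALLOW" if decision.allowed else f"REJECT {decision.status}"
        print(f"{name:22s} {verdict:11s} {decision.reason}")
```

In a real server this function would be called from a middleware before dispatch, turning a rejected `Decision` into the error response (the snippet under review answers 405; 403/415 here are this example's choice, the distinction being cosmetic as long as nothing sensitive is done before the check). Two caveats matter more than the status code: the third layer only holds if the agent never serves `Access-Control-Allow-*` headers on OPTIONS, since a permissive CORS policy would let a cross-site fetch() pass preflight and send JSON; and every GET/HEAD handler must really be read-only, because the scheme deliberately lets header-less GETs through.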

richo-anyscale
Contributor Author

@alanwguo could you have another look? The implementation wound up changing quite a bit.
