v1.14.0-RC2
ptaoussanis committed Jan 12, 2019
1 parent f2121e2 commit d29165b
Showing 4 changed files with 52 additions and 5 deletions.
47 changes: 47 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,52 @@
> This project uses [Break Versioning](https://github.com/ptaoussanis/encore/blob/master/BREAK-VERSIONING.md) as of **Aug 16, 2014**.
## v1.14.0-RC2 - 2019 Jan 12

```clojure
[com.taoensso/sente "1.14.0-RC2"]
```

> This is a **CRITICAL** bugfix release, please upgrade ASAP
* [#137] **SECURITY FIX, BREAKING**: fix badly broken CSRF protection (@danielcompton, @awkay, @eerohele), more info below

> My sincere apologies for this mistake. Please write if I can provide more details or any other assistance. Further testing/auditing/input very much welcome! - @ptaoussanis
### Security bug details

- All previous versions of Sente (< v1.14.0) contain a critical security design bug identified and reported by @danielcompton, @awkay, @eerohele. (Thank you to them for the report!).
- **Bug**: Previous versions of Sente were leaking the server-side CSRF token to the client during the (unauthenticated) WebSocket handshake process.
- **Impact**: An attacker could initiate a WebSocket handshake against the Sente server to discover a logged-in user's CSRF token. With the token, the attacker could then issue cross-site requests against Sente's endpoints. Worse, since Sente often shares a CSRF token with the rest of the web server, it may be possible for an attacker to issue **cross-site requests against the rest of the web server** (not just Sente's endpoints).

### Security fix details

- The fix [commit](https://github.com/ptaoussanis/sente/commit/ae3afd5cf92591c9f756c3177142bee7cccb8b6b) stops the CSRF token leak, introducing a **BREAKING API CHANGE** (details below).
- Sente will now (by default) refuse to service any requests unless a CSRF token is detected (e.g. via `ring-anti-forgery`).

### Breaking changes

#### `make-channel-socket-client!` now takes an extra mandatory argment

It now takes an explicit `csrf-token` that you must provide. The value for the token can be manually extracted from the page HTML ([example](https://github.com/ptaoussanis/sente/blob/548af55c5eb13a53e451b5214f58ecd45f20b0a5/example-project/src/example/client.cljs#L33)).

In most cases the change will involve three steps:

1. You need to include the server's CSRF token somewhere in your page HTML: [example](https://github.com/ptaoussanis/sente/blob/548af55c5eb13a53e451b5214f58ecd45f20b0a5/example-project/src/example/server.clj#L69).
2. You need to extract the CSRF token from your page HTML: [example](https://github.com/ptaoussanis/sente/blob/548af55c5eb13a53e451b5214f58ecd45f20b0a5/example-project/src/example/client.cljs#L33).
3. You'll then use the extracted CSRF token as an argument when calling `make-channel-socket-client!`: [example](https://github.com/ptaoussanis/sente/blob/548af55c5eb13a53e451b5214f58ecd45f20b0a5/example-project/src/example/client.cljs#L52).

#### Client-side `:chsk/handshake` event has changed

It now always has `nil` where it once provided the csrf-token provided by the server.

```
I.e. before: [:chsk/handshake [<?uid> <csrf-token> <?handshake-data> <first-handshake?>]]
after: [:chsk/handshake [<?uid> nil <?handshake-data> <first-handshake?>]]
```

Most users won't be affected by this change.


## v1.13.1 - 2018 Aug 22

```clojure
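Review bot: under "Security fix details", the line "Sente will now (by default) refuse to service any requests unless a CSRF token is detected (e.g. via `ring-anti-forgery`)" does not name the option that controls that default or say what a deployment that does not run `ring-anti-forgery` must do to keep working; a one-line pointer to the relevant option, or to the fix commit's docstring, would let upgraders plan the change instead of discovering it at runtime. Two smaller points in the same hunk: the heading "now takes an extra mandatory argment" has a typo ("argument"), and the before/after `:chsk/handshake` block is fenced with no language tag while every other fence in this file uses ```clojure, with the "I.e. before:" prefix sitting inside the fence where it reads as code.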
4 changes: 2 additions & 2 deletions README.md
@@ -4,7 +4,7 @@
**[CHANGELOG]** | [API] | current [Break Version]:

```clojure
[com.taoensso/sente "1.13.1"] ; See CHANGELOG for details
[com.taoensso/sente "1.14.0-RC2"] ; NB Critical security update, see CHANGELOG for details
```

[![Dependencies Status](https://versions.deps.co/ptaoussanis/sente/status.svg)](https://versions.deps.co/ptaoussanis/sente)
@@ -61,7 +61,7 @@ So you can ignore the underlying protocol and deal directly with Sente's unified
Add the necessary dependency to your project:

```clojure
[com.taoensso/sente "1.13.1"]
[com.taoensso/sente "1.14.0-RC2"]
```

### On the server (Clojure) side
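Review bot: the coordinate in this "Add the necessary dependency to your project" block, `[com.taoensso/sente "1.14.0-RC2"]`, carries none of the "NB Critical security update, see CHANGELOG for details" note that the header block earlier in this file gained; readers who copy only this line get no hint that the upgrade is security-motivated and breaking, so repeat the comment here.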
4 changes: 2 additions & 2 deletions example-project/project.clj
@@ -1,4 +1,4 @@
(defproject com.taoensso.examples/sente "1.14.0-SNAPSHOT"
(defproject com.taoensso.examples/sente "1.14.0-RC1"
:description "Sente, reference web-app example project"
:url "https://github.com/ptaoussanis/sente"
:license {:name "Eclipse Public License"
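Review bot: the example project's own version is bumped to `"1.14.0-RC1"` in a commit tagged v1.14.0-RC2, whereas the top-level project.clj in this same commit goes to `"1.14.0-RC2"`; the example's version string should track the release actually being cut.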
@@ -15,7 +15,7 @@
[org.clojure/core.async "0.4.490"]
[org.clojure/tools.nrepl "0.2.13"] ; Optional, for Cider

[com.taoensso/sente "1.14.0-SNAPSHOT"] ; <--- Sente
[com.taoensso/sente "1.14.0-RC1"] ; <--- Sente
[com.taoensso/timbre "4.10.0"]

;;; TODO Choose (uncomment) a supported web server -----------------------
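Review bot: the `[com.taoensso/sente "1.14.0-RC1"]` dependency pins the example project to RC1 rather than the RC2 that this commit releases and that the README and CHANGELOG tell users to adopt; since the CHANGELOG's own upgrade steps link into this example project for the new mandatory `csrf-token` argument, the example should depend on `"1.14.0-RC2"` so that anyone running it builds against the same artifact the release notes describe.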
2 changes: 1 addition & 1 deletion project.clj
@@ -1,4 +1,4 @@
(defproject com.taoensso/sente "1.14.0-SNAPSHOT"
(defproject com.taoensso/sente "1.14.0-RC2"
:author "Peter Taoussanis <https://www.taoensso.com>"
:description "Realtime web comms for Clojure/Script"
:url "https://github.com/ptaoussanis/sente"