openbmc REST API has too permissive CORS policy
Joseph Reynolds
jrey at linux.ibm.com
Fri Jan 24 04:42:47 AEDT 2020
On 1/22/20 7:50 PM, Nishanth S wrote:
> Hi All,
>
> The BMC REST API effectively allows cross-origin requests from
> any domain to almost all URLs. If a user accesses the API from a
> browser, then any other malicious website visited in that browser will
> be able to access the REST API without the user's knowledge.
>
> At line 1329 of rest_dbus.py [1], if the request contains an Origin header,
> the REST server adds that origin to the "Access-Control-Allow-Origin" of the
> response:
>
> from bottle import request, response  # rest_dbus.py is built on Bottle
>
> def process_origin():
>     origin = request.headers.get('Origin')
>     if origin:
>         # whatever Origin the client sent is echoed back, with credentials allowed
>         response.add_header('Access-Control-Allow-Origin', origin)
>         response.add_header('Access-Control-Allow-Credentials', 'true')
>
> Browsers use the Access-Control-Allow-Origin header to determine which
> other origins are allowed to send cross-origin requests to the REST API.
> This effectively allows all origins to send cross-origin requests. This
> header is applied to all property and method accesses through the API.
>
> What is the significance of this?
Thanks for your email! You are referring to the older web server. You
included a reference ("[1]") but I didn't see a link. I assume:
https://github.com/openbmc/phosphor-rest-server/blob/bec10c202e2484fd36070ae4be26ddc2bd7267d1/module/obmc/wsgi/apps/rest_dbus.py#L1220
The OpenBMC project has moved to BMCWeb (https://github.com/openbmc/bmcweb).
BMCWeb uses OWASP recommendations for HTTP request and response
headers. See:
https://github.com/openbmc/bmcweb/blob/master/include/security_headers_middleware.hpp
In particular, the default BMCWeb Content-Security-Policy includes
default-src 'none', so CORS is not allowed. You can build BMCWeb with
BMCWEB_INSECURE_DISABLE_XSS_PREVENTION if you want to host your BMC's
website off of the BMC (as some folks do for testing) or perform CORS in
your secure environment. For other uses, you're free to change the
headers in your downstream implementation or discuss in the mailing list.
If you are using the old REST server, I would encourage you to move up
to BMCWeb. I am not aware of any maintenance on the phosphor rest server.
- Joseph
>
> Thank you,
> Nishanth
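The CORS behaviour discussed in this thread, as an added example that is not code from phosphor-rest-server or BMCWeb: the Origin-reflecting logic the report quotes is modelled without the Bottle framework so it runs stand-alone, beside an allowlist-based variant and a checker that flags a response granting credentialed cross-origin access to an origin outside the allowlist. The allowlist entry and the third-party origin are constructed values.

```python
from typing import Dict, Iterable, Optional

# Constructed allowlist with a hypothetical BMC web-UI origin (not from the thread).
ALLOWED_ORIGINS = frozenset({"https://bmc.example.internal"})


def reflect_origin_headers(origin: Optional[str]) -> Dict[str, str]:
    """Model of the process_origin() logic quoted in the report: any Origin
    is echoed back and credentials are allowed, so every origin is trusted."""
    headers: Dict[str, str] = {}
    if origin:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def allowlisted_origin_headers(origin: Optional[str],
                               allowed: Iterable[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Hardened variant: only an exact-match allowlisted origin is echoed,
    and Vary: Origin keeps shared caches from serving one origin's grant
    to another."""
    headers: Dict[str, str] = {}
    if origin and origin in set(allowed):
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
        headers["Vary"] = "Origin"
    return headers


def cors_is_permissive(request_origin: str, response_headers: Dict[str, str],
                       allowed: Iterable[str] = ALLOWED_ORIGINS) -> bool:
    """Audit check for a captured request/response pair: True when the
    response grants credentialed access to a non-allowlisted origin."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None or not creds:
        return False
    # A wildcard with credentials is always a misconfiguration worth flagging.
    return acao == "*" or (acao == request_origin and acao not in set(allowed))


if __name__ == "__main__":
    third_party = "https://third-party.example"  # constructed, not a real site
    print("reflecting handler permissive:",
          cors_is_permissive(third_party, reflect_origin_headers(third_party)))
    print("allowlisted handler permissive:",
          cors_is_permissive(third_party, allowlisted_origin_headers(third_party)))
```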