openbmc REST API has too permissive CORS policy

Joseph Reynolds jrey at linux.ibm.com
Fri Jan 24 04:42:47 AEDT 2020


On 1/22/20 7:50 PM, Nishanth S wrote:
> Hi All,
>
>      The BMC REST API effectively allows cross-origin requests from 
> any domain to almost all URLs. If a user accesses the API from a 
> browser, then any other malicious website visited in that browser will 
> be able to access the REST API without the user's knowledge.
>
> At line 1329 of rest_dbus.py [1], if the request contains an Origin 
> header, the
> REST server adds that origin to the "Access-Control-Allow-Origin" of the
> response:
>
>     def process_origin():
>         origin = request.headers.get('Origin')
>         if origin:
>             response.add_header('Access-Control-Allow-Origin', origin)
>             response.add_header('Access-Control-Allow-Credentials', 'true')
>
> Browsers use the Access-Control-Allow-Origin header to determine which 
> other origins are allowed to send cross-origin requests to the REST 
> API. This
> effectively allows all origins to send cross-origin requests. This 
> header is
> applied to all property and method accesses through the API.
>
>     What is the significance of this?

Thanks for your email!  You are referring to the older web server.  You 
included a reference ("[1]") but I didn't see a link.  I assume:
https://github.com/openbmc/phosphor-rest-server/blob/bec10c202e2484fd36070ae4be26ddc2bd7267d1/module/obmc/wsgi/apps/rest_dbus.py#L1220

The OpenBMC project has moved to BMCWeb (https://github.com/openbmc/bmcweb).
BMCWeb uses OWASP recommendations for HTTP request and response 
headers.  See: 
https://github.com/openbmc/bmcweb/blob/master/include/security_headers_middleware.hpp

In particular, the default BMCWeb Content-Security-Policy includes 
default-src 'none', so CORS is not allowed.  You can build BMCWeb with 
BMCWEB_INSECURE_DISABLE_XSS_PREVENTION if you want to host your BMC's 
website off of the BMC (as some folks do for testing) or perform CORS in 
your secure environment.  For other uses, you're free to change the 
headers in your downstream implementation or discuss in the mailing list.

If you are using the old REST server, I would encourage you to move up 
to BMCWeb.  I am not aware of any maintenance on the phosphor rest server.

- Joseph

>
> Thank you,
> Nishanth
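The following is an added example written for this archive page; it is not code from phosphor-rest-server, BMCWeb or either poster. It models the quoted process_origin() logic (reflect any Origin and set Access-Control-Allow-Credentials: true) next to an allowlist version, and includes a small approximation of the browser-side check so you can see why the reflected form lets an arbitrary site read authenticated API responses. The allowlist entry, the request dictionaries and the attacker origin are constructed for the demonstration. One practitioner's caveat: the headers the browser consults for the cross-origin read described above are the Access-Control-Allow-Origin and Access-Control-Allow-Credentials values on the BMC's responses; a Content-Security-Policy on those responses governs what the BMC's own pages may load, not which other origins may send requests, so CSRF defences and a strict CORS allowlist are still the relevant controls.

```python
"""Reflected-Origin CORS versus an origin allowlist.

Added example for the openbmc list discussion above; not project code.
The request is a plain dict of headers and each function returns the
CORS headers a server would emit, so this runs stand-alone.
"""
from urllib.parse import urlsplit

# Hypothetical allowlist of origins permitted to call the API with
# credentials (cookies / session).  A real deployment would load this
# from configuration rather than hard-code it.
ALLOWED_ORIGINS = frozenset({"https://bmc.example.internal"})


def vulnerable_cors_headers(request_headers):
    """Reproduces the quoted process_origin() behaviour: whatever Origin
    the browser sent is echoed back and credentials are allowed, so the
    browser will let *any* site read authenticated responses."""
    origin = request_headers.get("Origin")
    if not origin:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def _is_allowed_origin(origin):
    """True only if `origin` is a well-formed scheme://host[:port] value,
    already in canonical form, and present in ALLOWED_ORIGINS.
    Rejects 'null', values with a path/query/fragment, and anything that
    merely contains an allowed host (e.g. userinfo tricks)."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if parts.path or parts.query or parts.fragment:
        return False
    canonical = f"{parts.scheme}://{parts.netloc.lower()}"
    # Fail closed on non-canonical spellings rather than normalising them.
    return canonical == origin and canonical in ALLOWED_ORIGINS


def safe_cors_headers(request_headers):
    """Allowlist-based CORS: emit CORS headers only for an exactly
    matching allowed origin; otherwise emit none, which makes the
    browser block the cross-origin read."""
    origin = request_headers.get("Origin")
    if not origin or not _is_allowed_origin(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # The answer depends on Origin; say so, or a shared cache could
        # hand one origin's allowed response to another.
        "Vary": "Origin",
    }


def browser_permits_credentialed_read(origin, response_headers):
    """Approximates the browser's CORS check for a credentialed request:
    the response must name this exact origin (a wildcard is refused when
    credentials are involved) and must allow credentials."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    acac = response_headers.get("Access-Control-Allow-Credentials")
    return acao == origin and acao != "*" and acac == "true"


if __name__ == "__main__":
    # Constructed requests: one from an attacker's page, one from the
    # allowed UI origin.
    attacker = {"Origin": "https://attacker.example"}
    legit = {"Origin": "https://bmc.example.internal"}
    for label, fn in (("vulnerable", vulnerable_cors_headers),
                      ("allowlist", safe_cors_headers)):
        for req in (attacker, legit):
            ok = browser_permits_credentialed_read(req["Origin"], fn(req))
            print(f"{label:10s} {req['Origin']:30s} read allowed: {ok}")
```

Running it shows the reflected form granting the attacker origin a credentialed read while the allowlist form grants it only to the configured UI origin; a trailing slash, mixed case, a `null` origin or an `allowed-host@attacker` netloc all fail closed.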