Proposal to make webui-vue the standard

Ed Tanous ed at tanous.net
Tue Sep 22 03:38:37 AEST 2020


On Mon, Sep 21, 2020 at 10:29 AM Derick Montague
<Derick.Montague at ibm.com> wrote:
>
> >> resulting in a decrease of development activity on phosphor-webui over the past six months.
>
>  > Ironically, you sent this out on the same day Vue 3.0 was announced;
>  > It looks like the next 2.X Vue release goes to 18 month support.
>  > Hopefully Vue 2.0->3.0 porting isn't the same thing as Angular 1.X ->
>  > 2.X.
>
> It will not require a complete rewrite. Google abandoned AngularJS and Angular was a complete rewrite,
> which is one reason they renamed the framework from Angular to AngularJS. We can start planning for it
> now, but many of the supporting libraries are still in beta with a plan of being released by the end of
> 2020.

That's good to hear that's the case.  I'm in no way saying we should
go to Vue 3.0 today, just chuckling at the state of the Javascript
frameworks as a whole.

>
> >> Loading webui-vue from the BMC causes content-security-policy errors (#32)
>
>  > This is important, and having the UI load without errors or warnings
>  > speaks to the quality of the UI as a whole, and also allows finding
>  > regressions much easier.  Looking forward to when this lands.
>
> Agreed. I am researching this now.

Sweet.

>
> >> The last 2 identified issues, we are looking for community help but might take these up ourselves one day:
> >>
> >> Mutual TLS (#30)
>
>  > This is used, and I think important overall for the security posture
>  > of OpenBMC.  I would like to avoid regressing the default security of
>  > OpenBMC in this regard.
>
> Agreed, we will be adding the IsAuthenticated cookie check.
>
> >> CSRF allow list (#29)
>
>  > Do you think the person that checked in the code around the security
>  > bug could take a look at it?  It looks like Derick wrote the commit
>  > that needs fixed.
>  > https://github.com/openbmc/webui-vue/commit/e080a1a7593e83a49d623ffdd452fd0e1c617889#diff-d33bbe646af7d8d45caaeb27b20b4813
>
> Yes, we are looking into this. I am still not quite clear what the CSRF "allowlist"
> is. Can you point me in the right direction in phosphor-webui?
>

phosphor-webui just used the stock angularjs XSRF handling.  I'm
really surprised there isn't a similar module for Vue.

The short version is, you can't expose the CSRF key to any server that
isn't the BMC.  That would be a leak of private information, and while
not fatal (as you're still protected by the session key) could be
chained to implement a CSRF attack.

The important lines of code that you need to implement are:
https://github.com/angular/angular.js/blob/6706353a71e3c11c56c0b19be03600dac57aafe1/src/ng/http.js#L429
and
https://github.com/angular/angular.js/blob/6706353a71e3c11c56c0b19be03600dac57aafe1/src/ng/http.js#L1410
and
https://github.com/angular/angular.js/blob/b4e409bf6cd81307f57e51f2f1281b05ceb6cbf2/src/ng/urlUtils.js#L136

It should be noted, because we don't expect the bmc to be doing any
cross site scripting, you can simply implement the check against the
current origin, and don't need to maintain a list anywhere like
Angular does.
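The same-origin check described above, written out as an added example in plain JavaScript (this is not code from the thread, from phosphor-webui, or from webui-vue). It mirrors what AngularJS's $http does: read the XSRF cookie and echo it back in a request header, but only when the request resolves to the page's own origin, so the token is never sent to a foreign host. The cookie and header names (XSRF-TOKEN / X-XSRF-TOKEN, the AngularJS defaults), the function names, and the hostnames in the comments are assumptions for illustration.

```javascript
// Added example, not from the original thread or the webui-vue project.
// Assumed names: the BMC sets an "XSRF-TOKEN" cookie (AngularJS default)
// and expects it echoed back in an "X-XSRF-TOKEN" header.
const XSRF_COOKIE = "XSRF-TOKEN";
const XSRF_HEADER = "X-XSRF-TOKEN";

// Resolve a (possibly relative) request URL against the current page origin
// and report whether it stays on that origin. Relative URLs such as
// "/redfish/v1/Systems" always resolve to the current origin; absolute URLs
// must match scheme, host and port exactly (default ports are normalised by
// the URL parser, so "https://host:443/x" matches "https://host").
function isSameOrigin(requestUrl, currentOrigin) {
  let target;
  try {
    target = new URL(requestUrl, currentOrigin);
  } catch (e) {
    return false; // unparseable URL: treat as foreign, never leak the token
  }
  return target.origin === new URL(currentOrigin).origin;
}

// Read one cookie value from a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// Build the headers for an outgoing request. The XSRF token is attached
// only when the request is same-origin; for anything else the headers are
// passed through untouched.
function buildHeaders(requestUrl, currentOrigin, cookieString, extraHeaders = {}) {
  const headers = { ...extraHeaders };
  const token = readCookie(cookieString, XSRF_COOKIE);
  if (token && isSameOrigin(requestUrl, currentOrigin)) {
    headers[XSRF_HEADER] = token;
  }
  return headers;
}

// Shape of an HTTP-client request interceptor (hypothetical; takes and
// returns a {url, headers} config object like axios does).
function xsrfInterceptor(config, currentOrigin, cookieString) {
  return {
    ...config,
    headers: buildHeaders(config.url, currentOrigin, cookieString, config.headers || {}),
  };
}
```

In a browser the two extra arguments come from window.location.origin and document.cookie; they are parameters here so the logic can be exercised without a DOM. Because the BMC UI only ever talks to the BMC that served it, this single origin comparison replaces the per-host allowlist AngularJS keeps.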
