From d29165be586f63aa3e5ae6a2c7428c750076098d Mon Sep 17 00:00:00 2001 From: Peter Taoussanis Date: Sat, 12 Jan 2019 09:07:24 +0100 Subject: [PATCH] v1.14.0-RC2 --- CHANGELOG.md | 47 +++++++++++++++++++++++++++++++++++++ README.md | 4 ++-- example-project/project.clj | 4 ++-- project.clj | 2 +- 4 files changed, 52 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5e6b261..3a20cce 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,52 @@ > This project uses [Break Versioning](https://github.com/ptaoussanis/encore/blob/master/BREAK-VERSIONING.md) as of **Aug 16, 2014**. +## v1.14.0-RC2 - 2019 Jan 12 + +```clojure +[com.taoensso/sente "1.14.0-RC2"] +``` + +> This is a **CRITICAL** bugfix release, please upgrade ASAP + +* [#137] **SECURITY FIX, BREAKING**: fix badly broken CSRF protection (@danielcompton, @awkay, @eerohele), more info below + +> My sincere apologies for this mistake. Please write if I can provide more details or any other assistance. Further testing/auditing/input very much welcome! - @ptaoussanis + +### Security bug details + +- All previous versions of Sente (< v1.14.0) contain a critical security design bug identified and reported by @danielcompton, @awkay, @eerohele. (Thank you to them for the report!). +- **Bug**: Previous versions of Sente were leaking the server-side CSRF token to the client during the (unauthenticated) WebSocket handshake process. +- **Impact**: An attacker could initiate a WebSocket handshake against the Sente server to discover a logged-in user's CSRF token. With the token, the attacker could then issue cross-site requests against Sente's endpoints. Worse, since Sente often shares a CSRF token with the rest of the web server, it may be possible for an attacker to issue **cross-site requests against the rest of the web server** (not just Sente's endpoints). + +### Security fix details + +- The fix [commit](https://github.com/ptaoussanis/sente/commit/ae3afd5cf92591c9f756c3177142bee7cccb8b6b) stops the CSRF token leak, introducing a **BREAKING API CHANGE** (details below). +- Sente will now (by default) refuse to service any requests unless a CSRF token is detected (e.g. via `ring-anti-forgery`). + +### Breaking changes + +#### `make-channel-socket-client!` now takes an extra mandatory argment + +It now takes an explicit `csrf-token` that you must provide. 
The value for the token can be manually extracted from the page HTML ([example](https://github.com/ptaoussanis/sente/blob/548af55c5eb13a53e451b5214f58ecd45f20b0a5/example-project/src/example/client.cljs#L33)). + +In most cases the change will involve three steps: + +1. You need to include the server's CSRF token somewhere in your page HTML: [example](https://github.com/ptaoussanis/sente/blob/548af55c5eb13a53e451b5214f58ecd45f20b0a5/example-project/src/example/server.clj#L69). +2. You need to extract the CSRF token from your page HTML: [example](https://github.com/ptaoussanis/sente/blob/548af55c5eb13a53e451b5214f58ecd45f20b0a5/example-project/src/example/client.cljs#L33). +3. You'll then use the extracted CSRF token as an argument when calling `make-channel-socket-client!`: [example](https://github.com/ptaoussanis/sente/blob/548af55c5eb13a53e451b5214f58ecd45f20b0a5/example-project/src/example/client.cljs#L52). + +#### Client-side `:chsk/handshake` event has changed + +It now always has `nil` where it once provided the csrf-token provided by the server. + +``` + I.e. before: [:chsk/handshake [ ]] + after: [:chsk/handshake [ nil ]] +``` + +Most users won't be affected by this change. + + ## v1.13.1 - 2018 Aug 22 ```clojure diff --git a/README.md b/README.md index 7d8b3fa..435eecc 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ **[CHANGELOG]** | [API] | current [Break Version]: ```clojure -[com.taoensso/sente "1.13.1"] ; See CHANGELOG for details +[com.taoensso/sente "1.14.0-RC2"] ; NB Critical security update, see CHANGELOG for details ``` [![Dependencies Status](https://versions.deps.co/ptaoussanis/sente/status.svg)](https://versions.deps.co/ptaoussanis/sente) @@ -61,7 +61,7 @@ So you can ignore the underlying protocol and deal directly with Sente's unified Add the necessary dependency to your project: ```clojure -[com.taoensso/sente "1.13.1"] +[com.taoensso/sente "1.14.0-RC2"] ``` ### On the server (Clojure) side 
diff --git a/example-project/project.clj b/example-project/project.clj index 42766a5..6c29121 100644 --- a/example-project/project.clj +++ b/example-project/project.clj @@ -1,4 +1,4 @@ -(defproject com.taoensso.examples/sente "1.14.0-SNAPSHOT" +(defproject com.taoensso.examples/sente "1.14.0-RC1" :description "Sente, reference web-app example project" :url "https://github.com/ptaoussanis/sente" :license {:name "Eclipse Public License" @@ -15,7 +15,7 @@ [org.clojure/core.async "0.4.490"] [org.clojure/tools.nrepl "0.2.13"] ; Optional, for Cider - [com.taoensso/sente "1.14.0-SNAPSHOT"] ; <--- Sente + [com.taoensso/sente "1.14.0-RC1"] ; <--- Sente [com.taoensso/timbre "4.10.0"] ;;; TODO Choose (uncomment) a supported web server ----------------------- diff --git a/project.clj b/project.clj index 6f504f9..08fb72f 100644 --- a/project.clj +++ b/project.clj @@ -1,4 +1,4 @@ -(defproject com.taoensso/sente "1.14.0-SNAPSHOT" +(defproject com.taoensso/sente "1.14.0-RC2" :author "Peter Taoussanis " :description "Realtime web comms for Clojure/Script" :url "https://github.com/ptaoussanis/sente"
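Review bot: In the CHANGELOG.md hunk, the heading `#### make-channel-socket-client! now takes an extra mandatory argment` has a typo ("argument"), and the before/after fenced block for `:chsk/handshake` has lost its placeholders, so it reads `[:chsk/handshake [ ]]` versus `[:chsk/handshake [ nil ]]` without showing which element of the vector is now `nil`; if the placeholders were written with angle brackets, the renderer is probably swallowing them as HTML tags, so escape them or use plain-text names that match the prose (e.g. `csrf-token`). It would also help operators if the "Security fix details" section named the option that controls the new refuse-by-default behaviour ("refuse to service any requests unless a CSRF token is detected"), since the "Breaking changes" section only covers the client argument and the handshake event.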
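Review bot: The README.md hunks only bump the dependency coordinate to `"1.14.0-RC2"`; because this release makes `csrf-token` a mandatory argument of `make-channel-socket-client!` and rejects requests without a token by default, any client-side setup snippet in the README should be updated in the same patch so that readers copying the README's dependency line do not then hit a breaking API change without guidance beyond "see CHANGELOG for details".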
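Review bot: Version mismatch in the example-project/project.clj hunk: both the `defproject` line and the `[com.taoensso/sente ...]` dependency are bumped to `"1.14.0-RC1"`, while project.clj, CHANGELOG.md and README.md in this same patch all say `"1.14.0-RC2"`. The example project is exactly what the CHANGELOG links to for the CSRF-token wiring, so it would resolve a different release than the one this patch describes; change both occurrences to `"1.14.0-RC2"`.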