CSRF enforcement in v2.6.0 breaks RStudio IDE and other POST requests #11406


Closed
JensHeise opened this issue Jan 4, 2024 · 8 comments · Fixed by #11430
Labels
need-help Assign this label prompts an engineer to check the issue. Only humans may set this.

Comments

@JensHeise

Hello,

we have a template running code-server and RStudio as IDEs.
The v2.6.0 release seems to break the RStudio IDE and all POST requests inside apps running in vscode.

We think we got it down to #11283 enforcing CSRF.
All requests to the Coder API are functional but inside the IDEs POST requests are not.
This is due to the X-CSRF-TOKEN header not being set on the other requests.

Is there some way to fix this on our side, or should there maybe be another exemption in coderd/httpmw/csrf.go for the URLs where apps are running, e.g. /@USER/test.instance/apps/?
Or maybe a switch to remove the enforcement of CSRF for now?
I'm not really experienced with CSRF so I'm looking forward to your help!

Expected Behavior

RStudio opens as usual, which it did before upgrading to v2.6.0.

Actual Behavior

RStudio does not start and throws the following error:
[image: screenshot of the RStudio error dialog]

This can be backtraced to this POST call failing due to the coder CSRF protection kicking in.
Note that the rs-csrf-token and csrf-token cookies are from RStudio and the csrf_token cookie is from Coder.

curl 'https://coder.example.com/@USER/test.instance/apps/rstudio/rpc/client_init' \
  -H 'authority: coder.example.com' \
  -H 'accept: application/json' \
  -H 'cookie: coder_signed_app_token=<REDACTED>; user-id=<REDACTED>; user-list-id=<REDACTED>; persist-auth=0; rs-csrf-token=853023c5-6fe8-428a-9984-547f927d34a0; csrf-token=853023c5-6fe8-428a-9984-547f927d34a0; csrf_token=jadP8iK3mcFW5T24bfmSPKGbiWEYzKxS8k4gc5HcVbo=; oauth_state=<REDACTED>; oauth_redirect=/; coder_session_token=<REDACTED>' \
  -H 'origin: https://coder.example.com' \
  -H 'referer: https://coder.example.com/@USER/test.instance/apps/rstudio/' \
  -H 'x-rs-csrf-token: 853023c5-6fe8-428a-9984-547f927d34a0' \
  -H 'x-rs-rid: -256097717' \
  --data-raw '{"method":"client_init", "params":["https://coder.example.com/@USER/test.instance/apps/rstudio/","unfj3yhzabbmh01252nbz5tmv6z1fl1k"], "kwparams":{"restore_workspace":2, "run_rprofile":2}, "clientVersion":""}' \
  --compressed

Response:
400 | Something is wrong with your CSRF token. Please refresh the page. If this error persists, try clearing your cookies.

When I set the X-CSRF-TOKEN header manually and resend the request, it gets through but RStudio still doesn't start...

Steps to Reproduce the Problem

  1. Set up the template as described in the documentation here
  2. Start workspace from template
  3. Start RStudio

Specifications

  • Version: v2.6.0
  • Platform: Linux
  • Subsystem: Ubuntu 22.04
@cdr-bot cdr-bot bot added the bug label Jan 4, 2024
@matifali matifali added the need-help Assign this label prompts an engineer to check the issue. Only humans may set this. label Jan 4, 2024
@Emyrk
Member

Emyrk commented Jan 4, 2024

Thank you for reporting this. This is a bug and I will work on this.

I think this can be solved by exempting all path based application routes.
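To make the failure in the issue and the exemption Emyrk proposes concrete, here is an added, stand-alone Go example. It is not Coder's own middleware from coderd/httpmw/csrf.go and not the code in #11430; it models a plain double-submit check (X-CSRF-TOKEN header must equal the csrf_token cookie) and an assumed path pattern for path-based app routes derived from the URL in the report. The route regex, the `Simulate` helper and the `/api/v2/users/me` path are illustrative assumptions; the cookie and token values are the ones quoted in the issue's curl command.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// Path-based workspace app URLs in the issue look like
// /@<user>/<workspace>/apps/<app>/... ; this pattern is an assumption
// modelled on that URL, not the router Coder actually uses.
var appRoutePattern = regexp.MustCompile(`^/@[^/]+/[^/]+/apps/`)

// IsAppRoute reports whether path is a path-based workspace app route.
func IsAppRoute(path string) bool {
	return appRoutePattern.MatchString(path)
}

// CSRFCheck is a simplified double-submit cookie check: for state-changing
// methods the X-CSRF-TOKEN header must equal the csrf_token cookie. It
// returns "" when the request may proceed, otherwise the rejection reason.
// With exemptApps set, path-based app routes skip the check, which is the
// shape of fix discussed in the thread; the app behind the proxy (RStudio,
// with its own x-rs-csrf-token) stays responsible for its own CSRF defence.
func CSRFCheck(r *http.Request, exemptApps bool) string {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return "" // safe methods are never checked
	}
	if exemptApps && IsAppRoute(r.URL.Path) {
		return ""
	}
	cookie, err := r.Cookie("csrf_token")
	if err != nil {
		return "missing csrf_token cookie"
	}
	header := r.Header.Get("X-CSRF-TOKEN")
	if header == "" {
		return "missing X-CSRF-TOKEN header"
	}
	if subtle.ConstantTimeCompare([]byte(header), []byte(cookie.Value)) != 1 {
		return "X-CSRF-TOKEN does not match csrf_token cookie"
	}
	return ""
}

// CSRFMiddleware answers 400 with the reason when CSRFCheck rejects a request.
func CSRFMiddleware(next http.Handler, exemptApps bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if reason := CSRFCheck(r, exemptApps); reason != "" {
			http.Error(w, "Something is wrong with your CSRF token: "+reason, http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Simulate sends a constructed POST carrying the csrf_token cookie from the
// issue's curl through the middleware and returns the resulting status code.
func Simulate(exemptApps bool, path string, withHeader bool) int {
	const token = "jadP8iK3mcFW5T24bfmSPKGbiWEYzKxS8k4gc5HcVbo=" // value quoted in the issue
	h := CSRFMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}), exemptApps)
	req := httptest.NewRequest(http.MethodPost, path, nil)
	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: token})
	// RStudio's own token header, which Coder's check does not look at.
	req.Header.Set("X-RS-CSRF-Token", "853023c5-6fe8-428a-9984-547f927d34a0")
	if withHeader {
		req.Header.Set("X-CSRF-TOKEN", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const app = "/@USER/test.instance/apps/rstudio/rpc/client_init"
	const api = "/api/v2/users/me" // illustrative API path (assumption)
	fmt.Println("without app-route exemption (the v2.6.0 behaviour):")
	fmt.Println("  RStudio rpc, no X-CSRF-TOKEN   ->", Simulate(false, app, false)) // 400, the reported failure
	fmt.Println("  RStudio rpc, header added      ->", Simulate(false, app, true))  // 200, the manual resend
	fmt.Println("with app-route exemption:")
	fmt.Println("  RStudio rpc, no X-CSRF-TOKEN   ->", Simulate(true, app, false)) // 200
	fmt.Println("  API POST, no X-CSRF-TOKEN      ->", Simulate(true, api, false)) // 400, API still protected
}
```

The point of the exemption is scoping, not weakening: Coder's API routes keep the header check, while proxied app traffic, which Coder never issued an X-CSRF-TOKEN to, is left to the app's own mechanism. A practitioner reviewing such a change should confirm the exemption pattern cannot match any API path.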

@Emyrk
Member

Emyrk commented Jan 5, 2024

fix and test to ensure this does not happen again: #11430

@bfqrst

bfqrst commented Jan 10, 2024

@Emyrk thanks for working on this issue and a belated Happy New Year while I am at it! Since this CSRF situation really bites us in the back in some form or another in our apps, I wanted to ask if there's a timeline regarding cutting the next release?

Cheers

@bpmct
Member

bpmct commented Jan 10, 2024

Hey! I can cut a release tomorrow :)

@bpmct
Member

bpmct commented Jan 11, 2024

Update: we ran into several release blockers. Might have to wait until tomorrow or Monday.

@bfqrst

bfqrst commented Jan 11, 2024

I see. Good luck! Thanks for the heads up...

@murr4y

murr4y commented Jan 17, 2024

@bpmct Hey, stumbled across this resolved issue. Since that CSRF enforcement renders many of our apps unusable as well, I was wondering if those release blockers have been resolved? Appreciate it! :)

@bpmct
Member

bpmct commented Jan 23, 2024

Yep - v2.7.1 includes the fix
