u/ewong/rhodecode-enterprise-ce-fork Commit - r1817:7df55c97

security: use 404 instead of 403 code on permission decorator to prevent resource discovery attacks.

ergo -

r1817:7df55c97 default

parent child

rhodecode/lib/auth.py

0 +3 -3

              from functools import wraps
              import ipaddress
-             from pyramid.httpexceptions import HTTPForbidden, HTTPFound
+             from pyramid.httpexceptions import HTTPForbidden, HTTPFound, HTTPNotFound
              from pylons.i18n.translation import _
              # NOTE(marcink): this has to be removed only after pyramid migration,
              # replace with _ = request.translate
                                  h.route_path('login', _query={'came_from': came_from}))
                          else:
-                             # redirect with forbidden ret code
-                             raise HTTPForbidden()
+                             # redirect with 404 to prevent resource discovery
+                             raise HTTPNotFound()
                  def check_permissions(self, user):
                      """Dummy function for overriding"""

rhodecode/tests/functional/test_admin_settings.py

0 +3 -3

                          '.panel-heading', 'Licenses of Third Party Packages')
                  def test_forbidden_when_normal_user(self, autologin_regular_user):
-                     self.app.get(self._get_url(), status=403)
+                     self.app.get(self._get_url(), status=404)
              @pytest.mark.usefixtures('app')
                      }[name]
                  def test_forbidden_when_normal_user(self, autologin_regular_user):
-                     self.app.get(self._get_url(), status=403)
+                     self.app.get(self._get_url(), status=404)
                  def test_show_sessions_page(self, autologin_user):
                      response = self.app.get(self._get_url(), status=200)
                      }[name]
                  def test_forbidden_when_normal_user(self, autologin_regular_user):
-                     self.app.get(self._get_url(), status=403)
+                     self.app.get(self._get_url(), status=404)
                  def test_system_info_page(self, autologin_user):
                      response = self.app.get(self._get_url())

rhodecode/tests/functional/test_forks.py

0 +1 -1

                      repo_name = self.REPO
                      self.app.post(
                          url(controller='forks', action='fork_create', repo_name=repo_name),
-                         {'csrf_token': self.csrf_token}, status=403)
+                         {'csrf_token': self.csrf_token}, status=404)
                  def test_index_with_fork(self):
                      self.log_user()

rhodecode/tests/functional/test_integrations.py

0 +1 -1

                  checks if the redirect url is correct.
                  """
-                 app.post(url, params={}, status=403) # missing csrf check
+                 app.post(url, params={}, status=403)  # missing csrf check
                  response = app.post(url, params={'csrf_token': csrf_token})
                  assert response.status_code == 200
                  assert 'Errors exist' in response.body

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages