apache
[ZEPPELIN-6142] Apply synchronizer token pattern to terminal interpreter for CSWSH protection
What is this PR for?
This PR applies synchronizer token pattern to terminal interpreter for CSWSH protection. The terminal interpreter is reported with a CSWSH(Cross-Site WebSocket Hijacking) vulnerability. An earlier PR partially addressed this issue by implementing an origin check. However, this measure does not provide full protection, as it can't prevent attacks from scripts running within the same origin.
To enhance security, I implemented the synchronizer token pattern as an additional layer of protection. I modified the terminal HTML to be rendered with a Jinja template, allowing a CSRF token to be injected. This CSRF token is then validated on receiving the first WebSocket message, providing robust protection against CSWSH attacks.
References:
- Spring Security WebSocket Same-Origin Policy
- OWASP CSRF Prevention Cheat Sheet - Synchronizer Token Pattern
What type of PR is it?
Improvement
Todos
What is the Jira issue?
https://issues.apache.org/jira/browse/ZEPPELIN-6142
How should this be tested?
- After removing the origin check(by making the checkOrigin method always return true), connect to the terminal WebSocket and send a message without a valid CSRF token.
- Check that the connection is promptly closed and that an error is logged on the server.
Screenshots (if appropriate)
Questions:
- Does the license files need to update? No
- Is there breaking changes for older versions? No
- Does this needs documentation? No
@tbonelee Thank you for the review. I’m going to give some more thought to the CSRF token theft issue that you mentioned, and add a commit for it.