* fix(security): prevent cross-site request forgery in the UI website This fixes a [cross-site request forgery (CSRF)](https://en.wikipedia.org/wiki/Cross-site_request_forgery) vulnerability in the self-hosted UI for Kopia server. The vulnerability allows a potential attacker to make unauthorized API calls against a running Kopia server. It requires the attacker to trick the user into visiting a malicious website while also logged into a Kopia website. The vulnerability only affected self-hosted Kopia servers with UI. The following configurations were not vulnerable: * Kopia Repository Server without UI * KopiaUI (desktop app) * command-line usage of `kopia` All users are strongly recommended to upgrade at the earliest convenience. * pr feedback
package server_test
import (
"os"
"testing"
"github.com/stretchr/testify/require"
"github.com/kopia/kopia/internal/apiclient"
"github.com/kopia/kopia/internal/repotesting"
"github.com/kopia/kopia/internal/serverapi"
)
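// TestCLIAPI checks that the server's "cli" endpoint reports the executable
// and config file the test process was started with. The client fetches a
// CSRF token before issuing the request, so this call exercises the same
// token path a browser-originated API call would take; the server-side
// enforcement itself lives outside this test.
func TestCLIAPI(t *testing.T) {
	ctx, env := repotesting.NewEnvironment(t, repotesting.FormatNotImportant)
	srvInfo := startServer(t, env, false)

	cli, err := apiclient.NewKopiaAPIClient(apiclient.Options{
		BaseURL:                             srvInfo.BaseURL,
		TrustedServerCertificateFingerprint: srvInfo.TrustedServerCertificateFingerprint,
		Username:                            testUIUsername,
		Password:                            testUIPassword,
	})
	require.NoError(t, err)

	// Obtain the CSRF token before any API call; presumably the server
	// rejects token-less requests (confirm against the server package).
	require.NoError(t, cli.FetchCSRFTokenForTesting(ctx))

	resp := &serverapi.CLIInfo{}
	require.NoError(t, cli.Get(ctx, "cli", nil, resp))

	// Previously this error was discarded, which would turn a failed
	// lookup into a confusing mismatch in the final assertion.
	exe, err := os.Executable()
	require.NoError(t, err)

	require.Equal(t, exe+" --config-file="+env.ConfigFile(), resp.Executable)
}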