mirror of
https://github.com/coder/coder.git
synced 2025-07-09 11:45:56 +00:00
fix(security)!: path-based app sharing changes (#5772)
This commit disables path-based app sharing by default. It is possible for a workspace app on a path (not a subdomain) to make API requests to the Coder API. When accessing your own workspace, this is not much of a problem. When accessing a shared workspace app, the workspace owner could include malicious JavaScript in the page that makes requests to the Coder API on behalf of the visitor. This vulnerability does not affect subdomain apps.

- Disables path-based app sharing by default. Previous behavior can be restored using the `--dangerous-allow-path-app-sharing` flag, which is not recommended.
- Disables users with the site "owner" role from accessing path-based apps from workspaces they do not own. Previous behavior can be restored using the `--dangerous-allow-path-app-site-owner-access` flag, which is not recommended.
- Adds a flag `--disable-path-apps` which can be used by security-conscious admins to disable all path-based apps across the entire deployment. This check is enforced at app-access time, not at template-ingest time.
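The access decision the commit message describes, written out as an added Go example. This is not Coder's own code: the `PathAppPolicy` and `AppRequest` types, the field names, the error values and the `coder.example.com` URLs are all hypothetical, chosen to mirror the three flags and the owner / site-owner / shared-visitor cases the message lists. The point it makes concrete is the origin test: a path-based app shares the API's origin, so a page it serves can call the API with the visitor's session, while a subdomain app cannot, which is why only path-based apps are gated.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// PathAppPolicy mirrors the three server flags the commit message describes.
// The struct and field names are hypothetical, not Coder's own configuration types.
type PathAppPolicy struct {
	AccessURL                   string // deployment access URL, e.g. https://coder.example.com
	DisablePathApps             bool   // --disable-path-apps
	AllowPathAppSharing         bool   // --dangerous-allow-path-app-sharing
	AllowPathAppSiteOwnerAccess bool   // --dangerous-allow-path-app-site-owner-access
}

// AppRequest is a hypothetical, already-authenticated request for a workspace app.
type AppRequest struct {
	URL                string // full URL the browser requested
	WorkspaceOwner     string // username owning the workspace
	Visitor            string // authenticated username making the request
	VisitorIsSiteOwner bool   // visitor holds the site "owner" role
	Shared             bool   // app's sharing level admits this visitor
}

var (
	ErrPathAppsDisabled = errors.New("path-based apps are disabled on this deployment")
	ErrPathAppSharing   = errors.New("path-based app sharing is disabled; serve the app from a subdomain")
	ErrPathAppSiteOwner = errors.New("site owners cannot open path-based apps in workspaces they do not own")
	ErrNotShared        = errors.New("app is not shared with this user")
)

// IsPathApp reports whether the app is served from the same origin as the Coder API.
// That shared origin is what lets JavaScript in the app page call the API with the
// visitor's session cookie; a subdomain app is a different origin and cannot.
func IsPathApp(accessURL, requestURL string) (bool, error) {
	api, err := url.Parse(accessURL)
	if err != nil {
		return false, err
	}
	req, err := url.Parse(requestURL)
	if err != nil {
		return false, err
	}
	return api.Scheme == req.Scheme && api.Host == req.Host, nil
}

// Authorize applies the policy at app-access time. Subdomain apps are never
// affected by the three flags; only same-origin (path-based) apps are.
func Authorize(p PathAppPolicy, r AppRequest) error {
	pathApp, err := IsPathApp(p.AccessURL, r.URL)
	if err != nil {
		return err
	}
	// --disable-path-apps is enforced on every access, even the owner's own.
	if pathApp && p.DisablePathApps {
		return ErrPathAppsDisabled
	}
	if r.Visitor == r.WorkspaceOwner {
		return nil // your own workspace: an API call by the app is your own call
	}
	if r.VisitorIsSiteOwner {
		if !pathApp || p.AllowPathAppSiteOwnerAccess {
			return nil // role-based access; only path-based apps are gated
		}
		if !r.Shared {
			return ErrPathAppSiteOwner // the role alone no longer grants path-app access
		}
		// A shared path app is evaluated like any other visitor's request below.
	}
	if !r.Shared {
		return ErrNotShared
	}
	if pathApp && !p.AllowPathAppSharing {
		return ErrPathAppSharing // default: shared path-based apps are refused
	}
	return nil
}

func main() {
	// Constructed sample deployment and requests.
	defaults := PathAppPolicy{AccessURL: "https://coder.example.com"}
	shared := AppRequest{
		URL:            "https://coder.example.com/@alice/ws/apps/code",
		WorkspaceOwner: "alice",
		Visitor:        "bob",
		Shared:         true,
	}
	fmt.Println("bob -> alice's shared path app (defaults):", Authorize(defaults, shared))
	shared.URL = "https://code--ws--alice.coder.example.com/"
	fmt.Println("bob -> alice's shared subdomain app (defaults):", Authorize(defaults, shared))
}
```

With the default policy the first request is refused with `ErrPathAppSharing` and the second succeeds; flipping `AllowPathAppSharing` makes the first succeed too, which is exactly the "previous behavior" the dangerous flag restores.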
cli/testdata/coder_server_--help.golden (30 changed lines, vendored)
@ -29,6 +29,28 @@ Flags:
with systemd.
Consumes $CODER_CACHE_DIRECTORY (default
"/tmp/coder-cli-test-cache")
--dangerous-allow-path-app-sharing Allow workspace apps that are not served
from subdomains to be shared. Path-based
app sharing is DISABLED by default for
security purposes. Path-based apps can
make requests to the Coder API and pose a
security risk when the workspace serves
malicious JavaScript. Path-based apps can
be disabled entirely with
--disable-path-apps for further security.
Consumes
$CODER_DANGEROUS_ALLOW_PATH_APP_SHARING
--dangerous-allow-path-app-site-owner-access Allow site-owners to access workspace
apps from workspaces they do not own.
Owners cannot access path-based apps they
do not own by default. Path-based apps
can make requests to the Coder API and
pose a security risk when the workspace
serves malicious JavaScript. Path-based
apps can be disabled entirely with
--disable-path-apps for further security.
Consumes
$CODER_DANGEROUS_ALLOW_PATH_APP_SITE_OWNER_ACCESS
--dangerous-disable-rate-limits Disables all rate limits. This is not
recommended in production.
Consumes $CODER_RATE_LIMIT_DISABLE_ALL
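Review bot: the first sentence of the `--dangerous-allow-path-app-site-owner-access` help text ("Allow site-owners to access workspace apps from workspaces they do not own.") drops the path-based qualifier, although the very next sentence ("Owners cannot access path-based apps they do not own by default.") and the commit message scope the restriction to path-based apps and leave subdomain apps untouched; suggest "Allow site-owners to access path-based workspace apps from workspaces they do not own." so an admin does not read the flag as also gating subdomain apps. The warning that path-based apps can make requests to the Coder API is also repeated word for word under both new flags; one sentence pointing at `--disable-path-apps` would keep the help output shorter.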
@ -61,6 +83,14 @@ Flags:
Consumes
$CODER_DERP_SERVER_STUN_ADDRESSES
(default [stun.l.google.com:19302])
--disable-path-apps Disable workspace apps that are not
served from subdomains. Path-based apps
can make requests to the Coder API and
pose a security risk when the workspace
serves malicious JavaScript. This is
recommended for security purposes if a
--wildcard-access-url is configured.
Consumes $CODER_DISABLE_PATH_APPS
--experiments strings Enable one or more experiments. These are
not ready for production. Separate
multiple experiments with commas, or
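Review bot: the `--disable-path-apps` help text recommends the flag when a `--wildcard-access-url` is configured but does not say what a deployment gets once it is set: the commit message states the check is enforced at app-access time, not at template-ingest time, so templates that declare path-based apps are still accepted and those apps only fail when a user opens them. Suggest adding a sentence such as "Templates may still define path-based apps; they will be refused when accessed." so admins are not surprised by templates that build cleanly but ship unreachable apps.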