csrf failed when run with workers

Question

csrf failed when run with workers

ohahlev opened this issue 5 years ago · comments

I try to run guestbook; and it is working fine until I set workers=4, because my machine is a 4-core monster; and nightmare starts to come.

steps to reproduce

git clone git@github.com:ohahlev/guestbook-sanic-wtf.git
python app.py
try to submit data again and again

expected results
form can be always submitted without error
what really happens
Sometimes form is submitted successfully, and sometimes not. I print out form.errors, and see that, the error is "csrf failed"

Joe Doherty · Answer 1 · Sat Oct 12 2019 15:57:58 GMT+0800 (China Standard Time)

Hi @ohahlev in your implementation you are using a global variable for session (https://github.com/ohahlev/guestbook-sanic-wtf/blob/master/app.py#L16)

I presume in your actual app you have sessions stored elsewhere?

This global variable will not be shared amongst the different workers, so the csrf token will only be valid on a particular worker.

Cody Thomas · Answer 2 · Thu Apr 08 2021 07:32:07 GMT+0800 (China Standard Time)

if it's not shared, what's the recommended solution to have the csrf value shared across workers?

Philip Xu · Answer 3 · Fri Apr 09 2021 16:23:01 GMT+0800 (China Standard Time)

if it's not shared, what's the recommended solution to have the csrf value shared across workers?

One way is to use a persistent storage such as a database. The global variable as storage in guestbook example is for self-contained demonstration purpose, you need something better in production.

Cody Thomas · Answer 4 · Fri Apr 09 2021 23:07:54 GMT+0800 (China Standard Time)

I was chatting with the devs for Sanic (https://community.sanicframework.org/t/restructuring-create-server-to-leverage-workers/832/8?u=its-a-feature) and it appears that the value I set for the "WTF_CSRF_SECRET_KEY" is duplicated for each worker. So, if each worker gets that variable, why do we have the issue where only one worker can successfully handle the response?

Cody Thomas · Answer 5 · Fri Apr 09 2021 23:08:56 GMT+0800 (China Standard Time)

or is it specifically this piece that's the issue:
https://github.com/pyx/sanic-wtf/blob/master/examples/guestbook.py#L16-L19

Philip Xu · Answer 6 · Sat Apr 10 2021 15:25:11 GMT+0800 (China Standard Time)

I was chatting with the devs for Sanic (https://community.sanicframework.org/t/restructuring-create-server-to-leverage-workers/832/8?u=its-a-feature) and it appears that the value I set for the "WTF_CSRF_SECRET_KEY" is duplicated for each worker. So, if each worker gets that variable, why do we have the issue where only one worker can successfully handle the response?

I read the discussion you mentioned, looks like that's what you INTENDED. You want to share the secret key across workers.

If the code snippet "ahopkins" quoted there is what you are using, you are initializing your secret keys (notice I said keys, not a single key) per worker, I didn't follow the development of Sanic lately, but if workers are process based like you mentioned, that means your code:

mythic.config[
    "WTF_CSRF_SECRET_KEY"
] = str(uuid.uuid4()) + str(uuid.uuid4)

will be executed for as many times as the number of works (processes), and you are generating that many different secret keys (provided no collision here), in that case, the CSRF token validation should fail unless your POST request is handle by the VERY SAME worker that render your form request to begin with, that is, using same secret key both to render and to verify. It's by design, since we are assuming outside attackers don't know your secret key so that it's almost impossible for them to forged a token that can be validated.

Find some way to generate the secret key once and once only, then share it between your workers, ENV var suggested by "ahopkins" seems a good idea.

And something off-topic, initializing the secret key randomly in worker code has the side effect of no persistent CSRF token between service restarts, imagine, client C opened a new tab in browser with your form rendered with secret key S, while client C spent sometime to fill out the form, the service restarts, a new secret key S' was generated, the validation will fail should client C submit the form with now outdated CSRF token, this might or not might be what you want.

Cody Thomas · Answer 7 · Sun Apr 11 2021 00:31:11 GMT+0800 (China Standard Time)

So, I mentioned in that thread (https://community.sanicframework.org/t/restructuring-create-server-to-leverage-workers/832/7?u=its-a-feature) that even when i set that value to something static, like "5" in that message i just linked, i still get the same effect. So, there's something else that's coming into play.

Yeah, by design for my application if the application restarts, I want all of the csrf and secret keys to invalidate.

Philip Xu · Answer 8 · Sun Apr 11 2021 11:12:40 GMT+0800 (China Standard Time)

So, I mentioned in that thread (https://community.sanicframework.org/t/restructuring-create-server-to-leverage-workers/832/7?u=its-a-feature) that even when i set that value to something static, like "5" in that message i just linked, i still get the same effect. So, there's something else that's coming into play.

Yeah, by design for my application if the application restarts, I want all of the csrf and secret keys to invalidate.

Could you show me a minimal app with the issue?