Hi Adam,

I did a bit of work removing the @csrf_exempt decorator from v4 code (starting at this commit: https://github.com/archesproject/arches/commit/516a533389f0e2b8a6633a04621032a6c7138716 and also this: https://github.com/archesproject/arches/commit/67fbdbda19e7cbbbfb2602f860f12dd62b0a5907). Most ajax requests use our Abstract model and so I attached a handler to add a Django-specific header to pass along the csrf_exempt token. See the Django docs for more info (https://docs.djangoproject.com/en/1.9/ref/csrf/). I think you could apply this pretty easily to v3.

Cheers,
Alexei

Director of Web Development - Farallon Geographics, Inc. - 971.227.3173

On Wed, Apr 13, 2016 at 10:09 AM, Adam Cox <[email protected]> wrote:

> Hi Alexei, thanks for the response. Does this mean that security-related concerns will be used as a justification for upgrading to v4? I've rewritten significant portions of the app at this point, so I'm leaning toward not upgrading this specific installation when v4 comes around. Therefore, any more information on how the CSRF-related gaps can be closed would be much appreciated.
>
> Do you think that would cover the main security concerns (outside of an SSL certificate, which we've talked about already) and allow the app to hold up to a high level of scrutiny?
>
> Adam
>
> On Monday, April 11, 2016 at 4:39:14 PM UTC-6, Alexei Peters wrote:
>
>> Hi Adam,
>>
>> A good question which probably warrants further discussion. As far as Arches v3 goes, there are some gaps related to the csrf_exempt decorator that will be closed in v4. For the most part we use the ORM and should be protected against SQL injection. Most of our data comes in as JSON strings and is never rendered as HTML so we should be safe there.
>>
>> As far as the "|safe" filter is concerned we only use those on instances where we use Summernote for HTML descriptions and that data gets escaped by the Summernote widget (although it looks like someone, an authenticated user mind you, could use the dev tools to bypass that).
>>
>> Hope that helps a little.
>>
>> Cheers,
>> Alexei
>>
>> Director of Web Development - Farallon Geographics, Inc. - 971.227.3173
>>
>> On Mon, Apr 11, 2016 at 9:46 AM, Adam Cox <[email protected]> wrote:
>>
>>> EDIT: I mistakenly pasted the wrong link... This is what I meant to reference:
>>> http://security.stackexchange.com/questions/27805/is-djangos-built-in-security-enough
>>> Sorry for the confusion.
>>>
>>> On Mon, Apr 11, 2016 at 10:43 AM, Adam Cox <[email protected]> wrote:
>>>
>>>> Hello, I'm anticipating security-related questions, and I was looking into what people have to say about Django generally. I'm wondering if an Arches developer can comment on the subjects raised in this thread: https://groups.google.com/forum/#!topic/archesproject/sXu6qpMuoAs, regarding SQL Injection, CSRF, and XSS attacks. I've noticed a couple of specific things--that a number of model functions have the csrf_exempt decorator, and that the "|safe" filter is used in the report templates, for example--but I would appreciate a general rundown of how Arches is a secure Django application.
>>>>
>>>> Thanks,
>>>> Adam
>>>>
>>>> --
>>>> -- To post, send email to [email protected]. To unsubscribe, send email to [email protected]. For more information, visit https://groups.google.com/d/forum/archesproject?hl=en
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups "Arches Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
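The header-based approach Alexei describes, written out as an added example (this is the recipe from the Django CSRF docs, not code from the Arches repository); it assumes Django's default cookie name `csrftoken` and header name `X-CSRFToken`, and a jQuery-style `beforeSend` hook for the browser wiring.

```javascript
// Added example, not Arches code: the Django CSRF docs' recipe for sending the
// token on AJAX requests once @csrf_exempt is gone from the views.
// Assumptions: Django's default cookie name "csrftoken", header "X-CSRFToken".

// Pull one cookie value out of a document.cookie-style string.
function getCookie(cookieString, name) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (trimmed.startsWith(name + '=')) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return null;
}

// Django does not check the token on these methods (they must stay side-effect free).
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(String(method));
}

// Build the request headers: attach X-CSRFToken only on unsafe, same-origin
// requests, so the token is never handed to a third-party host.
function withCsrfHeader(headers, method, cookieString, crossDomain) {
  const out = Object.assign({}, headers);
  if (!csrfSafeMethod(method) && !crossDomain) {
    const token = getCookie(cookieString, 'csrftoken');
    if (token) out['X-CSRFToken'] = token;
  }
  return out;
}

// Browser wiring (mirrors the docs' jQuery ajaxSetup/beforeSend pattern);
// skipped when there is no window, so the file also runs under Node.
if (typeof window !== 'undefined' && window.jQuery) {
  window.jQuery.ajaxSetup({
    beforeSend: function (xhr, settings) {
      const headers = withCsrfHeader({}, settings.type, document.cookie, settings.crossDomain);
      Object.keys(headers).forEach(function (k) { xhr.setRequestHeader(k, headers[k]); });
    }
  });
}

// Constructed sample cookie jar for a stand-alone run (values are made up).
const SAMPLE_COOKIE = 'sessionid=abc123; csrftoken=constructedTokenValue42';
console.log(withCsrfHeader({ 'Content-Type': 'application/json' }, 'POST', SAMPLE_COOKIE, false));
```

With the views no longer exempt, any POST that arrives without a matching header is rejected by Django's CsrfViewMiddleware, so a missing token shows up as a 403 in the server log rather than as a silently accepted request.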
