Skip to content

Commit

Permalink
Turn CSRF protection on by default (PrefectHQ#12377)
Browse files Browse the repository at this point in the history
  • Loading branch information
bunchesofdonald authored Mar 22, 2024
1 parent 416d63b commit 38f332e
Show file tree
Hide file tree
Showing 4 changed files with 50 additions and 18 deletions.
45 changes: 30 additions & 15 deletions .github/workflows/integration-tests.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -27,8 +27,9 @@ jobs:
compatibility-tests:
name: "Check compatibility with Prefect ${{ matrix.prefect-version }}"
timeout-minutes: 10

runs-on: ubuntu-latest
strategy:
fail-fast: true
matrix:
prefect-version:
# These versions correspond to Prefect image tags, the patch version is
Expand All @@ -49,6 +50,7 @@ jobs:
- "2.13"
- "2.14"
- "2.15"
- "2.16"

# We can include the following to always test against the last release
# but the value is not particularly clear and we can just append the
Expand All @@ -61,53 +63,61 @@ jobs:
# incompatibilities are allowed.

# All servers prior to 2.6.0 will not accept 2.6.0+ result types
# All servers prior to 2.16.0 will not accept `Deployment.schedules`

- prefect-version: "2.0"
server-incompatible: true
server-disable-csrf: true
- prefect-version: "2.1"
server-incompatible: true
server-disable-csrf: true
- prefect-version: "2.2"
server-incompatible: true
server-disable-csrf: true
- prefect-version: "2.3"
server-incompatible: true
server-disable-csrf: true
- prefect-version: "2.4"
server-incompatible: true
server-disable-csrf: true
- prefect-version: "2.5"
server-incompatible: true

# All servers prior to 2.16.0 will not accept `Deployment.schedules`
server-disable-csrf: true
- prefect-version: "2.6"
server-incompatible: true
server-disable-csrf: true
# 2.6 containers have a bad version of httpcore installed
extra_docker_run_options: '--env EXTRA_PIP_PACKAGES="httpcore>=0.16.2"'
- prefect-version: "2.7"
server-incompatible: true
server-disable-csrf: true
- prefect-version: "2.8"
server-incompatible: true
server-disable-csrf: true
- prefect-version: "2.9"
server-incompatible: true
server-disable-csrf: true
- prefect-version: "2.10"
server-incompatible: true
server-disable-csrf: true
- prefect-version: "2.11"
server-incompatible: true
server-disable-csrf: true
- prefect-version: "2.12"
server-incompatible: true
server-disable-csrf: true
- prefect-version: "2.13"
server-incompatible: true
server-disable-csrf: true
- prefect-version: "2.14"
server-incompatible: true
server-disable-csrf: true
- prefect-version: "2.15"
server-incompatible: true
server-disable-csrf: true
- prefect-version: "2.16"
server-incompatible: false

# 2.6 containers have a bad version of httpcore installed
- prefect-version: "2.6"
extra_docker_run_options: '--env EXTRA_PIP_PACKAGES="httpcore>=0.16.2"'
server_command: "prefect orion start"

# 2.6/2.7 require `prefect orion start` instead of prefect server start
- prefect-version: "2.7"
server_command: "prefect orion start"

fail-fast: true

runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
Expand Down Expand Up @@ -151,6 +161,11 @@ jobs:
TEST_CLIENT_VERSION=$(python -c 'import prefect; print(prefect.__version__)')
./scripts/run-integration-flows.py
- name: Turn off CSRF protection for older clients.
if: ${{ matrix.server-disable-csrf }}
run: |
echo "PREFECT_SERVER_CSRF_PROTECTION_ENABLED=0" >> $GITHUB_ENV
- name: Start server@dev
run: |
# First, we must stop the server container if it exists
Expand Down
2 changes: 1 addition & 1 deletion src/prefect/settings.py
Original file line number Diff line number Diff line change
Expand Up @@ -1235,7 +1235,7 @@ def default_cloud_ui_url(settings, value):
API with another tool you will need to configure this there instead.
"""

PREFECT_SERVER_CSRF_PROTECTION_ENABLED = Setting(bool, default=False)
PREFECT_SERVER_CSRF_PROTECTION_ENABLED = Setting(bool, default=True)
"""
Controls the activation of CSRF protection for the Prefect server API.
Expand Down
14 changes: 12 additions & 2 deletions src/prefect/testing/fixtures.py
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,12 @@
from prefect.events.clients import AssertingEventsClient
from prefect.events.filters import EventFilter
from prefect.events.worker import EventsWorker
from prefect.settings import PREFECT_API_URL, get_current_settings, temporary_settings
from prefect.settings import (
PREFECT_API_URL,
PREFECT_SERVER_CSRF_PROTECTION_ENABLED,
get_current_settings,
temporary_settings,
)
from prefect.testing.utilities import AsyncMock
from prefect.utilities.processutils import open_process

Expand Down Expand Up @@ -118,7 +123,12 @@ def use_hosted_api_server(hosted_api_server):
"""
Sets `PREFECT_API_URL` to the test session's hosted API endpoint.
"""
with temporary_settings({PREFECT_API_URL: hosted_api_server}):
with temporary_settings(
{
PREFECT_API_URL: hosted_api_server,
PREFECT_SERVER_CSRF_PROTECTION_ENABLED: False,
}
):
yield hosted_api_server


Expand Down
7 changes: 7 additions & 0 deletions tests/conftest.py
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,7 @@
PREFECT_MEMOIZE_BLOCK_AUTO_REGISTRATION,
PREFECT_PROFILES_PATH,
PREFECT_SERVER_ANALYTICS_ENABLED,
PREFECT_SERVER_CSRF_PROTECTION_ENABLED,
PREFECT_UNIT_TEST_MODE,
)
from prefect.utilities.dispatch import get_registry_for_type
Expand Down Expand Up @@ -510,6 +511,12 @@ def caplog(caplog):
yield caplog


@pytest.fixture(autouse=True)
def disable_csrf_protection():
with temporary_settings({PREFECT_SERVER_CSRF_PROTECTION_ENABLED: False}):
yield


@pytest.fixture
def enable_workers():
with temporary_settings(
Expand Down

0 comments on commit 38f332e

Please sign in to comment.