From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Tue, 14 Jun 2016 16:15:40 +0000 (-0400)
Subject: API: Log non-whitelisted CORS requests with session cookies
X-Git-Tag: 1.31.0-rc.0~6464^2
X-Git-Url: https://git.cyclocoop.org/%242?a=commitdiff_plain;h=43b2693a3359a190a32a69934ef72305ae9f8849;p=lhc%2Fweb%2Fwiklou.git

API: Log non-whitelisted CORS requests with session cookies

As requested in T62835#1794915, this logs requests that have an Origin
header that isn't whitelisted and have "session" cookies (defined as
"cookies that SessionManager says to vary on").

Change-Id: I3e34ff1e3a0a3f63c709ee95aa5cf8309fbc4367
---

diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index ce9587f399..43cc08821f 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -171,22 +171,53 @@ class ApiMain extends ApiBase {
 
 		if ( isset( $request ) ) {
 			$this->getContext()->setRequest( $request );
+		} else {
+			$request = $this->getRequest();
 		}
 
-		$this->mInternalMode = ( $this->getRequest() instanceof FauxRequest );
+		$this->mInternalMode = ( $request instanceof FauxRequest );
 
 		// Special handling for the main module: $parent === $this
 		parent::__construct( $this, $this->mInternalMode ? 'main_int' : 'main' );
 
+		$config = $this->getConfig();
+
 		if ( !$this->mInternalMode ) {
-			// Impose module restrictions.
-			// If the current user cannot read,
-			// Remove all modules other than login
-			global $wgUser;
+			// Log if a request with a non-whitelisted Origin header is seen
+			// with session cookies.
+			$originHeader = $request->getHeader( 'Origin' );
+			if ( $originHeader === false ) {
+				$origins = [];
+			} else {
+				$originHeader = trim( $originHeader );
+				$origins = preg_split( '/\s+/', $originHeader );
+			}
+			$sessionCookies = array_intersect(
+				array_keys( $_COOKIE ),
+				MediaWiki\Session\SessionManager::singleton()->getVaryCookies()
+			);
+			if ( $origins && $sessionCookies && (
+				count( $origins ) !== 1 || !self::matchOrigin(
+					$origins[0],
+					$config->get( 'CrossSiteAJAXdomains' ),
+					$config->get( 'CrossSiteAJAXdomainExceptions' )
+				)
+			) ) {
+				MediaWiki\Logger\LoggerFactory::getInstance( 'cors' )->warning(
+					'Non-whitelisted CORS request with session cookies', [
+						'origin' => $originHeader,
+						'cookies' => $sessionCookies,
+						'ip' => $request->getIP(),
+						'userAgent' => $this->getUserAgent(),
+						'wiki' => wfWikiID(),
+					]
+				);
+			}
 
+			// If we're in a mode that breaks the same-origin policy, strip
+			// user credentials for security.
 			if ( $this->lacksSameOriginSecurity() ) {
-				// If we're in a mode that breaks the same-origin policy, strip
-				// user credentials for security.
+				global $wgUser;
 				wfDebug( "API: stripping user credentials when the same-origin policy is not applied\n" );
 				$wgUser = new User();
 				$this->getContext()->setUser( $wgUser );
@@ -211,7 +242,6 @@ class ApiMain extends ApiBase {
 			}
 		}
 
-		$config = $this->getConfig();
 		$this->mModuleMgr = new ApiModuleManager( $this );
 		$this->mModuleMgr->addModules( self::$Modules, 'action' );
 		$this->mModuleMgr->addModules( $config->get( 'APIModules' ), 'action' );