Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

csrf protection in job_agent #47710

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

csrf protection in job_agent #47710

wants to merge 5 commits into from

Conversation

richo-anyscale
Copy link
Contributor

r? @alanwguo

Why are these changes needed?

Prevent confused deputy attacks on the job_agent

Checks

  • I've signed off every commit(by using the -s flag, i.e., git commit -s) in this PR.
  • I've run scripts/format.sh to lint the changes in this PR.
  • I've included any doc changes needed for https://docs.ray.io/en/master/.
    • I've added any new APIs to the API Reference. For example, if I added a
      method in Tune, I've added it in doc/source/tune/api/ under the
      corresponding .rst file.
  • I've made sure the tests are passing. Note that there might be a few flaky tests, see the recent failures at https://flakey-tests.ray.io/
  • Testing Strategy
    • Unit tests
    • Release tests
    • This PR is not tested :(

(Working on the checks!)

alanwguo
alanwguo reviewed Sep 24, 2024
View reviewed changes
python/ray/dashboard/optional_utils.py Outdated
Comment on lines 271 to 274
return Response(
text="Method not allowed",
status=aiohttp.web.HTTPNotAllowed.status_code,
)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we tell people that browser requests are not supported? Or do we purposely not expose this detail?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think there's meaningful value to hiding it although you are so far from a supported path if you wind up there. I can adjust the message.

@richo-anyscale richo-anyscale force-pushed the richo/csrf-protection branch 5 times, most recently from 55d11e3 to 65c48f2 Compare October 29, 2024 00:33
@richo-anyscale
Refactor
7f18443 
Signed-off-by: Richo Healey <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alanwguo alanwguo alanwguo left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@richo-anyscale @alanwguo