Jupyter-contrib / jupyter_nbextensions_configurator

A jupyter notebook serverextension providing config interfaces for nbextensions.

Anyone can access the endpoints on nbclassic #159

Open yacchin1205 opened 1 year ago

yacchin1205 commented 1 year ago

When I install this extension on nbclassic, anyone can access the endpoints provided by Server Extension without credentials.

This is because the Server Extension uses notebook.base.handlers.IPythonHandler. https://github.com/Jupyter-contrib/jupyter_nbextensions_configurator/blob/master/src/jupyter_nbextensions_configurator/__init__.py#LL18C1-L18C1 As reported to the notebook project https://github.com/jupyter/nbclassic/issues/271 , it seems that nbclassic should use jupyter_server.base.handlers.JupyterHandler. This may be just a bug in nbclassic, but I report it here too.

To Reproduce

To reproduce, please follow the steps below.

  1. Download Dockerfile from https://gist.github.com/yacchin1205/532509f59b1815bdb4624a08db1e4f9c
  2. Build an image: docker build -t jupyter/ipython-handler-authentication-bug .
  3. Run jupyter notebook (former notebook server): docker run --rm -p 8888:8888 -e DOCKER_STACKS_JUPYTER_CMD=notebook jupyter/ipython-handler-authentication-bug
  4. Access the nbextensions configurator endpoint without credentials: curl -vvvv 'http://127.0.0.1:8888/nbextensions/nbextensions_configurator/list' -> It returns 403 Forbidden. (Expected behavior)
  5. Stop the container with Ctrl-C
  6. Run jupyter nbclassic (nbclassic with jupyter-server): docker run --rm -p 8888:8888 -e DOCKER_STACKS_JUPYTER_CMD=nbclassic jupyter/ipython-handler-authentication-bug
  7. Access the nbextensions configurator endpoint without credentials: curl -vvvv 'http://127.0.0.1:8888/nbextensions/nbextensions_configurator/list' -> It returns 200 OK with actual response. (Unexpected behavior)
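
A regression check for the behaviour in steps 4 and 7, as an added example that is not part of the original report or the project's code: it requests the list endpoint with no cookie or token and classifies the response. The names `check_endpoint` and `start_stub` are hypothetical, the stub servers are constructed stand-ins for the two containers, and treating a redirect as "protected" is an assumption.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Endpoint path taken from the reproduction steps in the issue.
LIST_PATH = "/nbextensions/nbextensions_configurator/list"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as errors instead of following them."""
    def redirect_request(self, *args, **kwargs):
        return None


def check_endpoint(base_url, timeout=5):
    """Request LIST_PATH without credentials and classify the reply."""
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.ProxyHandler({}))
    try:
        with opener.open(base_url.rstrip("/") + LIST_PATH, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    if status in (401, 403) or 300 <= status < 400:  # redirect case is an assumption
        return "protected"
    if 200 <= status < 300:
        return "exposed"
    return "inconclusive"


def start_stub(status):
    """Constructed stand-in server that answers every GET with `status`."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            if 300 <= status < 400:
                self.send_header("Location", "/login")
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the check's output quiet
            pass
    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_port


if __name__ == "__main__":
    for label, status in (("notebook", 403), ("nbclassic", 200)):
        print(label, check_endpoint(start_stub(status)))
```

Against a real deployment, pass its base URL (for example `http://127.0.0.1:8888` from the steps above) to `check_endpoint` and fail the build on anything other than "protected".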