gsamokovarov / rvt

Remote Terminal for the Browser.
MIT License

422 Unprocessable Entity - InvalidAuthenticityToken in RVT::ConsoleSessionsController#configuration #3

Closed drale2k closed 6 years ago

drale2k commented 6 years ago

When I load the mounted /console site, I get the following error from the XHR request seen in the developer console.

URL: http://localhost:3000/console/console_sessions/39124/configuration
Status: 422 Unprocessable Entity
Source: Network
Address: 127.0.0.1:3000

Checking the rendered response HTML, I see this:

ActionController::InvalidAuthenticityToken
      in RVT::ConsoleSessionsController#configuration

I tried adding skip_before_action :verify_authenticity_token to console_sessions_controller.rb but it does not help.

I am on Rails 5.2.

gsamokovarov commented 6 years ago

Are you running this behind docker or a development VM?

drale2k commented 6 years ago

No, I am running bare-bones Rails at the moment on my Mac directly and added the gem in my Gemfile via gem 'rvt', git: "https://github.com/gsamokovarov/rvt", branch: "xtermjs"

PS: in production I am planning to use Docker and have a Rails container. Will this be a problem, or are you asking because of IP whitelisting specifically?

gsamokovarov commented 6 years ago

I am asking because of the IP whitelisting. I'll double check the new /configuration endpoint calls.

drale2k commented 6 years ago

Thank you. It's in my interest to get this to work as soon as I can, so if you need any additional debug data / testing on my part, let me know.

gsamokovarov commented 6 years ago

I have merged the xtermjs branch into master, but I cannot reproduce the issue. Can you leave a debugger/puts around: https://github.com/gsamokovarov/rvt/blob/5b623d50191b01652351fed039a458aca62c18a2/app/controllers/rvt/console_sessions_controller.rb#L30

drale2k commented 6 years ago

Just a puts before and after or to inspect something specific?

drale2k commented 6 years ago

OK, so first of all, I created a brand new Rails app to make sure it's not something application-specific, but I got the same error.

Then I put "byebug" and puts before and after @console_session.configure(console_session_params), but no matter where I put it inside that method, it is never reached.

Here is the console output for the error:

Started GET "/console/console_sessions/6659/pending_output?uid=50e17f0818e0f8283cd6336db8a3b4c2" for 127.0.0.1 at 2018-06-06 20:49:49 +0200
Processing by RVT::ConsoleSessionsController#pending_output as */*
  Parameters: {"uid"=>"50e17f0818e0f8283cd6336db8a3b4c2", "id"=>"6659"}
Completed 200 OK in 1ms (Views: 0.2ms | ActiveRecord: 0.0ms)

Started PUT "/console/console_sessions/6659/configuration" for 127.0.0.1 at 2018-06-06 20:49:49 +0200
Processing by RVT::ConsoleSessionsController#configuration as */*
  Parameters: {"width"=>"170", "height"=>"48", "uid"=>"50e17f0818e0f8283cd6336db8a3b4c2", "id"=>"6659"}
Can't verify CSRF token authenticity.
Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms)

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

Started GET "/console/console_sessions/6659/pending_output?uid=50e17f0818e0f8283cd6336db8a3b4c2" for 127.0.0.1 at 2018-06-06 20:49:49 +0200
Processing by RVT::ConsoleSessionsController#pending_output as */*
  Parameters: {"uid"=>"50e17f0818e0f8283cd6336db8a3b4c2", "id"=>"6659"}
Completed 200 OK in 1ms (Views: 0.2ms | ActiveRecord: 0.0ms)

drale2k commented 6 years ago

Update: I fixed it now by adding skip_before_action :verify_authenticity_token to `rvt/application_controller.rb`. (I tried this before, but for some reason now it worked.)

Any security implications with this?

Unfortunately, I now ran into another issue after the console is used for 2 minutes or so. Will open a new issue for this.

gsamokovarov commented 6 years ago

@drale2k can you puts the console_session_params and the result of @console_session.configure(console_session_params)?

drale2k commented 6 years ago

(byebug) console_session_params
<ActionController::Parameters {"id"=>"26647", "uid"=>"52fbd3f140dce0017f0b8b7cd0114d25", "width"=>"170", "height"=>"68"} permitted: true>
(byebug) @console_session.configure(console_session_params)
[68, 170]

gsamokovarov commented 6 years ago

@drale2k can you try reproducing this in a standalone application? I'm not able to reproduce it.

eclemens commented 6 years ago

I have the same problem with Rails 5.2:

Started PUT "/console/console_sessions/31794/input" for 127.0.0.1 at 2018-07-17 11:53:35 -0700
Processing by RVT::ConsoleSessionsController#input as */*
  Parameters: {"input"=>"f", "uid"=>"75fd04308a63ebc64a89f0094bb1f99c", "id"=>"31794"}
Can't verify CSRF token authenticity.
Completed 422 Unprocessable Entity in 1ms (Flexirest: 0.0ms for 0 calls | ActiveRecord: 0.0ms)

ActionController::InvalidAuthenticityToken - ActionController::InvalidAuthenticityToken:

gsamokovarov commented 6 years ago

Rails 5 has CSRF protection by default, so I'm skipping it on it. Should be fixed on master.
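For readers weighing the "any security implications" question above: the check that skip_before_action :verify_authenticity_token removes, as an added stand-alone Ruby sketch modelled on Rails 5.2's ActionController::RequestForgeryProtection (not rvt's or Rails' own code; the helper names are mine, and the legacy unmasked-token and per-form-token paths are omitted). It shows why the PUT /configuration XHR in the log fails (no token in params or in the X-CSRF-Token header) and what such a request needs to carry for the check to pass instead of being skipped.

```ruby
require "securerandom"
require "base64"

TOKEN_LENGTH = 32 # Rails' AUTHENTICITY_TOKEN_LENGTH

# The per-session secret; Rails keeps it in session[:_csrf_token].
def session_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
end

def xor_byte_strings(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# What csrf_meta_tags emit into the page: a fresh one-time pad followed by
# (pad XOR secret), base64-encoded, so the raw secret never leaves the session.
def masked_authenticity_token(session)
  secret = Base64.strict_decode64(session_csrf_token(session))
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_byte_strings(pad, secret))
end

# Constant-time comparison, like ActiveSupport::SecurityUtils.secure_compare.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# A missing, malformed or other-session token is rejected, never assumed valid.
def valid_authenticity_token?(session, encoded)
  return false if encoded.nil? || encoded.empty?
  masked = Base64.strict_decode64(encoded)
  return false unless masked.bytesize == TOKEN_LENGTH * 2
  pad, encrypted = masked[0...TOKEN_LENGTH], masked[TOKEN_LENGTH..-1]
  secure_compare(xor_byte_strings(pad, encrypted),
                 Base64.strict_decode64(session_csrf_token(session)))
rescue ArgumentError # not valid strict base64
  false
end

# Rails reads the token from params["authenticity_token"] or the X-CSRF-Token
# header; the PUT /configuration request in the log sent neither, hence
# "Can't verify CSRF token authenticity." GET and HEAD are exempt.
def verified_request?(session, method, params, headers)
  return true if %w[GET HEAD].include?(method)
  token = params["authenticity_token"] || headers["X-CSRF-Token"]
  valid_authenticity_token?(session, token)
end
```

The usual fix on the client side is to send the token from the csrf-token meta tag in the X-CSRF-Token header of every XHR, which is what rails-ujs does for its own requests.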