moloch-- / RootTheBox

A Game of Hackers (CTF Scoreboard & Game Manager)
http://root-the-box.com/
Apache License 2.0

HTTP 500 "unexpected keyword argument 'httpOnly'" #551

Closed PJNorrisS1 closed 1 year ago

PJNorrisS1 commented 1 year ago

Hi, just provisioned a new instance, pulled down the latest version, and set up as I have done many a time before.

Login screen loads with my HTTPS connection, but I get an HTTP 500 page after login.

In the logs I have: (placed xxxx's in sensitive areas)

rtb-channel-challenge-webapp-1     | [I 230418 15:28:06 web:2327] 200 GET /login (86.xxxxxx) 0.94ms
rtb-channel-challenge-webapp-1     | [I 230418 15:28:06 web:2327] 101 GET /connect/notifications/updates (86.xxxxx) 0.56ms
rtb-channel-challenge-webapp-1     | [I 230418 15:28:08 PublicHandlers:284] Successful login: admin from 86.xxxxxx
rtb-channel-challenge-webapp-1     | [E 230418 15:28:08 web:1854] Uncaught exception POST /login (86.xxxxxx)
rtb-channel-challenge-webapp-1     |     HTTPServerRequest(protocol='https', host='partner.xxxxxx.com', method='POST', uri='/login', version='HTTP/1.1', remote_ip='86.xxxxxx')
rtb-channel-challenge-webapp-1     |     Traceback (most recent call last):
rtb-channel-challenge-webapp-1     |       File "/usr/local/lib/python3.8/site-packages/tornado/web.py", line 1767, in _execute
rtb-channel-challenge-webapp-1     |         result = method(*self.path_args, **self.path_kwargs)
rtb-channel-challenge-webapp-1     |       File "/opt/rtb/libs/SecurityDecorators.py", line 106, in wrapper
rtb-channel-challenge-webapp-1     |         return method(self, *args, **kwargs)
rtb-channel-challenge-webapp-1     |       File "/opt/rtb/handlers/PublicHandlers.py", line 224, in post
rtb-channel-challenge-webapp-1     |         self.valid_login(user)
rtb-channel-challenge-webapp-1     |       File "/opt/rtb/handlers/PublicHandlers.py", line 276, in valid_login
rtb-channel-challenge-webapp-1     |         self.successful_login(user)
rtb-channel-challenge-webapp-1     |       File "/opt/rtb/handlers/PublicHandlers.py", line 291, in successful_login
rtb-channel-challenge-webapp-1     |         self.start_session()
rtb-channel-challenge-webapp-1     |       File "/opt/rtb/handlers/BaseHandlers.py", line 102, in start_session
rtb-channel-challenge-webapp-1     |         self.set_secure_cookie("session_id", self.session.session_id, **flags)
rtb-channel-challenge-webapp-1     |       File "/usr/local/lib/python3.8/site-packages/tornado/web.py", line 756, in set_signed_cookie
rtb-channel-challenge-webapp-1     |         self.set_cookie(
rtb-channel-challenge-webapp-1     |     TypeError: set_cookie() got an unexpected keyword argument 'HttpOnly'
rtb-channel-challenge-webapp-1     | [E 230418 15:28:08 BaseHandlers:195] Request from 86.10.128.58 resulted in an error code 500:
rtb-channel-challenge-webapp-1     |     Traceback (most recent call last):
rtb-channel-challenge-webapp-1     |       File "/usr/local/lib/python3.8/site-packages/tornado/web.py", line 1767, in _execute
rtb-channel-challenge-webapp-1     |         result = method(*self.path_args, **self.path_kwargs)
rtb-channel-challenge-webapp-1     |       File "/opt/rtb/libs/SecurityDecorators.py", line 106, in wrapper
rtb-channel-challenge-webapp-1     |         return method(self, *args, **kwargs)
rtb-channel-challenge-webapp-1     |       File "/opt/rtb/handlers/PublicHandlers.py", line 224, in post
rtb-channel-challenge-webapp-1     |         self.valid_login(user)
rtb-channel-challenge-webapp-1     |       File "/opt/rtb/handlers/PublicHandlers.py", line 276, in valid_login
rtb-channel-challenge-webapp-1     |         self.successful_login(user)
rtb-channel-challenge-webapp-1     |       File "/opt/rtb/handlers/PublicHandlers.py", line 291, in successful_login
rtb-channel-challenge-webapp-1     |         self.start_session()
rtb-channel-challenge-webapp-1     |       File "/opt/rtb/handlers/BaseHandlers.py", line 102, in start_session
rtb-channel-challenge-webapp-1     |         self.set_secure_cookie("session_id", self.session.session_id, **flags)
rtb-channel-challenge-webapp-1     |       File "/usr/local/lib/python3.8/site-packages/tornado/web.py", line 756, in set_signed_cookie
rtb-channel-challenge-webapp-1     |         self.set_cookie(
rtb-channel-challenge-webapp-1     |     TypeError: set_cookie() got an unexpected keyword argument 'HttpOnly'
rtb-channel-challenge-webapp-1     |     

I'm wondering if there is a new library updated that is breaking this?

PJNorrisS1 commented 1 year ago

I did a pip list on a working instance and the latest instance and have just listed the ones I see version changes to:

alembic 1.10.2 -> 1.10.3
cryptography 40.0.1 -> 40.0.2
importlib-metadata 6.1.0 -> 6.5.0
msal 1.21.0 -> 1.22.0
packaging 23.0 -> 23.1
rocketchat-API 1.29.0 -> 1.30.0
tornado 6.2 -> 6.3

PJNorrisS1 commented 1 year ago

Update: I can confirm tornado 6.3 breaks RTB. I have put the following line in requirements:

tornado==6.2; python_version>='3.0'

Built the image and it worked fine.

eljeffeg commented 1 year ago

Thank you for the report and confirmation of the issue. I'll take a look and see if we can update that to be compliant with the latest Tornado.

jharbin commented 1 year ago

@PJNorrisS1 Is that the only change you made in the /setup/requirements.txt file? I am having the same issue with a clean pull from GitHub, i.e. login is fine, but error when hitting first page. Signup and scoreboard show up ok as well.

My error on main page, after adding your tornado directive and re-building the docker image (looks like yours, I believe):

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/tornado/web.py", line 1767, in _execute
    result = method(*self.path_args, **self.path_kwargs)
  File "/opt/rtb/libs/SecurityDecorators.py", line 106, in wrapper
    return method(self, *args, **kwargs)
  File "/opt/rtb/handlers/PublicHandlers.py", line 224, in post
    self.valid_login(user)
  File "/opt/rtb/handlers/PublicHandlers.py", line 276, in valid_login
    self.successful_login(user)
  File "/opt/rtb/handlers/PublicHandlers.py", line 291, in successful_login
    self.start_session()
  File "/opt/rtb/handlers/BaseHandlers.py", line 102, in start_session
    self.set_secure_cookie("session_id", self.session.session_id, **flags)
  File "/usr/local/lib/python3.8/site-packages/tornado/web.py", line 756, in set_signed_cookie
    self.set_cookie(
TypeError: set_cookie() got an unexpected keyword argument 'HttpOnly'

jharbin commented 1 year ago

nvm.. I blew away all the folders, pulled down fresh, made the singular change in requirements.txt and did a "docker-compose build" and then a "docker-compose up" and it's working. Thanks guys!

eljeffeg commented 1 year ago

Until it is resolved, I updated the requirements. Also created an issue at Tornado. https://github.com/tornadoweb/tornado/issues/3252

eljeffeg commented 1 year ago

Applied a fix - let me know if there is any further issue. Thanks

PJNorrisS1 commented 1 year ago

I have removed the requirements statement so 6.3 is installed and can confirm this has worked. Thank you.
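
Added example, not part of the thread and not RootTheBox's actual fix: one way to normalize a capitalized flags dict such as the one passed as `**flags` in the traceback, and to check with the standard library that `HttpOnly` and `Secure` still reach the `Set-Cookie` header. The helper names, the sample flags and the allowlist (assumed to match the lowercase keyword names of Tornado's `set_cookie`) are assumptions.

```python
from http.cookies import SimpleCookie

# Assumption: lowercase keyword names accepted by Tornado's
# RequestHandler.set_cookie (underscore instead of hyphen).
ALLOWED = {"domain", "expires", "path", "expires_days", "max_age",
           "httponly", "secure", "samesite"}


def normalize_cookie_flags(flags):
    """Return a copy of `flags` with lowercase, underscore-style keys."""
    normalized = {}
    for key, value in flags.items():
        name = key.lower().replace("-", "_")
        if name not in ALLOWED:
            raise ValueError(f"unknown cookie flag: {key!r}")
        if name in normalized:
            # e.g. both 'HttpOnly' and 'httponly': refuse to guess which wins
            raise ValueError(f"cookie flag given twice: {key!r}")
        normalized[name] = value
    return normalized


def render_set_cookie(name, value, flags):
    """Render a Set-Cookie value with the stdlib to see which attributes survive."""
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    for key, val in normalize_cookie_flags(flags).items():
        if key == "expires_days":
            continue  # Tornado convenience argument, not a cookie attribute
        if key in ("httponly", "secure") and not val:
            continue  # a false boolean flag must not be emitted
        morsel[key.replace("_", "-")] = val
    return morsel.OutputString()


if __name__ == "__main__":
    # Constructed sample flags; the real dict in BaseHandlers.py is not shown on the page.
    flags = {"HttpOnly": True, "Secure": True, "SameSite": "Strict"}
    print(normalize_cookie_flags(flags))
    print(render_set_cookie("session_id", "abc123", flags))
    # In a handler the normalized dict would be passed on as:
    #   self.set_secure_cookie("session_id", value, **normalize_cookie_flags(flags))
```

Asserting on the rendered header in a regression test catches a dependency upgrade that drops `HttpOnly` or `Secure` from the session cookie without raising an error.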