openbmc / bmcweb

A do everything Redfish, KVM, GUI, and DBus webserver for OpenBMC
Apache License 2.0

Code doesn't build with insecure-disable-xss option set #178

Closed LW-Ho closed 3 years ago

LW-Ho commented 3 years ago

Sorry...

Because there is only one machine that can be tested on, this token (BMCWEB_INSECURE_DISABLE_XSS_PREVENTION) needs to be enabled, but an error is found. Can you help me fix it?

https://github.com/openbmc/bmcweb/blob/master/include/security_headers.hpp#L46

thanks a lot.

edtanous commented 3 years ago

This doesn't have nearly enough information for us to help you. What error did you find? Has it worked in the past?

LW-Ho commented 3 years ago

> This doesn't have nearly enough information for us to help you. What error did you find? Has it worked in the past?

Hi, I uploaded screenshots here. [Screenshot 2021-02-03 101331] [Screenshot 2021-02-03 101352]

I enabled BMCWEB_INSECURE_DISABLE_CSRF_PREVENTION and BMCWEB_INSECURE_DISABLE_XSS_PREVENTION, then used build_x86_docker.sh to build the code.

Subproject exists but has no meson.build file
Subproject boost is buildable: NO (disabling)
Has header "boost/url/url_view.hpp" : NO
Subproject exists but has no meson.build file
Subproject boost-url is buildable: NO (disabling)
Run-time dependency GTest found: YES 1.10.0
Run-time dependency GMock found: YES 1.10.0
Configuring config.h using configuration
Configuring bmcweb.service using configuration
Build targets in project: 6

bmcweb 1.0

  Report Issues
    Issues: https://github.com/openbmc/bmcweb/issues/new

  Build Info
    Build Type: debugoptimized
    Optimization: 2

  Enabled Features
    insecure-disable-csrf: -DBMCWEB_INSECURE_DISABLE_CSRF_PREVENTION
    ssl: -DBMCWEB_ENABLE_SSL
    insecure-disable-xss: -DBMCWEB_INSECURE_DISABLE_XSS_PREVENTION
    host-serial-socket: -DBMCWEB_ENABLE_HOST_SERIAL_WEBSOCKET
    kvm: -DBMCWEB_ENABLE_KVM
    basic-auth: -DBMCWEB_ENABLE_BASIC_AUTHENTICATION
    session-auth: -DBMCWEB_ENABLE_SESSION_AUTHENTICATION
    xtoken-auth: -DBMCWEB_ENABLE_XTOKEN_AUTHENTICATION
    cookie-auth: -DBMCWEB_ENABLE_COOKIE_AUTHENTICATION
    mutual-tls-auth: -DBMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
    pam: -DWEBSERVER_ENABLE_PAM
    redfish: -DBMCWEB_ENABLE_REDFISH
    rest: -DBMCWEB_ENABLE_DBUS_REST
    static-hosting: -DBMCWEB_ENABLE_STATIC_HOSTING
    vm-websocket: -DBMCWEB_ENABLE_VM_WEBSOCKET
    unittest: NA
    ibm-management-console: -DBMCWEB_ENABLE_IBM_MANAGEMENT_CONSOLE
    debug: -DBMCWEB_ENABLE_DEBUG
    logging: -DBMCWEB_ENABLE_LOGGING

  Directories
    prefix: /usr/local
    bindir: /usr/local/bin
    systemd unit directory: /lib/systemd/system

  Subprojects
    boost: NO Subproject exists but has no meson.build file
    boost-url: NO Subproject exists but has no meson.build file
    nlohmann: YES
    sdbusplus: YES

Found ninja-1.10.0 at /usr/bin/ninja
ninja: Entering directory `build'
[1/19] Compiling C++ object subprojects/sdbusplus/libsdbusplus.so.1.0.0.p/src_sdbus.cpp.o
[2/19] Compiling C++ object subprojects/sdbusplus/libsdbusplus.so.1.0.0.p/src_exception.cpp.o
[3/19] Compiling C++ object subprojects/sdbusplus/libsdbusplus.so.1.0.0.p/src_bus.cpp.o
[4/19] Compiling C++ object subprojects/sdbusplus/libsdbusplus.so.1.0.0.p/src_server_interface.cpp.o
[5/19] Compiling C++ object subprojects/sdbusplus/libsdbusplus.so.1.0.0.p/src_server_transaction.cpp.o
[6/19] Linking target subprojects/sdbusplus/libsdbusplus.so.1.0.0
[7/19] Generating symbol file subprojects/sdbusplus/libsdbusplus.so.1.0.0.p/libsdbusplus.so.1.0.0.symbols
[8/19] Compiling C++ object utility_test.p/http_ut_utility_test.cpp.o
[9/19] Linking target utility_test
[10/19] Compiling C++ object privileges_test.p/redfish-core_ut_privileges_test.cpp.o
[11/19] Compiling C++ object dbus_utility_test.p/include_ut_dbus_utility_test.cpp.o
[12/19] Linking target dbus_utility_test
[13/19] Compiling C++ object lock_test.p/redfish-core_ut_lock_test.cpp.o
[14/19] Compiling C++ object bmcweb.p/redfish-core_src_utils_json_utils.cpp.o
[15/19] Linking target privileges_test
[16/19] Compiling C++ object bmcweb.p/redfish-core_src_error_messages.cpp.o
[17/19] Linking target lock_test
[18/19] Compiling C++ object bmcweb.p/src_webserver_main.cpp.o
FAILED: bmcweb.p/src_webserver_main.cpp.o
c++ -Ibmcweb.p -I. -I.. -I../include -I../redfish-core/include -I../redfish-core/lib -I../http -I../subprojects/nlohmann/single_include -I../subprojects/nlohmann/single_include/nlohmann -flto -fdiagnostics-color=always -pipe -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -Wnon-virtual-dtor -Wextra -Wpedantic -Werror -std=c++17 -O2 -g -DBMCWEB_INSECURE_DISABLE_CSRF_PREVENTION -DBMCWEB_ENABLE_SSL -DBMCWEB_INSECURE_DISABLE_XSS_PREVENTION -DBMCWEB_ENABLE_HOST_SERIAL_WEBSOCKET -DBMCWEB_ENABLE_KVM -DBMCWEB_ENABLE_BASIC_AUTHENTICATION -DBMCWEB_ENABLE_SESSION_AUTHENTICATION -DBMCWEB_ENABLE_XTOKEN_AUTHENTICATION -DBMCWEB_ENABLE_COOKIE_AUTHENTICATION -DBMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION -DWEBSERVER_ENABLE_PAM -DBMCWEB_ENABLE_REDFISH -DBMCWEB_ENABLE_DBUS_REST -DBMCWEB_ENABLE_STATIC_HOSTING -DBMCWEB_ENABLE_VM_WEBSOCKET -DBMCWEB_ENABLE_IBM_MANAGEMENT_CONSOLE -Wold-style-cast -Wcast-align -Wunused -Woverloaded-virtual -Wconversion -Wsign-conversion -Wno-attributes -Wno-stringop-overflow -Wduplicated-cond -Wduplicated-branches -Wlogical-op -Wunused-parameter -Wnull-dereference -Wdouble-promotion -Wformat=2 -fno-fat-lto-objects -fvisibility=hidden -fvisibility-inlines-hidden -DBMCWEB_ENABLE_LOGGING -DBMCWEB_ENABLE_DEBUG -DBOOST_ASIO_USE_TS_EXECUTOR_AS_DEFAULT -DBOOST_ASIO_DISABLE_THREADS -DBOOST_BEAST_USE_STD_STRING_VIEW -DBOOST_ERROR_CODE_HEADER_ONLY -DBOOST_SYSTEM_NO_DEPRECATED -DBOOST_ASIO_NO_DEPRECATED -DBOOST_ALL_NO_LIB -DBOOST_NO_RTTI -DBOOST_NO_TYPEID -DBOOST_COROUTINES_NO_DEPRECATION_WARNING -DBOOST_URL_STANDALONE -DBOOST_URL_HEADER_ONLY -DBOOST_ALLOW_DEPRECATED_HEADERS -isystem../subprojects/boost-url/include -isystem../subprojects/boost_1_73_0 -isystem../subprojects/sdbusplus/include -MD -MQ bmcweb.p/src_webserver_main.cpp.o -MF bmcweb.p/src_webserver_main.cpp.o.d -o bmcweb.p/src_webserver_main.cpp.o -c ../src/webserver_main.cpp
In file included from ../http/http_connection.hpp:20,
                 from ../http/http_server.hpp:3,
                 from ../http/app.hpp:4,
                 from ../src/webserver_main.cpp:3:
../include/security_headers.hpp: In function ‘void addSecurityHeaders(crow::Response&)’:
../include/security_headers.hpp:46:37: error: ‘req’ was not declared in this scope; did you mean ‘res’?
   46 |     const std::string_view origin = req.getHeaderValue("Origin");
      |                                     ^~~
      |                                     res
../src/webserver_main.cpp: In function ‘int main(int, char**)’:
../src/webserver_main.cpp:103:5: error: ‘cors_preflight’ has not been declared
  103 |     cors_preflight::requestRoutes(app);
      |     ^~~~~~
ninja: build stopped: subcommand failed.
Found runner: ['/usr/bin/ninja']
Removing intermediate container f7b1a6721c23
The command '/bin/sh -c cd source && meson setup build && meson compile -C build' returned a non-zero code: 1

edtanous commented 3 years ago

Yep, this looks like a bug. We'll likely need to add back the req& to the function prototype with a [[maybe_unused]].

Feel free to push the patch to gerrit if you get this fixed before I do.
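The fix edtanous describes, as an added illustration rather than bmcweb's own code: a parameter that is only referenced inside an `#ifdef` block must stay in the prototype for both configurations, and `[[maybe_unused]]` stops `-Wunused-parameter -Werror` from failing the default build. The `Request`/`Response` stand-ins and the exact header values are constructed for the example and are not copied from bmcweb.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <string_view>

// Minimal stand-ins for crow::Request / crow::Response, constructed for this
// example (the real bmcweb types live under http/).
struct Request {
    std::map<std::string, std::string> headers;
    std::string_view getHeaderValue(std::string_view name) const {
        auto it = headers.find(std::string(name));
        return it == headers.end() ? std::string_view{} : std::string_view(it->second);
    }
};
struct Response {
    std::map<std::string, std::string> headers;
    void addHeader(std::string_view name, std::string_view value) {
        headers[std::string(name)] = std::string(value);
    }
};

// `req` is only referenced inside the #ifdef, so in the default (secure) build
// -Wunused-parameter fires and -Werror fails the build; dropping the parameter
// instead breaks the insecure build with "'req' was not declared in this scope".
// [[maybe_unused]] keeps one prototype that compiles in both configurations.
void addSecurityHeaders([[maybe_unused]] const Request& req, Response& res) {
    res.addHeader("X-Frame-Options", "DENY");            // header set is illustrative
    res.addHeader("X-Content-Type-Options", "nosniff");  // only, not bmcweb's exact list
#ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
    // Development-only path: reflect the caller's Origin so a UI served from
    // another host can reach the BMC.
    const std::string_view origin = req.getHeaderValue("Origin");
    res.addHeader("Access-Control-Allow-Origin", origin);
#else
    res.addHeader("Content-Security-Policy", "default-src 'self'");
#endif
}

// True when the response reflects Origin, i.e. the insecure option was compiled in.
bool reflectsOrigin() {
    Request req;
    req.headers["Origin"] = "https://dev-ui.example";  // constructed sample input
    Response res;
    addSecurityHeaders(req, res);
    return res.headers.count("Access-Control-Allow-Origin") != 0;
}

int main() { std::cout << (reflectsOrigin() ? "insecure build" : "secure build") << '\n'; }
```

Build once without and once with `-DBMCWEB_INSECURE_DISABLE_XSS_PREVENTION` (add `-Wunused-parameter -Werror` to see the warning the attribute suppresses); both variants compile and the output tells you which path was compiled in.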

LW-Ho commented 3 years ago

> Yep, this looks like a bug. We'll likely need to add back the req& to the function prototype with a [[maybe_unused]].
>
> Feel free to push the patch to gerrit if you get this fixed before I do.

Thanks for your response.

edtanous commented 3 years ago

https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/40369 should be the fix. Please download and comment back if it resolves the issue for you.

LW-Ho commented 3 years ago

Thanks a lot.