Skip whole check_uri block when trust_all_content.
Fix test name.
# Prefer the attachment-only-host when we want an attachment
# (and when there is no preview link configured)
tmpl = Rails.configuration.keep_web_download_url
- else
+ elsif not Rails.configuration.trust_all_content
check_uri = URI.parse(tmpl % fmt)
if opts[:query_token] and
not check_uri.host.start_with?(munged_id + "--") and
# We're about to pass a token in the query string, but
# keep-web can't accept that safely at a single-origin URL
# template (unless it's -attachment-only-host).
- unless (Rails.configuration.trust_all_content and tmpl)
- tmpl = Rails.configuration.keep_web_download_url
- end
+ tmpl = Rails.configuration.keep_web_download_url
if not tmpl
raise ArgumentError, "Download precluded by site configuration"
end
# keep_web_download_url: https://download.uuid_prefix.arvadosapi.com/c=%{uuid_or_pdh}
keep_web_download_url: false
- # In "trust all content" mode, Workbench will redirect users to
- # keep-web even when that exposes XSS vulnerabilities.
+ # In "trust all content" mode, Workbench will redirect download
+ # requests to keep-web, even in the cases when keep-web would have
+ # to expose XSS vulnerabilities in order to handle the redirect.
#
- # When enabling this setting, the corresponding setting on the
- # keep-web server must also be enabled.
+ # When enabling this setting, the -trust-all-content flag on the
+ # keep-web server must also be enabled. For more detail, see
+ # https://godoc.org/github.com/curoverse/arvados/services/keep-web
+ #
+ # This setting has no effect in the recommended configuration, where
+ # the host part of keep_web_url begins with %{uuid_or_pdh}: in this
+ # case XSS protection is provided by browsers' same-origin policy.
+ #
+ # The default setting (false) is appropriate for a multi-user site.
trust_all_content: false
assert_equal "https://download.example/c=#{id.sub '+', '-'}/_/w%20a%20z?api_token=#{tok}", @response.redirect_url
end
- test "Redirect to keep_web_download_url via #{id_type} when trust_all_content enabled" do
+ test "Redirect to keep_web_url via #{id_type} when trust_all_content enabled" do
Rails.configuration.trust_all_content = true
setup_for_keep_web('https://collections.example/c=%{uuid_or_pdh}',
'https://download.example/c=%{uuid_or_pdh}')
//
// In "trust all content" mode, Keep-web will accept credentials (API
// tokens) and serve any collection X at
-// "https://collections.example.com/collections/X/path/file.ext".
+// "https://collections.example.com/c=X/path/file.ext".
// This is UNSAFE except in the special case where everyone who is
// able write ANY data to Keep, and every JavaScript and HTML file
// written to Keep, is also trusted to read ALL of the data in Keep.
// keep-web -listen :9999 -attachment-only-host domain.example:9999 -trust-all-content
//
// Depending on your site configuration, you might also want to enable
-// "trust all content" setting on Workbench, in which case Workbench will
-// redirect users to keep-web even when that exposes XSS vulnerabilities.
+// "trust all content" setting on Workbench. Normally, Workbench
+// avoids redirecting requests to keep-web if they depend on
+// -trust-all-content being set.
+//
package main