CSRF check not passed when creating folder using API

I have written an application to help me migrate thousands of files from another system into our Nextcloud.

This sometimes works, and sometimes I get CSRF check not passed. errors. These errors do not appear in my nextcloud.log, but are passed back to my application.

Here are the details of what I am sending and receiving:

Method: MKCOL, RequestUri: 'https://<my cloud server>/remote.php/dav/files/<user>/<folder1>/<folder2>'
{
  Authorization: Basic <auth string>
  OCS-APIRequest: true
  Accept: application/json
  Accept: text/html
  Accept: */*
  User-Agent: BasecampGatewayLive
}:
StatusCode: 401, ReasonPhrase: 'Unauthorized', Headers:
{
  Date: Thu, 16 Jan 2020 14:38:08 GMT
  Server: Apache/2.4.38
  Server: (Debian)
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  Referrer-Policy: no-referrer
  X-Content-Type-Options: nosniff
  X-Download-Options: noopen
  X-Frame-Options: SAMEORIGIN
  X-Permitted-Cross-Domain-Policies: none
  X-Robots-Tag: none
  X-XSS-Protection: 1; mode=block
  Cache-Control: no-store, must-revalidate, no-cache
  Pragma: no-cache
  Content-Security-Policy: default-src 'none';
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Content-Length: 222
  Content-Type: application/xml; charset=utf-8
}
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>CSRF check not passed.</s:message>
</d:error>

Can someone explain what I have to do to prevent this happening?

Note that I have removed individual user and folder names, and other info. The user and folder1 above exist. The authorisation string is OK (works elsewhere).

Are you able to provide an example of how to reproduce? I'm not sure why the code takes this path for your request.

cc @rullzer any idea?

Thanks for getting back.

I guess I could write some code to reproduce the problem on our server. Of course, the code would then reveal the admin name and password on our server, which might not be a good idea. (The auth string contains the admin name and password.)

If I could find where the check happens, I could perhaps help debug it, but I don’t know that.


I’ve been looking at the code, and requiresCSRFCheck is true for all POSTs.

So the question becomes what do I have to do in my code in order to pass the CSRF check? Is this documented anywhere?

I tried debugging this, printing a stack trace when this function is called - all that did was make php run out of memory.

Surely this function should not be called for API functions that have the login information in the authentication header?

Please, please, can someone tell me how to format my requests so they PASS CSRF checks? I haven't found ANY documentation on this so far!

That seems to be wrong, yes.


As a workaround I would try to tell the Nextcloud server that I'm an official client. To debug this further, could you validate that the request also fails with curl and, if so, share the curl command? Also Nextcloud's "dav implementation" has some strange oddities like requiring cookies. It's actually stateless, but Nextcloud sometimes expects some cookies to be set.

I’ve got a bit further with this - I think it works if you clear your cookies. I was opening a connection to Nextcloud, with a cookie container, and leaving it open for days on end.
I changed the code to close the connection and open a new one with a new, empty cookie container every few minutes, and it’s OK now.

Does that help pin it down?
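As an added example (not code from this thread and not Nextcloud's own code): a stateless MKCOL client in Python that sends every request on a fresh connection with no cookie jar at all, which is the shape of the fix the last post arrived at, and that recognises the Sabre "CSRF check not passed." body so it can be told apart from an ordinary bad-credentials 401. The host name, user, password and folder names are placeholders, and FakeNextcloud is a constructed offline stand-in that models the reported symptom (a request carrying a session cookie next to Basic credentials is rejected) so the example runs without a server; it is an assumption about the behaviour, not a description of Nextcloud's implementation. The curl line in the comment is the one-off check the earlier reply asked for.

```python
import base64
import http.client
import urllib.parse
import xml.etree.ElementTree as ET

SABRE_NS = "http://sabredav.org/ns"

# Constructed copy of the error body quoted in the thread; used only to
# exercise the classifier offline.
SAMPLE_CSRF_ERROR = rb"""<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>CSRF check not passed.</s:message>
</d:error>"""

def basic_auth_header(user, password):
    """RFC 7617 Basic credential, the same header the original client sends."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def dav_path(user, remote_path):
    """Percent-encode each folder name; '/' stays as the path separator."""
    return f"/remote.php/dav/files/{user}/" + urllib.parse.quote(remote_path.strip("/"))

def classify_dav_error(status, body):
    """'ok' for 2xx, 'csrf' for the Sabre CSRF rejection, 'auth' for any
    other 401, 'other' for everything else."""
    if 200 <= status < 300:
        return "ok"
    if status != 401:
        return "other"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "auth"
    message = root.findtext(f"{{{SABRE_NS}}}message") or ""
    return "csrf" if "CSRF check not passed" in message else "auth"

def mkcol(host, user, password, remote_path, extra_headers=None, connection_factory=None):
    """One MKCOL on a brand-new connection; returns (status, body_bytes).
    No cookie jar exists anywhere, so a stale session cookie can never be
    sent alongside the Basic credentials."""
    headers = {
        "Authorization": basic_auth_header(user, password),
        "OCS-APIRequest": "true",
        "User-Agent": "BasecampGatewayLive",
    }
    headers.update(extra_headers or {})
    factory = connection_factory or http.client.HTTPSConnection
    conn = factory(host)
    try:
        conn.request("MKCOL", dav_path(user, remote_path), headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()

# Equivalent one-off check with curl (no cookie jar, fresh connection):
#   curl -u '<user>:<password>' -X MKCOL \
#        'https://<my cloud server>/remote.php/dav/files/<user>/<folder1>/<folder2>'

class FakeResponse:
    def __init__(self, status, body):
        self.status, self._body = status, body

    def read(self):
        return self._body

class FakeNextcloud:
    """Constructed offline stand-in for the server (an assumption modelling
    the thread's symptom, not Nextcloud's code): a request that still carries
    a Cookie header gets the CSRF error; a cookie-free MKCOL with Basic
    credentials succeeds."""
    def __init__(self, host):
        self.sent = None

    def request(self, method, url, body=None, headers=None):
        self.sent = (method, url, dict(headers or {}))

    def getresponse(self):
        method, url, headers = self.sent
        if "Cookie" in headers:
            return FakeResponse(401, SAMPLE_CSRF_ERROR)
        if method == "MKCOL" and headers.get("Authorization", "").startswith("Basic "):
            return FakeResponse(201, b"")
        return FakeResponse(401, b"")

    def close(self):
        pass

def demo(stale_cookie=False):
    """Run one MKCOL against the fake server and classify the outcome."""
    extra = {"Cookie": "stale-session=1"} if stale_cookie else None  # constructed cookie
    status, body = mkcol("cloud.example.test", "alice", "s3cret", "folder1/folder2",
                         extra_headers=extra, connection_factory=FakeNextcloud)
    return classify_dav_error(status, body)

if __name__ == "__main__":
    print("fresh connection, no cookies:", demo())
    print("same request with a stale cookie:", demo(stale_cookie=True))
```

Against a real server, drop connection_factory so http.client.HTTPSConnection is used; the point of the design is that nothing in the client stores cookies between calls, so the "open for days" cookie container that caused the original failures cannot reappear, and a 401 whose body is the Sabre CSRF error is surfaced distinctly from a genuine credential problem instead of being swallowed.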