CodeIgniter Forums
SecurityException Status Codes

SecurityException Status Codes - donpwinston - 03-27-2024

It appears CI4.4.3 is setting a 5XX status code for SecurityExceptions. My security people are complaining about this. They (unbelievably) have classified it as a HIGH/cat 1 severity security vulnerability. I think my apps (5 of them) have been doing this for a few years but all of a sudden they are flagging this now for some reason. (They do regular probing of our apps every Sunday)
How can I change this?
I set

PHP Code:
security.redirect = true

in the .env file but I think that only applies to CSRF SecurityExceptions. I throw a bunch of them in several filters I use to counter other security vulnerabilities my security people have told me to fix. I suppose I could throw some other kind of exception but I'd rather not.

Looking at the SecurityException class, the disallowedAction is supposed to be a 403. So my SecurityException invocations should not be setting the status code to 5xx.

What else could it be?


RE: SecurityException Status Codes - donpwinston - 03-27-2024

I edited App/Config/Exceptions and replaced the exception handler with a customized SecureExceptionHandler. For status codes 500 and above I set it to 418 or 403.

I don't like doing this because I'll have to check it after every upgrade to see if anything changed. ExceptionHandler is a final class. I can't subclass it. I can only just copy it.


RE: SecurityException Status Codes - kenjis - 03-27-2024

No, CI4 returns 403 response when a CSRF error happens.
See https://codeigniter4.github.io/CodeIgniter4/general/errors.html#specify-http-status-code-in-your-exception

PHP Code:
<?php

namespace App\Controllers;

use CodeIgniter\Security\Exceptions\SecurityException;

class Home extends BaseController
{
    public function index()
    {
        // SecurityException carries code 403, which the exception handler uses as the HTTP status
        throw SecurityException::forDisallowedAction();
    }
}

Code:
$ curl -D - -s  -o /dev/null http://localhost:8080
HTTP/1.1 403 Forbidden
Host: localhost:8080
Date: Wed, 27 Mar 2024 22:48:17 GMT
Connection: close
X-Powered-By: PHP/7.4.33
Cache-Control: no-store, max-age=0, no-cache
Content-Type: application/json; charset=UTF-8

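The mechanism behind the 403 above is that an exception implementing HTTPExceptionInterface has its code used as the HTTP status. The following filter is an added example (not code from the thread or from the framework) showing the two ways a filter can reject a request without falling through to the handler's default 500; the exception class, filter class and host list are assumed names.

```php
<?php
// Added example, not from the thread. Assumes CodeIgniter 4.3+, where an
// exception implementing HTTPExceptionInterface has its code used as the
// HTTP status code by the framework's exception handler.

namespace App\Filters;

use CodeIgniter\Exceptions\HTTPExceptionInterface;
use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use RuntimeException;

// Hypothetical exception: the code given to the constructor becomes the status.
class BlockedRequestException extends RuntimeException implements HTTPExceptionInterface
{
    public static function forBadHostHeader(string $host): self
    {
        return new self("Rejected request for host '{$host}'", 400);
    }
}

// Hypothetical filter; register it in app/Config/Filters.php to enable it.
class HostCheckFilter implements FilterInterface
{
    // Constructed sample list of hosts this deployment serves.
    private const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

    public function before(RequestInterface $request, $arguments = null)
    {
        $host = strtolower((string) $request->getServer('HTTP_HOST'));

        if (! in_array($host, self::ALLOWED_HOSTS, true)) {
            // Option 1: throw an HTTPExceptionInterface exception. The handler
            // maps getCode() (400 here) to the response status, not 500.
            throw BlockedRequestException::forBadHostHeader($host);
        }

        if (strtoupper($request->getMethod()) === 'TRACE') {
            // Option 2: no exception at all. Returning a ResponseInterface from
            // before() stops further processing and sends that response as-is.
            return service('response')->setStatusCode(405)->setBody('Method not allowed');
        }

        return null; // fall through to the controller
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        return null;
    }
}
```

Checking with the same curl command as above should show HTTP/1.1 400 for a request whose Host header is not in the list, confirming the status came from the exception code rather than the 500 default.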


RE: SecurityException Status Codes - donpwinston - 03-31-2024

Yes but it sends 500 codes for other things. This is not allowed by my security people. Replacing the ExceptionHandler class with my version is the only way I've come up with to fix the problem. Maybe you guys should consider not sending 500 codes for any reason. This requirement is coming from the US Federal Government.


RE: SecurityException Status Codes - kenjis - 03-31-2024

What are the other things?
If there are exceptions that the framework throws, and the status code is incorrect,
we should fix the status code.
But developers should catch other exceptions if needed, and handle them properly.

Yes, when the framework Exception Handler catches Exceptions,
the default HTTP status code will be 500.

In my opinion, changing the default 500 to 4xx does nothing for security,
and 4xx is probably incorrect in most cases, because 4xx means errors on the client side,
but most exceptions are caused by the server side.

Can you show the exact requirement coming from the US Federal Government?
I don't get why the US Federal Government says such nonsense.


RE: SecurityException Status Codes - donpwinston - 04-01-2024

I don't understand why a 500 status code is so bad either. They tell me that it indicates a possible instability in your system that makes it a candidate to be exploited. It is sort of an encouragement to keep on trying to hack your site. But if you eliminate 500s, then 400s could be interpreted as the same thing. So I think it is stupid.


RE: SecurityException Status Codes - kenjis - 04-01-2024

Indeed, it would be possible to say that 500 represents system instability.
If exceptions can be caught and recovered, the application should do so.

However, if it is a client-side problem, we should return 4xx, and if it is a server-side problem,
we should return 5xx. For example, if it cannot connect to the database, we can only return 500.

Thus, if the framework throws an exception and returns an inappropriate 500 response,
it is a bug in the framework. Please report a bug or send a PR to fix it.