Properly secure GAE task queue URLs (without using app.yaml)

I want to protect task queue URLs from malicious access.

In the views that handle task queue requests:

    if not users.is_current_user_admin():
        return HttpResponse(status=403)

But my task queues get 403 errors! I was under the impression from the GAE documentation that task queue requests run as an administrator. What gives?

NOTE: I am using Django-nonrel, so I cannot restrict access per URL in my app.yaml; I have to do this programmatically in the views.

+6
3 answers

Tasks can bypass login: admin restrictions; however, users.is_current_user_admin() will still return False, because technically there is no current user.

Using Django-nonrel should not stop you from protecting your tasks with app.yaml. Just add a secured handler above your Django catch-all:

    handlers:
    - url: /tasks/.+
      script: main.py
      login: admin
    - url: .*
      script: main.py

Any URL starting with /tasks/ will be accessible to the task queue and inaccessible to visitors who are not administrators, without changing your routes.

+10

Your handlers can check for a task queue HTTP header, such as X-AppEngine-QueueName.

From the official GAE docs:

Requests from the task queue service contain the following HTTP headers:

X-AppEngine-QueueName
X-AppEngine-TaskName
X-AppEngine-TaskRetryCount
X-AppEngine-TaskExecutionCount
X-AppEngine-TaskETA

These headers are set internally by Google App Engine. If your request handler finds any of these headers, it can trust that the request is a task queue request. If any of the above headers are present in an external user request to your application, they are stripped.

+4
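One way to apply the header check from this answer in a Django view, as an added example that is not code from the original page or from any of the answers. It assumes Python 3 and the usual Django convention that request headers appear in request.META with an HTTP_ prefix (X-AppEngine-QueueName becomes HTTP_X_APPENGINE_QUEUENAME); the view name process_task, the _Request stand-in and the sample requests are constructed for the demo. Django is used when it is installed and otherwise replaced by a minimal stand-in response class so the example runs offline.

```python
# Added example: a Django view decorator that only lets App Engine task queue
# requests through. Not code from the original page; process_task, _Request
# and the sample requests below are constructed for the demo.
import functools

try:
    from django.conf import settings
    if not settings.configured:
        settings.configure()  # lets HttpResponse work outside a full project
    from django.http import HttpResponse
except ImportError:
    class HttpResponse:
        """Minimal stand-in for django.http.HttpResponse (Django not installed)."""
        def __init__(self, content=b"", status=200):
            self.content = content if isinstance(content, bytes) else content.encode()
            self.status_code = status

# Headers App Engine adds to task queue requests and strips from external ones.
# Django exposes request headers as META keys: "X-AppEngine-QueueName" ->
# "HTTP_X_APPENGINE_QUEUENAME".
TASK_QUEUE_META_KEYS = (
    "HTTP_X_APPENGINE_QUEUENAME",
    "HTTP_X_APPENGINE_TASKNAME",
)


def is_task_queue_request(request):
    """True if the request carries a non-empty task queue header.

    This is only trustworthy behind the App Engine front end, which strips
    these headers from external traffic; anywhere else they can be spoofed.
    """
    meta = request.META
    return any(meta.get(key) for key in TASK_QUEUE_META_KEYS)


def task_queue_only(view):
    """Reject with 403 unless the request came from the task queue service.

    Unlike users.is_current_user_admin(), this works for tasks, which have no
    current user at all.
    """
    @functools.wraps(view)
    def wrapper(request, *args, **kwargs):
        if not is_task_queue_request(request):
            return HttpResponse("task queue only", status=403)
        return view(request, *args, **kwargs)
    return wrapper


@task_queue_only
def process_task(request):
    # Hypothetical task handler: echo the task name the service assigned.
    return HttpResponse("processed " + request.META["HTTP_X_APPENGINE_TASKNAME"])


class _Request:
    """Constructed stand-in for django.http.HttpRequest carrying only META."""
    def __init__(self, meta):
        self.META = meta


def demo():
    """Run the view once as the task queue service and once as an outsider."""
    from_queue = _Request({  # constructed: what App Engine sends for a task
        "HTTP_X_APPENGINE_QUEUENAME": "default",
        "HTTP_X_APPENGINE_TASKNAME": "task42",
        "HTTP_X_APPENGINE_TASKRETRYCOUNT": "0",
    })
    external = _Request({"HTTP_USER_AGENT": "curl/8.0"})  # constructed: no headers
    return (process_task(from_queue).status_code,
            process_task(external).status_code)


if __name__ == "__main__":
    print(demo())  # (200, 403)
```

The check deliberately treats an empty header value as absent, and it is sound only because App Engine removes these headers from external requests before your code sees them; if the same views are served from anywhere else, add a different control (for example a login: admin handler or a shared secret in the task payload).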

You can do this with two checks:

  • Check the remote address, it will be 0.1.0.1
  • Check for the [ X-Appengine-Cron ] header.

This will protect your task queue URLs (this only applies to push queues as far as I know).

I wrote a decorator that does this check for me. Hope this was helpful.

For more information, please refer to the docs.

0

Source: https://habr.com/ru/post/887415/
