Verify that the request comes from GCP #45
Conversation
The underlying GCP Pilot library requests that Google Cloud Tasks signs the request with an OIDC token, but there is no logic to check that in the view. This is a security vulnerability since the tasks can be run by anyone now.
|
Code Climate has analyzed commit aa9db5f and detected 0 issues on this pull request. View more on Code Climate. |
There was a problem hiding this comment.
For setups that use private Cloud Run instances, the OIDC token is already validated by Cloud Run ingress [ref]. Adding a manual OIDC verification would be redundant.
Although I agree we should definitely allow manual checking for other uses cases, such as public Cloud Run instances. Thus, I'd suggest making this authentication opt-in using a setting (eg. DJANGO_CLOUD_TASKS_AUTH)
|
I would argue for doing the check by default and giving people the option to opt-out of this check as this is something easy to not-spot which could end-up in interesting data breaches (depending on what peeps use the async tasks for…). Also the cost of doing the check is absolutely marginal. Any plan to get this in soonish? As this is currently a blocker for me to start using this lib. |
3 participants
The underlying GCP Pilot library requests that Google Cloud Tasks signs the request with an OIDC token, but there is no logic to check that in the view.
This is a security vulnerability since the tasks can be run by anyone now.