Island: Disable session-based cookies in Flask

ilija-lazoroski · ilija-lazoroski · commit 6a4610b0aa7b · 2023-03-03T13:49:37.000+01:00
Issue: #2157 PR: #3044
diff --git a/monkey/monkey_island/cc/app.py b/monkey/monkey_island/cc/app.py
@@ -4,7 +4,8 @@
 from typing import Iterable, Set, Type
 
 import flask_restful
-from flask import Flask, Response, send_from_directory
+from flask import Flask, Response, g, send_from_directory
+from flask.sessions import SecureCookieSessionInterface
 from flask_mongoengine import MongoEngine
 from flask_security import ConfirmRegisterForm, MongoEngineUserDatastore, Security
 from werkzeug.exceptions import NotFound
@@ -88,6 +89,8 @@ def setup_authentication(app, data_dir):
     # Ignore CSRF, because it's irrelevant for javascript applications
     app.config["WTF_CSRF_CHECK_DEFAULT"] = False
     app.config["SECURITY_CSRF_IGNORE_UNAUTH_ENDPOINTS"] = True
+    # Forbid sending authentication token in URL parameters
+    app.config["SECURITY_TOKEN_AUTHENTICATION_KEY"] = None
 
     # The database object needs to be created after we configure the flask application
     db = MongoEngine(app)
@@ -114,6 +117,13 @@ class CustomConfirmRegisterForm(ConfirmRegisterForm):
         user_datastore,
         confirm_register_form=CustomConfirmRegisterForm,
     )
+    from flask_login import user_loaded_from_request
+
+    @user_loaded_from_request.connect
+    def user_loaded_from_request(self, user=None):
+        g.login_via_request = True
+
+    app.session_interface = disable_session_cookies()
 
 
 def init_app_config(app, mongo_url, data_dir: Path):
@@ -135,6 +145,21 @@ def init_app_config(app, mongo_url, data_dir: Path):
     setup_authentication(app, data_dir)
 
 
+def disable_session_cookies() -> SecureCookieSessionInterface:
+    class CustomSessionInterface(SecureCookieSessionInterface):
+        """Prevent creating session from API requests."""
+
+        def should_set_cookie(self, *args, **kwargs):
+            return False
+
+        def save_session(self, *args, **kwargs):
+            if g.get("login_via_request"):
+                return
+            return super(CustomSessionInterface, self).save_session(*args, **kwargs)
+
+    return CustomSessionInterface()
+
+
 def init_app_url_rules(app):
     app.add_url_rule("/", "serve_home", serve_home)
     app.add_url_rule("/<path:static_path>", "serve_static_file", serve_static_file)
diff --git a/vulture_allowlist.py b/vulture_allowlist.py
@@ -102,6 +102,9 @@
 app.url_map.strict_slashes
 api.representations
 hub.exception_stream
+app.login_via_request
+app.should_set_cookie
+app.session_interface
 
 # Deployment is chosen dynamically
 Deployment.DEVELOP
