CSRF Bug Not Resolved in Latest Release

[TheAIWizard]

Hi,

I'm still encountering the 403 Forbidden error related to CSRF, mentioned here in #6296, even after updating to version 1.14.0, which was supposed to address the CSRF errors when using Docker (#6344).

Could you please assist with resolving this?

Thanks in advance!

[makseq]

Could you show what you see on /version page?

[dbandurin]

Hello, I am running the Label studio container on Azure cloud. Today, when I tried to login into the studio, I got same message. What does it mean? It has been working fine for far, and I have not seen it before. I tried to re-register myself, but it does not help.
I am running the LS out of your container "heartexlabs/label-studio:latest". I wonder if it is caused by a recent image submission to that container registry

Here is my version page

[dbandurin]

FYI: the migration to version 1.13.1 helped. It works now.

[TheAIWizard]

@makseq I got this:

{
  "release": "1.14.0",
  "label-studio-os-package": {
    "version": "1.14.0",
    "short_version": "1.14",
    "latest_version_from_pypi": "1.14.0",
    "latest_version_upload_time": "2024-11-04T17:28:49",
    "current_version_is_outdated": false
  },

  "label-studio-os-backend": {
    "message": "empty commit to trigger build with updated flags",
    "commit": "4223d73ba3dc1711ecbf30c4bf5df5acbf099c28",
    "date": "2024/10/24 16:53:57",
    "branch": "",
    "version": "1.14.0+0.g4223d73"
  },

  "label-studio-frontend": {
    "message": "feat: LEAP-1476: Add ability to edit classifications on existing comme ...",
    "commit": "e824fbd3bf170509ffa5dd815deb7b0a5705381b",
    "date": "2024-10-16T21:39:46.000Z",
    "branch": "develop"
  },

  "dm2": {
    "message": "fix: LEAP-1596: Missed check for review_settings (#6535)",
    "commit": "ff2f11da387840c0863c711494b7d7ed2e3fd5c2",
    "date": "2024-10-17T12:31:43.000Z",
    "branch": "develop"
  },

[nithin-bose]

I got this same issue. Was using the latest image. Interestingly, I did not pull or redeploy in the last 20 or so days, does the latest image auto update or something?

Reverting to 1.13.1 solved the issue for the time being

[jombooth]

@TheAIWizard and others - can you describe a bit more about your setups? In particular, are you accessing your Docker server on the default URL of http://localhost:8080? Also, did you check out the repo at the 1.14.0 tag and docker-compose up build from there, or did you run the container some other way?

When I build label-studio in docker-compose at the 1.14.0 tag and access it at localhost:8080, it does seem to work, which is why I am asking these questions :)

If you use some origin other than http://localhost:8080 to access your LS server, I suspect adding that URL to CSRF_TRUSTED_ORIGINS in your docker compose override file or similar might help; see https://docs.djangoproject.com/en/4.0/ref/settings/#csrf-trusted-origins

[nithin-bose]

I was using the docker image heartexlabs/label-studio:latest. It was deployed about a month prior on kubernetes. I am sure I was running 1.13 something when i had deployed it.

At the time I faced this issue, the kubernetes pods were up for more than 20 days, I didn't pull the latest image or restart the the pods. I never realised label studio switched to version 1.14 until I faced the issue and tried /version, which is weird, it shouldn't have updated at all.

The label studio instance is behind a traefik proxy. Maybe the origin should be set to * by default and be overridden by the value of CSRF_TRUSTED_ORIGINS if set, this issue blindsided me since I wasn't expecting it to update in the first place and since the previous version worked fine without the environment variable being set.

I have now pinned the docker image to 1.13.1. I should not have used latest in the first place. I'll try to update to 1.14 in a few days.

[ocharles]

I have just updated from 1.12 to 1.14.0post0 and I'm also hitting this. Happy to provide any information that you think may help!

[ocharles]

If you use some origin other than http://localhost:8080 to access your LS server, I suspect adding that URL to CSRF_TRUSTED_ORIGINS in your docker compose override file or similar might help; see https://docs.djangoproject.com/en/4.0/ref/settings/#csrf-trusted-origins

I do indeed use a URL other than localhost - we have Label Studio served behind a Caddy proxy that sits on our Tailscale network. I'm not familiar with Django - is that an environment variable, or do I set it by some other mechanism? We're hosting using Nomad, but if you can show me how to do it in Docker Compose I can probably port that over to Nomad easily.

[brane-netspi]

Issue seems not fixed, have used latest image with ECR, ALB over HTTPS and also set environment variables (to avoid CSFR Verification issue):
{ "name" : "CSRF_COOKIE_SECURE", "value" : "True" },
{ "name" : "SESSION_COOKIE_SECURE", "value" : "True" },
{ "name" : "CSRF_TRUSTED_ORIGINS", "value" : "https://${aws_lb.load_balancer.dns_name}" }

Container gets failed with logs:

Seems bug within python file - https://github.com/HumanSignal/label-studio/blob/develop/label_studio/core/settings/base.py#L427 for SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE

[makseq]

As I know this problem was solved in the latest versions of LS.