CSRF protection for web forms #570
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
roymarantz
approved these changes
Oct 11, 2017
qx-xp
approved these changes
Oct 11, 2017
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds protection from CSRF attacks by adding a token check to non-API endpoints. Currently, if an attacker can guess (or bruteforce) the asset tags of nodes he or she would be able to create assets, decommission assets, put assets in maintenance, etc. by getting a logged in user to visit a webpage. Depending on the type of automation and asset tags in the installation this could obviously be very bad.
This only applies to routes using session authentication and not the API since it is protected by basic authentication. Furthermore, only the login and create resource forms actually have the CSRF token in a hidden input tag since the other forms submit their data through XHR.
We will post a nginx-based workaround on the mailing list, but recommend users to update collins as well. I will publish a new release (2.2.0) once this is merged.
@tumblr/collins