Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Only use session tokens for auth for GET requests #1488

Closed
wants to merge 1 commit into from
Closed

Only use session tokens for auth for GET requests #1488

wants to merge 1 commit into from

Conversation

sgrif
Copy link
Contributor

@sgrif sgrif commented Sep 7, 2018

Since we do not have any form of CSRF protection in place, we should not
be allowing session tokens to be used for non-get requests. We don't
currently have any CSRF vulnerabilities, as there are no POST requests
in our router today.

In the event that one does get added in the future, this will prevent
a CSRF vulnerability from appearing, without us having to remember this
detail in the future. It will also force us to properly add some form of
protection if we want to accept a POST request sent by an HTML form in
the future.

@sgrif
Only use session tokens for auth for GET requests
5a45032 
Since we do not have any form of CSRF protection in place, we should not
be allowing session tokens to be used for non-get requests. We don't
currently have any CSRF vulnerabilities, as there are no `POST` requests
in our router today.

In the event that one does get added in the future, this will prevent
a CSRF vulnerability from appearing, without us having to remember this
detail in the future. It will also force us to properly add some form of
protection if we want to accept a POST request sent by an HTML form in
the future.
@jtgeibel
Copy link
Member

We've definitely had issues like this in the past, for instance 2a46845.

I believe we have some front-end PUT routes that use the session cookie. For instance, /crates/:crate_id/follow, /me/tokens, /confirm/:email_token, and a few others. (There some corresponding DELETE routes as well.) Maybe we should explicitly test for the POST method and skip setting the user only in that case.

@sgrif
Copy link
Contributor Author

sgrif commented Sep 12, 2018

The browser is only capable of sending GET and POST requests from a form. Only POST requests are vulnerable to CSRF assuming any browser more recent than IE9

@jtgeibel
Copy link
Member

Yes, but the current PR only sets the session for GET, and I think the PUT routes will fail without a session. The cargo routes (such as publish) will still get a user session from the "Authorization" header, but PUT routes used by the front-end, such as creating a new token, will not know which user to create a token for.

@sgrif
Copy link
Contributor Author

sgrif commented Sep 15, 2018

Are there any non-get requests sent through the browser?

@sgrif
Copy link
Contributor Author

sgrif commented Sep 15, 2018

Ah I guess token management is handled through the browser. I'll change this to exclude POST rather than include only GET

@sgrif sgrif mentioned this pull request Oct 20, 2018
Open
@carols10cents
Copy link
Member

I'll change this to exclude POST rather than include only GET

Hi @sgrif, could you make this change please?

@carols10cents
Copy link
Member

Closing after discussion with @sgrif.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@sgrif @jtgeibel @carols10cents