Implement CSRF protection for MakeAPI

RESOLVED FIXED

Status

Webmaker
MakeAPI
--
blocker
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: jbuck, Assigned: cade)

Tracking

Details

(Whiteboard: s=2013w24 p=1)

Attachments

(1 attachment)

Blocks: 880900
No longer blocks: 880900

Updated

5 years ago
Whiteboard: s=2013w24 → s=2013w24 p=1

Updated

5 years ago
Assignee: pomax → chris
(Assignee)

Comment 1

5 years ago
Created attachment 760395 [details] [review]
https://github.com/mozilla/MakeAPI/pull/81

This patch adds the express.csrf() middleware to routes that use our Webmaker SSO to make authenticated API calls (the Login/Admin pages).

I added the option for a csrf token in the Make API client code so that it can be applied to the header of requests.

Regular routes that are used by our trusted apps and through basic authentication do not need csrf protection since they can't be loaded into an iframe and abused by an attacker. Also, searching doesn't change the state of the session/database and thus does not need CSRF protection either.
Attachment #760395 - Flags: review?(jon)
Severity: normal → blocker
(Reporter)

Comment 2

5 years ago
Comment on attachment 760395 [details] [review]
https://github.com/mozilla/MakeAPI/pull/81

r+ with nits, I think you can delete the reference to the CSRF token in the node strategy.
Attachment #760395 - Flags: review?(jon) → review+

Comment 3

5 years ago
Commit pushed to master at https://github.com/mozilla/MakeAPI

https://github.com/mozilla/MakeAPI/commit/673b62980eff38522fdc870d8bc0994dd300de3f
Fix Bug 880894 - Add CSRF middleware to protect vulnerable admin routes and paths

Updated

5 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Attachment mime type: text/plain → text/x-github-pull-request
