Netflix / flamescope

FlameScope is a visualization tool for exploring different time ranges as Flame Graphs.
Apache License 2.0

The application lacks protection against CSRF #7

Closed atx closed 6 years ago

atx commented 6 years ago

The application lacks any sort of protection against CSRF (let alone DNS rebinding).

As some, uhhh, creative development time saving techniques are used, an attacker can execute arbitrary shell commands on the computer running this software by redirecting the user's browser to something like:

```html
<a href="http://127.0.0.1:5000/stack/?filename=%3Bxcalc%3Bfoo.gz">Link</a>
```

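The two bugs the report above combines are a query parameter reaching a shell and a local-only server trusting any request a browser will send it. The following is an added example, not FlameScope's own code: it reproduces the shape of the injection (the decoded `filename` lands in a shell command string, so `;` splits it into separate commands) and shows the two fixes a reviewer would want, a filename allowlist with an argv list instead of a shell string, and a Host/Origin check against DNS rebinding and cross-site requests. `PROFILE_DIR`, `ALLOWED_HOSTS`, the `gunzip -c` command and every function name are assumptions made for the example.

```python
import os
import re
import shlex
from urllib.parse import unquote, urlsplit

# Assumptions for this example only (not FlameScope's real layout or code).
PROFILE_DIR = "/tmp/flamescope-profiles"                # directory profiles are read from
ALLOWED_HOSTS = {"127.0.0.1:5000", "localhost:5000"}    # hosts the UI is served on
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")  # no '/', no leading '.'


def vulnerable_command(filename):
    """The pattern the report describes: the raw parameter is interpolated into a shell string."""
    return "gunzip -c " + filename


def shell_tokens(cmd):
    """Tokenise like a POSIX shell so ';' appears as its own command-separator token."""
    return list(shlex.shlex(cmd, punctuation_chars=True))


def injected_tokens(encoded_filename):
    """What the shell would see for a URL-encoded filename such as %3Bxcalc%3Bfoo.gz."""
    return shell_tokens(vulnerable_command(unquote(encoded_filename)))


def safe_profile_path(filename):
    """Allowlist the name, then pin the resolved path under PROFILE_DIR (defeats symlinks too)."""
    if not SAFE_NAME.match(filename):
        raise ValueError("illegal characters in filename")
    base = os.path.realpath(PROFILE_DIR)
    path = os.path.realpath(os.path.join(base, filename))
    if os.path.dirname(path) != base:
        raise ValueError("path escapes the profile directory")
    return path


def safe_command(filename):
    """An argv list, never a shell string: nothing in the name is interpreted by a shell."""
    return ["gunzip", "-c", safe_profile_path(filename)]


def rejects(filename):
    """True when the hardened path check refuses the name."""
    try:
        safe_profile_path(filename)
    except ValueError:
        return True
    return False


def request_allowed(method, headers):
    """Reject DNS-rebound hosts and cross-site state-changing requests.

    - Host not in ALLOWED_HOSTS: an attacker-controlled name that now resolves to
      127.0.0.1 (DNS rebinding) still carries its own Host header, so drop it.
    - Non-safe methods must carry an Origin (or Referer) from our own origin;
      a plain cross-site form post or fetch cannot forge that header.
    GET is let through only on the assumption that GET handlers have no side
    effects; a link like the one in the report sends no Origin at all.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("host", "") not in ALLOWED_HOSTS:
        return False
    if method in ("GET", "HEAD", "OPTIONS"):
        return True
    origin = h.get("origin") or h.get("referer")
    if not origin:
        return False
    parts = urlsplit(origin)
    return parts.scheme == "http" and parts.netloc in ALLOWED_HOSTS


if __name__ == "__main__":
    print(injected_tokens("%3Bxcalc%3Bfoo.gz"))   # ';' splits the command line into three commands
    print(safe_command("foo.gz"))                   # argv list, path pinned under PROFILE_DIR
    print(rejects(";xcalc;foo.gz"), rejects("../etc/passwd"))
    print(request_allowed("GET", {"Host": "attacker.example:5000"}))
```

The order of the fixes matters: escaping the filename (or, better, never handing it to a shell) removes the command execution, and only then is a GET request harmless enough that the Host check alone covers the rebinding case; any endpoint that still changes state must also move off GET and pass the Origin check.

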
brendangregg commented 6 years ago

Thanks @atx! I've fixed the filename escapes. We still need to look at the CSRF and DNS rebinding.

spiermar commented 6 years ago

@brendangregg recent PR merge might have fixed a few of those issues.

spiermar commented 6 years ago

Assuming this was fixed. Closing.