gitblit-org / gitblit

pure java git solution
http://gitblit.com
Apache License 2.0

CSRF Vulnerability #795

Open gitblit opened 9 years ago

gitblit commented 9 years ago

Originally reported on Google Code with ID 499

Description:
    GitBlit is susceptible to CSRF attacks. Specifically, one can form a URL that, if clicked,
    would delete a repository.
Steps to reproduce the problem:
    Prerequisite: have a local HTML page with the delete URL for a repository.
    (e.g. <a href="https://<server>/?wicket:interface=:<repoid>:editForm:delete::ILinkListener::">Click Me</a>)
1.  Open a browser
2.  Login to GitBlit
3.  In another window or tab of the same browser open the local html page.
4.  Click the link with the delete url for a repository.
5.  Observe the repository is gone.
Expected Output:
    An error saying it detected a csrf attack and the repository is still there.
Actual Output:
    The repository is deleted.
Environment:
    Gitblit Version 1.6.0 running on rhel 6 / tomcat 7 / apache httpd 2.2 with proxy ajp

Reported by 1988porsche944 on 2014-09-05 13:47:27

gitblit commented 9 years ago
Ugh.  This one is my least favorite.  Not sure how best to tackle it.

Thanks for taking the time to audit Gitblit.

Reported by James.Moger on 2014-09-05 23:23:23

gitblit commented 9 years ago
Authorization check before execution might help.

Reported by srbala on 2014-09-09 13:04:01

gitblit commented 9 years ago
Can you send a single-use CSRF token across as a parameter of the delete link, which
would be checked against the CSRF value set in the session when the link was rendered
for a user?

Reported by 1988porsche944 on 2014-09-12 09:42:24

gitblit commented 9 years ago
I can do that for now.  Long-term Gitblit is trying to go stateless (& session-less)
as much as possible so eventually a different strategy will need to be employed.

Reported by James.Moger on 2014-09-12 13:29:38
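The two mitigations raised in the thread, the single-use token checked against the session (the proposal above) and a token that does not need a session (the "different strategy" a stateless deployment would need), as an added illustration that is not Gitblit's code. It models the report's scenario: a logged-in victim follows an attacker-crafted delete link that carries no token. The `Session` class, `SERVER_KEY`, `handle_delete`, the `repo`/`csrf` parameter names and the repository names are all constructed for the example; the stateless variant here is an HMAC over (user, action, target, expiry) under a per-instance key, which is one common way to do it, not something the thread specifies.

```python
"""Two CSRF-token strategies for a state-changing link such as the repository
delete action discussed in the issue. Illustrative code, not Gitblit's."""
import hashlib
import hmac
import secrets

# ---------------------------------------------------------------------------
# Strategy 1: synchronizer token (what the thread proposes). The server mints a
# random token when it renders the delete link, remembers it in the user's
# session, and removes it on first use, so a replayed link also fails.
# ---------------------------------------------------------------------------

class Session:
    """Minimal stand-in for a server-side session (constructed for the example)."""
    def __init__(self, user):
        self.user = user
        self.csrf_tokens = set()


def issue_synchronizer_token(session):
    token = secrets.token_urlsafe(32)
    session.csrf_tokens.add(token)
    return token


def check_synchronizer_token(session, token):
    if token is None or token not in session.csrf_tokens:
        return False
    session.csrf_tokens.discard(token)   # single use: consumed on first check
    return True

# ---------------------------------------------------------------------------
# Strategy 2: stateless token for a session-less deployment. The token is an
# expiry plus an HMAC over (user, action, target, expiry) under a server key,
# so nothing is stored server-side and nobody can mint one for a victim
# without the key. SERVER_KEY is a hypothetical per-instance secret.
# ---------------------------------------------------------------------------

SERVER_KEY = secrets.token_bytes(32)


def _stateless_mac(key, user, action, target, exp):
    msg = "|".join((user, action, target, str(exp))).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_stateless_token(key, user, action, target, now, ttl=900):
    exp = int(now) + ttl
    return f"{exp}.{_stateless_mac(key, user, action, target, exp)}"


def check_stateless_token(key, user, action, target, token, now):
    if token is None:
        return False
    exp_s, _, mac = token.partition(".")
    if not exp_s.isdigit() or now > int(exp_s):   # malformed or expired
        return False
    expected = _stateless_mac(key, user, action, target, int(exp_s))
    return hmac.compare_digest(expected, mac)      # constant-time compare

# ---------------------------------------------------------------------------
# A delete handler that refuses to act without a valid token. `repos` stands
# in for the repository store; `params` is the parsed query string. The user
# identity comes from the authenticated session, never from the request.
# ---------------------------------------------------------------------------

def handle_delete(repos, session, params, now, key=SERVER_KEY, stateless=False):
    repo = params.get("repo")
    token = params.get("csrf")
    if stateless:
        ok = check_stateless_token(key, session.user, "delete", repo, token, now)
    else:
        ok = check_synchronizer_token(session, token)
    if not ok:
        return "rejected: missing or invalid CSRF token"
    repos.discard(repo)
    return f"deleted {repo}"


def demo():
    results = {}
    repos = {"alpha.git", "beta.git"}      # constructed sample store
    session = Session("victim")            # victim is logged in

    # The report's scenario: attacker-crafted link, no token at all.
    results["attacker_no_token"] = handle_delete(repos, session, {"repo": "alpha.git"}, now=1000)

    # Legitimate flow: server renders the link with a fresh token, then a replay.
    tok = issue_synchronizer_token(session)
    results["legit"] = handle_delete(repos, session, {"repo": "alpha.git", "csrf": tok}, now=1000)
    results["replay"] = handle_delete(repos, session, {"repo": "beta.git", "csrf": tok}, now=1000)

    # Stateless variant: a token minted for the attacker's own account does not
    # validate for the victim; an expired one is refused; a fresh one works.
    attacker_tok = issue_stateless_token(SERVER_KEY, "attacker", "delete", "beta.git", now=1000)
    results["stateless_wrong_user"] = handle_delete(
        repos, session, {"repo": "beta.git", "csrf": attacker_tok}, now=1000, stateless=True)
    victim_tok = issue_stateless_token(SERVER_KEY, "victim", "delete", "beta.git", now=1000)
    results["stateless_expired"] = handle_delete(
        repos, session, {"repo": "beta.git", "csrf": victim_tok}, now=5000, stateless=True)
    results["stateless_ok"] = handle_delete(
        repos, session, {"repo": "beta.git", "csrf": victim_tok}, now=1500, stateless=True)
    results["remaining"] = sorted(repos)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two caveats a practitioner would add regardless of which strategy is chosen: the link in the report performs the delete on a plain GET, and a token only helps if the token-checked request is the only path to the action, so the delete should move to a POST (or at least a token-checked handler with no token-less fallback); and the synchronizer token above is bound only to the session, so binding it to the action and target as the stateless variant does narrows what a leaked token can be used for. `SameSite` cookie attributes are a useful second layer but not a substitute for the token check.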