This adds protection from CSRF attacks by adding a token check to non-API endpoints. Currently, if an attacker can guess (or bruteforce) the asset tags of nodes he or she would be able to create assets, decommission assets, put assets in maintenance, etc. by getting a logged in user to visit a webpage. Depending on the type of automation and asset tags in the installation this could obviously be very bad.
This only applies to routes using session authentication and not the API since it is protected by basic authentication. Furthermore, only the login and create resource forms actually have the CSRF token in a hidden input tag since the other forms submit their data through XHR.
We will post a nginx-based workaround on the mailing list, but recommend users to update collins as well. I will publish a new release (2.2.0) once this is merged.
This adds protection from CSRF attacks by adding a token check to non-API endpoints. Currently, if an attacker can guess (or bruteforce) the asset tags of nodes he or she would be able to create assets, decommission assets, put assets in maintenance, etc. by getting a logged in user to visit a webpage. Depending on the type of automation and asset tags in the installation this could obviously be very bad.
This only applies to routes using session authentication and not the API since it is protected by basic authentication. Furthermore, only the login and create resource forms actually have the CSRF token in a hidden input tag since the other forms submit their data through XHR.
We will post a nginx-based workaround on the mailing list, but recommend users to update collins as well. I will publish a new release (2.2.0) once this is merged.
@tumblr/collins