search

wintercms / winter

Free, open-source, self-hosted CMS platform based on the Laravel PHP Framework.
https://wintercms.com
MIT License
1.34k stars 191 forks source link

Add optional automatic CSRF protection for AJAX handlers on the frontend #492

Open msimkunas opened 2 years ago

msimkunas commented 2 years ago

Winter CMS Build

dev-develop

PHP Version

7.4

Database engine

MySQL/MariaDB

Plugins installed

No response

Issue description

Frontend AJAX handlers currently do not have CSRF protection enabled.

As per discussion with @LukeTowers, this could be rectified by hooking into the cms.ajax.beforeRunHandler event and checking the token with the verifyCsrfToken() controller method. Care should be taken to prioritize your event listener so that it runs first.

@LukeTowers mentioned he is open to the idea of implementing this in Winter. Could this be an opt-in feature (configurable via enableAjaxCsrfProtection or something along those lines)?

This issue is also documented here:

https://github.com/octobercms/october/issues/696 https://github.com/octobercms/october/issues/3599

Also relevant:

https://github.com/wintercms/winter/commit/260e1f503fe18588f099de5efc928cfe941eed77 https://github.com/wintercms/winter/commit/8da798a5cd2f5f640719550eebebc03e9a9d29d1

Steps to replicate

The server accepts an AJAX request even if it contains an invalid CSRF token.

Workaround

As a temporary workaround, one could register a cms.ajax.beforeRunHandler listener in a custom plugin:

public function boot()                                                                                                                                                         
{                                                                                                                                                                              
    Event::listen('cms.ajax.beforeRunHandler', function($controller, $handler) {                                                                                               
        /**                                                                                                                                                                    
         * The verifyCsrfToken() method is currently                                                                                                                           
         * protected - use reflection as a temporary                                                                                                                           
         * workaround                                                                                                                                                          
         */                                                                                                                                                                    
        $controllerClass = new \ReflectionClass($controller);                                                                                                                  
        $method = $controllerClass->getMethod('verifyCsrfToken');                                                                                                              
        $method->setAccessible(true);                                                                                                                                          
        if( ! $method->invoke($controller)) {                                                                                                                                  
            return Response::make(Lang::get('system::lang.page.invalid_token.label'), 403);                                                                                    
        }                                                                                                                                                                      
    }, PHP_INT_MAX);                                                                                                                                                                        
}
github-actions[bot] commented 2 years ago

This issue will be closed and archived in 3 days, as there has been no activity in the last 60 days. If this issue is still relevant or you would like to see it actioned, please respond and we will re-open this issue. If this issue is critical to your business, consider joining the Premium Support Program where a Service Level Agreement is offered.

github-actions[bot] commented 1 year ago

This issue will be closed and archived in 3 days, as there has been no activity in this issue for the last 6 months. If this issue is still relevant or you would like to see it actioned, please respond within 3 days. If this issue is critical for your business, please reach out to us at wintercms@luketowers.ca.

github-actions[bot] commented 1 year ago

This issue will be closed and archived in 3 days, as there has been no activity in this issue for the last 6 months. If this issue is still relevant or you would like to see it actioned, please respond within 3 days. If this issue is critical for your business, please reach out to us at wintercms@luketowers.ca.

github-actions[bot] commented 8 months ago

This issue will be closed and archived in 3 days, as there has been no activity in this issue for the last 6 months. If this issue is still relevant or you would like to see it actioned, please respond within 3 days. If this issue is critical for your business, please reach out to us at wintercms@luketowers.ca.

github-actions[bot] commented 2 months ago

This issue will be closed and archived in 3 days, as there has been no activity in this issue for the last 6 months. If this issue is still relevant or you would like to see it actioned, please respond within 3 days. If this issue is critical for your business, please reach out to us at wintercms@luketowers.ca.