[Snyk: High] Cross-Site Request Forgery (CSRF) (due 05/09/2020)

[lbeaufort]

Cross-Site Request Forgery (CSRF)
Vulnerable module: webargs
Introduced through: webargs@5.4.0 and regcore@4.2.0
Exploit maturity: No known exploit
Fixed in: 5.5.3, 6.0.0b4
Fix this vulnerability
Detailed paths and remediation
Introduced through: project@0.0.0 › webargs@5.4.0
Remediation: Upgrade webargs to version 5.5.3 or 6.0.0b4
Introduced through: project@0.0.0 › regcore@4.2.0 › webargs@5.4.0
Remediation: Pin webargs to version 5.5.3 or 6.0.0b4
Overview
webargs is a python library for parsing and validating HTTP request objects, with built-in support for popular web frameworks, including Flask, Django, Bottle, Tornado, Pyramid, webapp2, Falcon, and aiohttp.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF). Flaskparser.py does not check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF.

Will likely go out with the 5/12/2020 release.

[jason-upchurch]

closing in favor of #488

[jason-upchurch]

@PaulClark2 @AmyKort cc @JonellaCulmer This security vulnerability was a pretty easy fix since the package isn't a direct dependency of the project. It's a dependency of regcore, so I was able to fix it simply by removing the package directly and letting regcore install a "nonvulnerable" version. I then pinned all the packages and added them as a new experimental approach to maintaining this particular repo's packages so that we can follow the story of why certain packages are being installed. Both @pkfec and @fec-jli are familiar with my approach to keep this repo staying as resilient and secure as possible.

The thing that made this a "trouble child" issue is that in order to feel good about the "fix" I needed to be able to verify for myself that I could actually parse the regulations and make the solution effective, so I originally lumped this security issue into the same issue that dealt with the necessary fix to the repo at large. My apologies for any confusion this called caused--we had team calls to collaborate on the approach consisting of subject matter devs most familiar with the work and the repo itself.

In any event, I believe the issue is resolved and on time!

[pkfec]

Updated webargs to v6.0.0 in PR#496. Its merged. Closing this issue.