
It is possible to circumvent CSRF protection on TranskripRequest/add #30

Closed
pascalalfadian opened this issue Nov 28, 2018 · 4 comments

@pascalalfadian
Contributor

Simply by issuing a GET request to https://bluetape.azurewebsites.net/TranskripRequest/add.

This is because only POST requests are CSRF protected.

The possible fix is to filter the controller function so that it only processes POST requests, not others.

Special shoutout to @rrrr98 for finding this issue 🙏

@pascalalfadian pascalalfadian self-assigned this Nov 28, 2018
@chez14
Contributor

chez14 commented Nov 29, 2018

Hi, just got this news from @levint55,

I have a suggestion to make all the URLs uniform to mimic a RESTful API, so instead of doing POST /TranskripRequest/add, we just do POST /TranskripRequest, and make sure all endpoints do the same, as the URLs will look cleaner.

(maybe we can make it cuter with /transkrip-request? But as far as I know this will need some changes in the CI config, so it's a pain in the neck)

What do you think?

On the implementation side we just need to move the HTTP method check to index(), make add() private, and call it when the method is POST.
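The fix described in the issue (only process POST) and the restructuring suggested in this comment (a single public index() that dispatches on the HTTP method and calls a private add()), shown together as an added plain-PHP example that is not BlueTape's code and does not use the CodeIgniter API; it assumes PHP 8 and a CSRF token already stored in the session, and the request inputs are constructed inline.

```php
<?php
// Added example, not the project's code: index() is the only public entry point,
// so a bare GET to /TranskripRequest/add can no longer reach the state-changing add().
final class TranskripRequestController
{
    // Assumption: the per-session CSRF token was generated at login and stored in the session.
    public function __construct(private string $sessionCsrfToken) {}

    // Dispatch on the HTTP method; anything other than GET or POST gets 405 with an Allow header.
    public function index(string $method, array $post): array
    {
        switch (strtoupper($method)) {
            case 'GET':
                // Read-only: render the list/form, never create anything on GET.
                return ['status' => 200, 'body' => 'list of transcript requests'];
            case 'POST':
                // Method check first, then the CSRF token, then the actual write.
                if (!$this->csrfTokenValid($post['csrf_token'] ?? '')) {
                    return ['status' => 403, 'body' => 'Invalid CSRF token'];
                }
                return $this->add($post);
            default:
                return ['status' => 405, 'headers' => ['Allow' => 'GET, POST'], 'body' => 'Method Not Allowed'];
        }
    }

    // Private: not routable by URL, only reachable through index() after the checks above.
    private function add(array $post): array
    {
        // Persist the transcript request here (omitted), then redirect back to the list.
        return ['status' => 302, 'headers' => ['Location' => '/TranskripRequest'], 'body' => ''];
    }

    // Constant-time comparison so the token check does not leak timing information.
    private function csrfTokenValid(string $token): bool
    {
        return $token !== '' && hash_equals($this->sessionCsrfToken, $token);
    }
}

// Constructed sample requests; a real app reads the method from $_SERVER and the body from $_POST.
$token = bin2hex(random_bytes(16));
$ctl = new TranskripRequestController($token);
printf("GET            -> %d\n", $ctl->index('GET', [])['status']);
printf("DELETE         -> %d\n", $ctl->index('DELETE', [])['status']);
printf("POST bad token -> %d\n", $ctl->index('POST', ['csrf_token' => 'wrong'])['status']);
printf("POST ok token  -> %d\n", $ctl->index('POST', ['csrf_token' => $token])['status']);
```

The 405 branch also logs nothing sensitive, so non-POST hits on this route can be counted in access logs as a simple detection signal for CSRF probing.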

@pascalalfadian
Contributor Author

Thanks @darknight060198 for the fix!

@chez14 Thank you for the suggestion. I will attend to your comment soon.

@pascalalfadian
Contributor Author

Hi @chez14,

Thank you for your suggestion. I may be old school, but as of now I don't have any plans to convert this portal to newer web standards, with the following considerations:

  • I want to make it as simple as possible, allowing students to understand and participate in the code
  • Rewriting the architecture means rewriting the group project task description for Keamanan Informasi
  • UNPAR is not funding me for this 😆 and they already make me spend some time each month printing out the receipt from the cloud provider to reimburse the provider cost (they pay for the cloud provider but not me). Hence, I don't want to invest too much time in this.

There is an alternative though: if the admin team wants to take over this whole project, I will be willing to hand it over to them. I cannot transfer it to you personally, because although you have the technical capabilities, this project must be continued even after you graduate.

I am closing this issue. Please reopen if you want to appeal. Thank you.

@chez14
Contributor

chez14 commented Nov 29, 2018

Ahh I see, I don't think admin will have time for managing an OSS project right now, since we have things to do with our backend too, so I'll leave it like this then hehe.

pascalalfadian added a commit that referenced this issue Feb 16, 2021