Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MBS-13309: Restrict cross-origin requests to /ws/js/edit #3075

Merged
merged 1 commit into from
Nov 7, 2023

Conversation

mwiencek
Copy link
Member

@mwiencek mwiencek commented Nov 5, 2023

Problem

MBS-13309

/ws/js/edit is prone to CSRF attacks that could be used to trick editors into submitting edits without their review.

Solution

Restrict submissions from external origins to bot accounts.

Copy link
Contributor

@yvanzo yvanzo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTMBDNT. Just wondering about tests documentation but can be merged already for beta.

t/lib/t/MusicBrainz/Server/Controller/WS/js/Edit.pm Outdated Show resolved Hide resolved
This commit restricts cross-origin requests to /ws/js/edit to bot accounts in
order to mitigate CSRF attacks that could be used to trick editors into
submitting edits without their review.
@mwiencek mwiencek merged commit 452eb91 into metabrainz:master Nov 7, 2023
3 checks passed
@mwiencek mwiencek deleted the mbs-13309 branch November 7, 2023 00:19
yvanzo added a commit that referenced this pull request Nov 7, 2023
* master:
  Update POT files using the production database
  MBS-13336: Add a script to rebuild all indexes using collations (#3062)
  MBS-13309: Restrict cross-origin requests to /ws/js/edit (#3075)
yvanzo added a commit that referenced this pull request Nov 13, 2023
* beta:
  Translated using Weblate (Italian)
  Translated using Weblate (Lithuanian)
  Added translation using Weblate (Thai)
  Added translation using Weblate (Thai)
  Translated using Weblate (Russian)
  Translated using Weblate (French)
  Update translation files
  Update POT files using the production database
  Translated using Weblate (Italian)
  Update translation files
  Fix wrongly ordered calls l(addColonText(()
  Update POT files using the production database
  MBS-13336: Add a script to rebuild all indexes using collations (#3062)
  MBS-13309: Restrict cross-origin requests to /ws/js/edit (#3075)
  MBS-13348: Fix edit_data_idx_link_type (#3073)
  MBS-13349: Support LibraryThing disambiguation URLs (#3077)
  MBS-13347: Relationship Type edit search times out (#3074)
  MBS-5987: Add "Submit votes & edit notes" to top (#3072)
  MBS-13350: Return all barcode matches in release editor (#3076)
  Translated using Weblate (Chinese (Simplified))
  Translated using Weblate (German)
  Translated using Weblate (Italian)
  Translated using Weblate (French)
  Update translation files
  Add test for isObjectEmpty
  Add test for isBlank
  Add test for escapeLuceneValue
  Add test for escapeRegExp
  Add test for relationshipDateText
  Add test for sortByEntityName
  Move getSortName entities to constants
  Add test for isDisabledLink
  Add test for isFutureDate
  Add tests for strings
  Make renderMergeCheckboxElement function a component
  Fix require sort order
  Add test for isDateEmpty
  Add test for formatEndDate
  Add test for entityHref
  Make generic entity consts reusable
  Add test for isGuid
  Add test for isolateText
  Add test for natatime
  Add test for primaryAreaCode
  Add test for isDatabaseRowId
  Add test for getSortName
  More precise comparison for null barcode
  Add test for formatBarcode
  Add tests for clean
  Add tests for arrays.js functions
  Add test for calculateFullToc
  Add test for bracketed
  Add renderToStaticMarkup wrapper
  Use compareDates as the base for areDatesEqual
  Add test for areDatePeriodsEqual
  Use exactCount for newline-after-import eslint rule (#3071)
  MBS-12727: Show genre alias connections for tags (#2757)
  MBS-4822: Drop duplicate colon strings
  Add context to "Cancelled" and drop duplicate colons
  Add context to "Ended" and drop duplicate colons
  Add context to "Location" and drop duplicate colons
  Add context to EditReleaseEvents headings
  Standardize election headers and drop duplicate colons
  Add context to "Old" and drop duplicate colons
  Add context to "Status" and drop duplicate colons
  Add context to "Merge" and drop duplicate colons
  Add context to "Preview" and drop duplicate colons
  MBS-13207 (II): Move "Add a new recording" above suggestions (#3069)
  MBS-12893: Add places column to country statistics
  MBS-12852: Add events column to country statistics
  Ensure release stats are calculated for every country
  Use "create", "add", "enter" in more specific ways (#3070)
  Bump hermes-eslint to 0.17.1
  Bump eslint-plugin-ft-flow to 3.0.1
  Move eslint-plugin-simple-import-sort to devDependencies
  Migrate to Yarn v4
  Fix permission errors in run_selenium_tests.sh
  Bump SIR_TAG to v3.0.1 in the test images
  Switch to chrome-for-testing in tests
  Bump chromedriver to 119.0.6045.105
  Create the pgtap extension as a superuser
  Bump musicbrainz-tests-perl-5-dot-30 image
  Fix phusion/baseimage focal tag
  Fix PGDATA permission issues
  MBS-13261: Upgrade the required version of Node.js to 20
  Move duplicated CircleCI steps to script
  Regenerate cpanfile.snapshot
  Fix apt-key deprecation warning
  Upgrade the Docker base images to jammy
  Bump ARTWORK_REDIRECT_COMMIT
  Copy Dockerfile.tests to Dockerfile.perl5.30.tests
  Explicitly list the .gitignore'd Dockerfiles
  Replace xgettext-js with forked copy using hermes-parser (#3067)
  Use Unicode quotes for string being changed already
  Use Unicode quotes for string being changed already
  Remove i.e. from user-facing strings
  Remove e.g. from user-facing strings
  Capitalize URL in user-facing string (#3058)
  Normalize "track duration" to "track length" in UI (#3057)
  Normalize "pending edits" to "open edits" in UI (#3056)
  Update POT file from the current database
  Translated using Weblate (Turkish)
  Translated using Weblate (German)
  Translated using Weblate (Japanese)
  Added translation using Weblate (Chinese (Traditional))
  Translated using Weblate (Japanese)
  Translated using Weblate (Spanish)
  Translated using Weblate (Portuguese)
  Translated using Weblate (Chinese (Simplified))
  Translated using Weblate (Russian)
  Translated using Weblate (French)
  Translated using Weblate (Bengali)
  Translated using Weblate (Portuguese)
  Translated using Weblate (German)
  Translated using Weblate (Italian)
  Translated using Weblate (Lithuanian)
  Use "remove" consistently for non-editor cases
  Translated using Weblate (Turkish)
  Translated using Weblate (German)
  Translated using Weblate (Japanese)
  Added translation using Weblate (Chinese (Traditional))
  Translated using Weblate (Japanese)
  Translated using Weblate (Spanish)
  Translated using Weblate (Portuguese)
  Translated using Weblate (Chinese (Simplified))
  Translated using Weblate (Russian)
  Translated using Weblate (French)
  Translated using Weblate (Bengali)
  Translated using Weblate (Portuguese)
  Translated using Weblate (German)
  Translated using Weblate (Italian)
  Translated using Weblate (Lithuanian)
  Upgrade Flow to 0.220.0
  MBS-13320 (II): Warn on form unload with rel changes (#3064)
  Add labels to all tests in Data::Editor
  Give a name to remaining 'all' test and add labels
  Split various_edit_counts into separate test
  Split editor subscription methods into separate test
  MBS-13334: Also find emails with capitalization differences
  Split and expand email checking tests
  MBS-13320: Prompt before unloading modified forms (#3054)
  Split new editor creation test to new subtest
  Upgrade Flow to 0.219.3
  Remove a few $FlowIgnores
  Remove uses of any in SeriesIndex.js
  Replace $MakeReadOnly type with one using infer
  Upgrade Flow to 0.219.2
  Upgrade Flow to 0.219.0
  Upgrade Flow to 0.218.1
  Upgrade Flow to 0.218.0
  Upgrade Flow to 0.217.2
  Upgrade Flow to 0.217.1
  Upgrade Flow to 0.217.0
  Remove unnecessary check in concatStringMatch
  Fix indentation in PhraseVarArgs class
  Upgrade Flow to 0.216.1
  Upgrade Flow to 0.216.0
  Upgrade Flow to 0.215.1
  Upgrade Flow to 0.215.0
  MBS-13319: Show help bubble for language/script on release editor (#3053)
  Use our new contains_ functions in more places (#3051)
  MBS-8952: Can rename recordings via autocomplete (#3039)
  MBS-13317: Remove Kget.jp from lyrics whitelist (#3052)
  Fix newly detected eslint issues
  Upgrade ESLint and associated plugins
  Upgrade Babel dependencies
  Regenerate yarn.lock
  Upgrade Flow to 0.214.0
  Upgrade Flow to 0.213.1
  Upgrade Flow to 0.213.0
  Upgrade Flow to 0.212.0
  Upgrade Flow to 0.211.1
  Upgrade Flow to 0.211.0
  Upgrade Flow to 0.210.2
  Upgrade Flow to 0.210.1
  Upgrade Flow to 0.210.0
  Upgrade Flow to 0.209.0
  Upgrade Flow to 0.208.1
  Upgrade Flow to 0.208.0
  Switch Babel & ESLint parsers to hermes
  Upgrade Flow to 0.207.0
  Upgrade Flow to 0.206.0
  Upgrade Flow to 0.205.1
  Upgrade Flow to 0.205.0
  Upgrade Flow to 0.204.1
  Upgrade Flow to 0.204.0
  Upgrade Flow to 0.203.1
  Upgrade Flow to 0.203.0
  Upgrade Flow to 0.202.1
  Upgrade Flow to 0.202.0
  Remove all uses of the switch feature (given/when)
  Remove all uses of the smartmatch operator
  Link directly to the anchor in Markdown
  Update INSTALL.md's building static resources section (#3042)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants