Fix GHSA-49jp-pjc3-2532: Strengthen CSRF Protections #18769
Adds the following protections:
* A nonce to prevent collisions. This is best practice per OWASP.
* A constant-time comparison of expected and received tokens.
* HMAC-SHA256 instead of HMAC-MD5. Even though HMAC-MD5 is not broken yet, attacks against MD5 have been getting better, and there's no reason not to switch to SHA256.
Hi @U8NWXD please assign the required reviewer(s) for this PR. Thanks!
Thanks! LGTM.
Hi @U8NWXD, this PR is ready to be merged. Please address any remaining comments prior to merging, and feel free to merge this PR once the CI checks pass and you're happy with it. Thanks!
Hi, @oppia/release-coordinators flagging this pull request for your attention since this is labelled as a hotfix PR. Please ensure that you add the "PR: for current release" label if the next release is in progress. Thanks!
* Strengthen CSRF Protections

  Adds the following protections:
  * A nonce to prevent collisions. This is best practice per OWASP.
  * A constant-time comparison of expected and received tokens.
  * HMAC-SHA256 instead of HMAC-MD5. Even though HMAC-MD5 is not broken yet, attacks against MD5 have been getting better, and there's no reason not to switch to SHA256.
* Fix base controller tests
Overview
This PR fixes GHSA-49jp-pjc3-2532, an undisclosed security vulnerability.
This PR does the following: Adds the following protections:
For more details on CSRF and protections, see OWASP's guidance.
(For bug-fixing PRs only) The original bug occurred because: See security advisory (once disclosed).
Essential Checklist
followed by a short, clear summary of the changes.
comment with the phrase "@{{reviewer_username}} PTAL" if I don't have
permissions to assign reviewers directly).
Proof that changes are correct
Screen.Recording.2023-08-12.at.09.59.13.mov
PR Pointers
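The three protections the PR description lists (a random nonce bound into the token, a constant-time comparison of expected and received tokens, and HMAC-SHA256 in place of HMAC-MD5), shown together as one self-contained token scheme. This is an added illustrative example, not Oppia's code; the secret key, the `issued_at/nonce/mac` token layout, the `/` delimiter and the 24-hour lifetime are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed secret for this example only; a real deployment loads it from configuration.
SECRET_KEY = b"example-secret-key-not-for-production"
# Assumed token lifetime for the example (24 hours).
TOKEN_TTL_SECONDS = 60 * 60 * 24


def _mac(user_id: str, issued_at: int, nonce: str) -> str:
    """HMAC-SHA256 over the user id, issue time and nonce (in place of HMAC-MD5)."""
    msg = f"{user_id}/{issued_at}/{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def generate_token(user_id: str, now: Optional[int] = None) -> str:
    """Issue a token of the assumed form issued_at/nonce/mac."""
    issued_at = int(time.time()) if now is None else now
    # 128-bit random nonce: two tokens issued to the same user in the same
    # second no longer collide, and the nonce is bound into the MAC below.
    nonce = secrets.token_hex(16)
    return f"{issued_at}/{nonce}/{_mac(user_id, issued_at, nonce)}"


def validate_token(token: str, user_id: str, now: Optional[int] = None) -> bool:
    """Return True only for an unexpired token whose MAC matches this user."""
    now = int(time.time()) if now is None else now
    parts = token.split("/")
    if len(parts) != 3:
        return False
    issued_str, nonce, received_mac = parts
    if not issued_str.isdigit():
        return False
    issued_at = int(issued_str)
    if issued_at > now or now - issued_at > TOKEN_TTL_SECONDS:
        return False
    expected_mac = _mac(user_id, issued_at, nonce)
    # Constant-time comparison: a plain == returns at the first mismatching
    # byte, which leaks how much of the MAC a submitted value already matches.
    return hmac.compare_digest(expected_mac, received_mac)
```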