Always check CSRF token if request has body #8
Comments
|
meh. a lot of methods like GET, HEAD, and DELETE shouldn't even have bodies. |
|
Right, but they can, which may lead to someone sending a body with a GET request and (if the user incorrectly placed method-override after this module) could be interpreted as a POST. I'm proposing the check to be if (hasbody(req) || ('GET' !== req.method && 'HEAD' !== req.method && 'OPTIONS' !== req.method)) {
checkCSRF()
} |
|
FWIW this is a response to http://blog.nibblesec.org/2014/05/nodejs-connect-csrf-bypass-abusing.html From email, since yahoo's being stupid and not sending to @jonathanong
Just because they shouldn't have bodies doesn't mean that they won't. |
|
my general philosophy is to educate vs. handle all these cases. i'd rather add that link to the readme and tell developers what they should and shouldn't be doing. but if we add this in and somebody complains, we could always tell them, "stop". haha |
|
Unfortunately when it comes to security, people can shoot themselves in the foot, but we should at least make them try harder to do this. Currently all it takes is We can always go around chanting "be sure method-override comes before csrf" but that doesn't seem very proactive to me. If all it took was education, those blog articles may not exist.
people never ask questions and just copy-pasta all day long. once one example on the interweb does csrf before method-override, it'll just be everywhere. |
|
In fact, the only times I see people asking security-related questions in projects is because they are wondering how to do something that is not secure at all and wondering why they are not being allowed to (or how it is hard to make it insecure). |
|
yup. what we can do is just we could also change body-parser to do the same. |
I think I like this better than just checking the CSRF token and carrying on, though if a method is idempotent would need to be a whitelist instead of a blacklist to be safe... |
|
@visionmedia koajs/koa#274 can you move in the |
|
Once issue I can see, though, is that |
|
I feel like I have circled back around to liking my original proposal better again... |
|
lol, I just thought of a crazy new idea: check the CSRF token how it is, but then set |
|
I think I like the idea of the original check returning a |
|
i'm so confused now. haha. i'm down for that too. haha |
lol, sorry. just brainstroming over here :P
@Fishrock123 which check was that (you can always quote it is link to it)? |
|
@dougwilson -- checking for a body. if (hasbody(req) || ('GET' !== req.method && 'HEAD' !== req.method && 'OPTIONS' !== req.method) {
checkCSRF()
} |
|
So to continue this real quick, if I were to say add the |
|
If any option, I'd add an option to still This is CSRF prevention, it's going to be strict. |
|
Fair enough, @Fishrock123 that sounds good to me. |
|
By the way, having these modules not included in connect/express is AWESOME. We can make breaking changes in them, bump the major version, and not care! |
|
If we are talking 2.0, docs needs to be landed first for sure. #7 |
|
@Fishrock123 I'll make a milestone in here. |
This is a placeholder for the idea to alter this module to check for the CSRF token when the request has a body, regardless of the method. Any request containing a body should fall under CSRF checking (since it is likely modifying state).
@jonathanong @Fishrock123 @defunctzombie thoughts?
The text was updated successfully, but these errors were encountered: