Skip to content

fix: prevent unrelated websites from modifying shortlinks via CSRF #30

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix: prevent unrelated websites from modifying shortlinks via CSRF #30

wants to merge 1 commit into from

Conversation

midchildan
Copy link

Issue

Unrelated websites can issue requests to register/modify shortlinks.

How to reproduce

  1. Run go on localhost:8067
  2. Access https://jsfiddle.net/tcm5vjwy/
  3. Shortlink :1 is set to https://example.com without any user interaction

The fix

  • Attach an X-Requested-With header in client requests
  • Make sure client POST requests have a content type of "application/json"

@midchildan
fix: prevent unrelated websites from modifying shortlinks via CSRF
49f834a 
Added two mitigations for this issue:

- Attach an 'X-Requested-With' header in client requests
- Make sure client POST requests have a content type of "application/json"
@midchildan
Copy link
Author

I initially wrote the server side checks to mandate X-Requested-With be set to XMLHttpRequest, but I've now relaxed it a bit to accept any non-empty value.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@midchildan