git724/forgejo
1
0
Fork 0
Code Issues Pull requests 3 Projects 1 Releases Packages Wiki Activity

[v12.0/forgejo] fix: validate CSRF on non-safe methods (#9082)

Browse source 
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/9071

All PUT/DELETE routes in the web UI are validated to prevent a [cross site request forgery](https://en.wikipedia.org/wiki/Cross-site_request_forgery). Although all POST routes are validated with a CSRF token, some of the PUT/DELETE routes were missing this validation.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/9071): <!--number 9071 --><!--line 0 --><!--description dmFsaWRhdGUgQ1NSRiBvbiBub24tc2FmZSBtZXRob2Rz-->validate CSRF on non-safe methods<!--description-->
<!--end release-notes-assistant-->

Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9082
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
This commit is contained in:
forgejo-backport-action 2025-08-30 18:46:31 +02:00 committed by Earl Warren
commit 5be039310c
2 changed files with 23 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
routers/web/web.go
View file

@ -177,7 +177,8 @@ func verifyAuthWithOptions(options *common.VerifyOptions) func(ctx *context.Cont
return
}
if !options.SignOutRequired && !options.DisableCSRF && ctx.Req.Method == "POST" {
safeMethod := ctx.Req.Method == "GET" || ctx.Req.Method == "HEAD" || ctx.Req.Method == "OPTIONS"
if !options.SignOutRequired && !options.DisableCSRF && !safeMethod {
ctx.Csrf.Validate(ctx)
if ctx.Written() {
return

21
tests/integration/csrf_test.go
View file

@ -1,4 +1,5 @@
// Copyright 2017 The Gitea Authors. All rights reserved.
// Copyright 2025 The Forgejo Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package integration
@ -32,3 +33,23 @@ func TestCsrfProtection(t *testing.T) {
resp = session.MakeRequest(t, req, http.StatusBadRequest)
assert.Contains(t, resp.Body.String(), "Invalid CSRF token")
}
func TestCSRFSafeMethods(t *testing.T) {
defer tests.PrepareTestEnv(t)()
t.Run("DELETE", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
session := loginUser(t, "user2")
resp := session.MakeRequest(t, NewRequest(t, "DELETE", "/user2/repo1/projects/1/2"), http.StatusBadRequest)
assert.Equal(t, "Invalid CSRF token.\n", resp.Body.String())
})
t.Run("PUT", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
session := loginUser(t, "user2")
resp := session.MakeRequest(t, NewRequest(t, "PUT", "/user2/repo1/projects/1/2"), http.StatusBadRequest)
assert.Equal(t, "Invalid CSRF token.\n", resp.Body.String())
})
}