authorrubenwardy <rw@rubenwardy.com>2018-05-13 18:37:57 +0100
committerrubenwardy <rw@rubenwardy.com>2018-05-13 18:38:01 +0100
commit889e130e6bfa98974611d3eee3c9073c3753bc9b (patch)
tree8823f5898d95441ca07cf18f65e8642e7c3073fe /app
parent0dc02ed67fff593b6d85fba916d79089aebf5b93 (diff)
downloadcheatdb-889e130e6bfa98974611d3eee3c9073c3753bc9b.tar.xz
Fix CSRF vulnerability on approve/reject links
Fixes #17
Diffstat (limited to 'app')
-rw-r--r--app/__init__.py4
-rw-r--r--app/templates/packages/editrequest_view.html11
-rw-r--r--app/templates/packages/view.html5
-rw-r--r--app/views/packages.py6
-rw-r--r--app/views/tasks.py3
5 files changed, 21 insertions, 8 deletions
diff --git a/app/__init__.py b/app/__init__.py
index 8e989c4..11d7cca 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -3,14 +3,18 @@ from flask_user import *
import flask_menu as menu
from flask.ext import markdown
from flask_github import GitHub
+from flask_wtf.csrf import CsrfProtect
import os
+
+
app = Flask(__name__)
app.config.from_pyfile(os.environ["FLASK_CONFIG"])
menu.Menu(app=app)
markdown.Markdown(app, extensions=["fenced_code"], safe_mode=True, output_format="html5")
github = GitHub(app)
+csrf = CsrfProtect(app)
from . import models, tasks
from .views import *
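Review bot: `CsrfProtect` on the new import line is the deprecated spelling; Flask-WTF renamed the class to `CSRFProtect` (0.14+) and keeps the old name only as a compatibility alias, so `from flask_wtf.csrf import CSRFProtect` / `csrf = CSRFProtect(app)` avoids a future import error. Registering it on `app` makes every POST route in the application require a token, including routes this commit does not touch, so any form or XHR that posts without `csrf_token` now fails with a 400; the tasks.py exemption covers one such route, and any others are not visible on this page. Token generation also depends on `SECRET_KEY` (or `WTF_CSRF_SECRET_KEY`) being present in the file loaded from `FLASK_CONFIG`, which is not shown here. A one-line comment on the new line, such as `# App-wide CSRF: every POST must carry csrf_token(); opt out per route with @csrf.exempt`, would make that global effect explicit to the next reader.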
diff --git a/app/templates/packages/editrequest_view.html b/app/templates/packages/editrequest_view.html
index ce8f70e..95d4674 100644
--- a/app/templates/packages/editrequest_view.html
+++ b/app/templates/packages/editrequest_view.html
@@ -29,9 +29,14 @@
</div>
{% elif package.checkPerm(current_user, "APPROVE_CHANGES") %}
<div class="box box_grey">
- To resolve this request, either
- <a href="{{ request.getApproveURL() }}">Approve and Apply</a> or
- <a href="{{ request.getRejectURL() }}">Reject</a> it.
+ <form method="post" action="{{ request.getApproveURL() }}">
+ <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+ <input type="submit" value="Approve and Apply" />
+ </form>
+ <form method="post" action="{{ request.getRejectURL() }}">
+ <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+ <input type="submit" value="Reject" />
+ </form>
</div>
{% endif %}
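Review bot: The hidden `csrf_token` input is written out verbatim in both the approve form and the reject form here, and a third identical copy appears in the view.html hunk; a shared Jinja macro such as `{% macro csrf_field() %}<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />{% endmacro %}` in a common template would keep the field name and the `csrf_token()` call in one place. That matters because the field name is configurable (`WTF_CSRF_FIELD_NAME`) and any later change would otherwise have to be repeated per form. The two forms are otherwise correct for the new POST-only routes.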
diff --git a/app/templates/packages/view.html b/app/templates/packages/view.html
index ecd6b35..47d74ea 100644
--- a/app/templates/packages/view.html
+++ b/app/templates/packages/view.html
@@ -10,7 +10,10 @@
<span class="icon_message"></span>
This package needs to be approved before it can be found.
{% if package.checkPerm(current_user, "APPROVE_NEW") %}
- <a href="{{ package.getApproveURL() }}">Approve</a>
+ <form method="post" action="{{ package.getApproveURL() }}">
+ <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+ <input type="submit" value="Approve" />
+ </form>
{% endif %}
<div style="clear: both;"></div>
</div>
diff --git a/app/views/packages.py b/app/views/packages.py
index a732d04..66cf354 100644
--- a/app/views/packages.py
+++ b/app/views/packages.py
@@ -172,7 +172,7 @@ def create_edit_package_page(author=None, name=None):
return render_template("packages/create_edit.html", package=package, form=form, author=author)
-@app.route("/packages/<author>/<name>/approve/")
+@app.route("/packages/<author>/<name>/approve/", methods=["POST"])
@login_required
@is_package_page
def approve_package_page(package):
@@ -314,7 +314,7 @@ def view_editrequest_page(package, id):
return render_template("packages/editrequest_view.html", package=package, request=erequest)
-@app.route("/packages/<author>/<name>/requests/<id>/approve/")
+@app.route("/packages/<author>/<name>/requests/<id>/approve/", methods=["POST"])
@is_package_page
def approve_editrequest_page(package, id):
if not package.checkPerm(current_user, Permission.APPROVE_CHANGES):
@@ -339,7 +339,7 @@ def approve_editrequest_page(package, id):
return redirect(package.getDetailsURL())
-@app.route("/packages/<author>/<name>/requests/<id>/reject/")
+@app.route("/packages/<author>/<name>/requests/<id>/reject/", methods=["POST"])
@is_package_page
def reject_editrequest_page(package, id):
if not package.checkPerm(current_user, Permission.APPROVE_CHANGES):
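Review bot: The two editrequest routes restricted to POST in the second and third hunks still lack the `@login_required` that `approve_package_page` carries in the first hunk, so they rely solely on `package.checkPerm(current_user, Permission.APPROVE_CHANGES)` to turn away an unauthenticated request; presumably checkPerm returns False for an anonymous `current_user`, but adding `@login_required` directly under each `@app.route(...)` line makes the three handlers consistent and sends anonymous callers to the login page rather than whatever the permission branch does. Restricting these URLs to POST also means any remaining plain `<a href>` to `getApproveURL()`/`getRejectURL()` outside the two templates in the diffstat now receives a 405, so other callers (notification or e-mail templates, if any) are worth checking. All three handler bodies continue past the hunk boundaries.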
diff --git a/app/views/tasks.py b/app/views/tasks.py
index c5a508a..9b27f61 100644
--- a/app/views/tasks.py
+++ b/app/views/tasks.py
@@ -1,7 +1,7 @@
from flask import *
from flask_user import *
from flask.ext import menu
-from app import app
+from app import app, csrf
from app.models import *
from app.tasks import celery
from app.tasks.importtasks import getMeta
@@ -10,6 +10,7 @@ from .utils import shouldReturnJson
from .utils import *
+@csrf.exempt
@app.route("/tasks/getmeta/new/", methods=["POST"])
@login_required
def new_getmeta_page():
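Review bot: `@csrf.exempt` on `/tasks/getmeta/new/` reopens for this one POST route the cross-site request problem the commit closes elsewhere: the route is `@login_required`, so a logged-in user's browser can still be made to submit it from another origin, and the handler body (outside the hunk) determines what that can trigger. If the app's own JavaScript posts to this route rather than a form, Flask-WTF also accepts the token in the `X-CSRFToken` request header, which would remove the need for the exemption. If the exemption is deliberate, a comment above the decorator such as `# csrf-exempt: posted via XHR without a form token; TODO send X-CSRFToken instead` would stop the next reader from treating it as an oversight.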