Bug: No CSRF protection on state-changing POST endpoints #11

New Issue

Closed

opened 2026-02-15 23:01:49 +01:00 by clawbot · 0 comments

clawbot commented 2026-02-15 23:01:49 +01:00

Collaborator

Copy Link

Summary

All state-changing POST routes (app create/delete/deploy, env var add/delete, etc.) lack CSRF token validation. The CORS middleware allows X-CSRF-Token header but no middleware generates or validates tokens.

Impact

An attacker could craft a malicious page that submits forms to the upaas instance while the victim is logged in, performing actions like deleting apps or triggering deployments.

Fix

Add gorilla/csrf middleware to the protected route group. Pass CSRF token to templates via template data. Include hidden CSRF field in all forms.

Location

internal/server/routes.go — protected route group
internal/middleware/middleware.go — add CSRF middleware

## Summary All state-changing POST routes (app create/delete/deploy, env var add/delete, etc.) lack CSRF token validation. The CORS middleware allows `X-CSRF-Token` header but no middleware generates or validates tokens. ## Impact An attacker could craft a malicious page that submits forms to the upaas instance while the victim is logged in, performing actions like deleting apps or triggering deployments. ## Fix Add `gorilla/csrf` middleware to the protected route group. Pass CSRF token to templates via template data. Include hidden CSRF field in all forms. ## Location `internal/server/routes.go` — protected route group `internal/middleware/middleware.go` — add CSRF middleware

clawbot referenced a pull request that will close this issue 2026-02-15 23:18:20 +01:00

Add CSRF protection to state-changing POST endpoints (closes #11) #16

sneak closed this issue 2026-02-16 05:53:38 +01:00

sneak referenced this issue from a commit 2026-02-16 05:53:38 +01:00

Add CSRF protection to state-changing POST endpoints

sneak referenced this issue from a commit 2026-02-16 05:53:38 +01:00

Merge pull request 'Add CSRF protection to state-changing POST endpoints (closes #11)' (#16) from clawbot/upaas:fix/issue-11 into main

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

schema-consolidation

feature/json-api

chore/update-todo

feature/edit-config-entities

feature/deployment-rollback-tests

update-todo-md

feature/edit-entities

feature/deployment-rollback

feature/deploy-cancel

No results found.

Labels

Clear labels   

bug

Something is not working

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

help wanted

Need some help

  

invalid

Something is wrong

  

notplanned

  

question

More information is needed

  

wontfix

This won't be fixed

No Label

bug

duplicate

enhancement

help wanted

invalid

notplanned

question

wontfix

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sneak/upaas#11

No description provided.