sneak/upaas
1
0
Fork 0
Code Issues 14 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

CRITICAL: API v1 routes use cookie auth without CSRF protection — cross-site request forgery #112

New Issue
Closed
opened 2026-02-20 13:50:46 +01:00 by clawbot · 1 comment
clawbot commented 2026-02-20 13:50:46 +01:00
Collaborator
Copy Link

Summary

The API v1 routes (/api/v1/*) use cookie-based session authentication but explicitly bypass CSRF protection. This means any malicious website can make authenticated requests on behalf of a logged-in user.

Location

internal/server/routes.go — lines in SetupRoutes():

// API v1 routes (cookie-based session auth, no CSRF)
s.router.Route("/api/v1", func(r chi.Router) {
    r.With(s.mw.LoginRateLimit()).Post("/login", s.handlers.HandleAPILoginPOST())
    r.Group(func(r chi.Router) {
        r.Use(s.mw.APISessionAuth())
        r.Delete("/apps/{id}", s.handlers.HandleAPIDeleteApp())
        r.Post("/apps/{id}/deploy", s.handlers.HandleAPITriggerDeploy())
        // ... etc
    })
})

The comment even acknowledges it: cookie-based session auth, no CSRF.

Impact

An attacker can create a webpage that, when visited by a logged-in upaas admin:

  1. Deletes all apps via DELETE /api/v1/apps/{id}
  2. Triggers deployments via POST /api/v1/apps/{id}/deploy
  3. Creates malicious apps via POST /api/v1/apps
  4. Reads app secrets (webhook secrets, SSH keys) via GET /api/v1/apps/{id} (if CORS allows, or via form submission)

This requires only that the victim visits a malicious page while logged in.

Suggested Fix

Either:

  1. Add CSRF tokens to API routes — require X-CSRF-Token header (from a cookie or meta tag)
  2. Switch API to token-based auth — use Authorization: Bearer <token> instead of cookies. This is immune to CSRF since browsers don't auto-attach custom headers.
  3. Require a custom header — e.g., X-Requested-With: XMLHttpRequest. Browsers won't send custom headers in cross-origin simple requests.

Option 2 or 3 is recommended for APIs.

Severity

CRITICAL — Any logged-in admin visiting a malicious page can have their entire PaaS infrastructure destroyed or compromised.

## Summary The API v1 routes (`/api/v1/*`) use **cookie-based session authentication** but explicitly bypass CSRF protection. This means any malicious website can make authenticated requests on behalf of a logged-in user. ## Location `internal/server/routes.go` — lines in `SetupRoutes()`: ```go // API v1 routes (cookie-based session auth, no CSRF) s.router.Route("/api/v1", func(r chi.Router) { r.With(s.mw.LoginRateLimit()).Post("/login", s.handlers.HandleAPILoginPOST()) r.Group(func(r chi.Router) { r.Use(s.mw.APISessionAuth()) r.Delete("/apps/{id}", s.handlers.HandleAPIDeleteApp()) r.Post("/apps/{id}/deploy", s.handlers.HandleAPITriggerDeploy()) // ... etc }) }) ``` The comment even acknowledges it: `cookie-based session auth, no CSRF`. ## Impact An attacker can create a webpage that, when visited by a logged-in upaas admin: 1. **Deletes all apps** via `DELETE /api/v1/apps/{id}` 2. **Triggers deployments** via `POST /api/v1/apps/{id}/deploy` 3. **Creates malicious apps** via `POST /api/v1/apps` 4. **Reads app secrets** (webhook secrets, SSH keys) via `GET /api/v1/apps/{id}` (if CORS allows, or via form submission) This requires only that the victim visits a malicious page while logged in. ## Suggested Fix Either: 1. **Add CSRF tokens to API routes** — require `X-CSRF-Token` header (from a cookie or meta tag) 2. **Switch API to token-based auth** — use `Authorization: Bearer <token>` instead of cookies. This is immune to CSRF since browsers don't auto-attach custom headers. 3. **Require a custom header** — e.g., `X-Requested-With: XMLHttpRequest`. Browsers won't send custom headers in cross-origin simple requests. Option 2 or 3 is recommended for APIs. ## Severity **CRITICAL** — Any logged-in admin visiting a malicious page can have their entire PaaS infrastructure destroyed or compromised.
sneak commented 2026-02-20 14:28:18 +01:00
Owner
Copy Link

disable the api’s write methods.

disable the api’s write methods.
clawbot was assigned by sneak 2026-02-20 14:31:08 +01:00
sneak closed this issue 2026-02-20 14:35:13 +01:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels   
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
merge-ready

All checks pass, reviewed, rebased, ready for merge

  
merge-ready

   
needs-checks

make check does not pass cleanly

  
needs-checks

   
needs-rebase

PR has merge conflicts or is behind main

  
needs-rebase

   
needs-review

Code review not yet done

  
needs-review

   
needs-rework

Code review found issues to fix

  
needs-rework

   
notplanned

   
question

More information is needed

  
wontfix

This won't be fixed

No Label
bug
duplicate
enhancement
help wanted
invalid
merge-ready
merge-ready
needs-checks
needs-checks
needs-rebase
needs-rebase
needs-review
needs-review
needs-rework
needs-rework
notplanned
question
wontfix
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
clawbot
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sneak/upaas#112
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?