
Under certain conditions, disabling CSRF for a route doesn't work (Debugging included)

Node version: 8
Sails version (sails): 1.2.3


In https://github.com/balderdashy/sails/blob/b3afed7a6c67ba61b5202cab5954a388f05617c2/lib/hooks/security/csrf/index.js#L32

Due to the path being lowercased, if you have a RegEx pattern with uppercased letters, it will then fail to properly match against a given request URL further down and thus always return Forbidden.

https://github.com/balderdashy/sails/blob/b3afed7a6c67ba61b5202cab5954a388f05617c2/lib/hooks/security/csrf/index.js#L99

I’m not sure if there would be any regressions from removing the .toLowerCase(), but certainly this shouldn't be desired behaviour.

Issue Analytics

  • State: open
  • Created 4 years ago
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

johnabrams7 commented, Aug 28, 2019 (1 reaction)

@kinsi55 We were able to reproduce this and were able to actually hit the root if we changed the CAPS to lowercased characters. We’re going to further investigate what the deal is with .toLowerCase() and any true regressions for working around it to allow CAPS in the RegEx patterns as well.

kinsi55 commented, Aug 26, 2019 (1 reaction)

Never mind the previous comment, that was related to my PR; I mixed it up.

I don't have the time to set up a repo for this rn, but the way you can repro it is by having a route like this:

    // config/routes.js
    module.exports.routes = {
      // regex route address with uppercase letters, exempted from CSRF
      'post r|/CAPS/(.+)$|foo': {
        action: 'anything',
        csrf: false
      }
    };

Trying to post to /CAPS/foo will then still require CSRF.
