Description
A cross-site request forgery (CSRF) vulnerability occurs when a web application uses session cookies and acts on an HTTP request without verifying that the request was made with the user's consent.
There are 5 cases of CSRF in ui-grid.
- The application generates an HTTP request via a form post at fileChooserEditor.html line 2. PoC:
<div>
<form
name="inputForm">
<input
ng-class="'colt' + col.uid"
ui-grid-edit-file-chooser
type="file"
id="files"
name="files[]"
ng-model="MODEL_COL_FIELD"/>
</form>
</div>
The form post at fileChooserEditor.html line 2 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.
- The application generates an HTTP request via a form post at index.html line 124 and at index.html line 149. PoC (L124):
<form>
<div class="col-sm-12 col-md-6 col-lg-4" ng-repeat="v in variables track by $index">
<label for="{{ v.name }}" class="muted">{{ v.name }}</label> <input id="{{ v.name }}" type="text" class="form-control" ng-model="v.value" ng-change="updateCSS()">
</div>
</form>
PoC (L149):
<form>
<label for="customLess">Custom Less</label>
<textarea class="form-control" id="customLess" rows="4" ng-model="customLess" ng-change="updateCSS()" ng-init="customLess = ''"></textarea>
</form>
The form posts at index.html line 124 and line 149 must each contain a user-specific secret in order to prevent an attacker from making unauthorized requests.
Location (124-128): https://github.com/angular-ui/ui-grid/blob/4aa2cc59a6bc683552a1e328f639a0aa0a0c7527/misc/site/customizer/index.html#L124-L128
Location (149-152): https://github.com/angular-ui/ui-grid/blob/4aa2cc59a6bc683552a1e328f639a0aa0a0c7527/misc/site/customizer/index.html#L149-L152
- The application generates an HTTP request via a form post at importerMenuItem.html line 3. PoC:
<li
class="ui-grid-menu-item">
<form>
<input
class="ui-grid-importer-file-chooser"
type="file"
id="files"
name="files[]"/>
</form>
</li>
The form post at importerMenuItem.html line 3 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.
- The application generates an HTTP request via a form post at dropdownEditor.html line 2. PoC:
<div>
<form
name="inputForm">
<select
ng-class="'colt' + col.uid"
ui-grid-edit-dropdown
ng-model="MODEL_COL_FIELD"
ng-options="field[editDropdownIdLabel] as field[editDropdownValueLabel] CUSTOM_FILTERS for field in editDropdownOptionsArray">
</select>
</form>
</div>
The form post at dropdownEditor.html line 2 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.
- The application generates an HTTP request via a form post at cellEditor.html line 2. PoC:
<div>
<form
name="inputForm">
<input
type="INPUT_TYPE"
ng-class="'colt' + col.uid"
ui-grid-editor
ng-model="MODEL_COL_FIELD" />
</form>
</div>
The form post at cellEditor.html line 2 must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.
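
The "user-specific secret" recommended for each form above can be a token bound to the user's session and checked on every state-changing request. The following is an added example, not code from ui-grid or from this report; the function names, the `sessionId` and `csrfToken` request fields, and the server key are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed key for the example; a real server loads this from secret storage.
const SERVER_KEY = crypto.randomBytes(32);

// HMAC over the session id and a per-token nonce ties the token to one user session.
function macFor(sessionId, nonce) {
  return crypto.createHmac('sha256', SERVER_KEY)
    .update(`${sessionId}|${nonce}`)
    .digest();
}

// Issue the value the server would embed in a hidden form field.
function issueCsrfToken(sessionId) {
  const nonce = crypto.randomBytes(16).toString('hex');
  return `${nonce}.${macFor(sessionId, nonce).toString('hex')}`;
}

// Return true only if the token was issued for this session.
function verifyCsrfToken(sessionId, token) {
  if (typeof token !== 'string') return false;
  const parts = token.split('.');
  if (parts.length !== 2) return false;
  const [nonce, mac] = parts;
  // Reject nonces that were not produced by issueCsrfToken (32 hex characters).
  if (!/^[0-9a-f]{32}$/.test(nonce)) return false;
  const expected = macFor(sessionId, nonce);
  const given = Buffer.from(mac, 'hex');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
}

// Gate for incoming requests: safe methods pass, everything else needs a valid token.
function allowRequest(req) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return true;
  return verifyCsrfToken(req.sessionId, req.csrfToken);
}
```

A cross-site page can cause the browser to send the victim's session cookie, but it cannot read the token embedded in the legitimate form, so a forged POST fails the check.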