Prerequisites
Checked that there is not already a package that provides the described functionality
Description
Lack of CSRF when uploading files and unable to add custom fields to specify CSRF unless appended to query string as a parameter for uploadUrl and deleteUrl.
Steps to Reproduce
The above does not provide a clean mechanism of providing a token unless appended as a query parameter as ?csrf=abc to uploadUrl and deleteUrl.
Expected behaviour: Upload and delete URL can only be invoked with a CSRF token.
Actual behaviour: Upload and delete URL can be invoked without any CSRF token, thus a malicious user can invoke the endpoint without any authentication.
Reproduces how often: 100%
Versions
"@ministryofjustice/frontend": "1.6.4",