Skip to content

fix(security): enable CSRF protection for state-changing requests#327

Draft
Isaries wants to merge 2 commits into
WISE-Community:developfrom
Isaries:fix/enable-csrf-protection
Draft

fix(security): enable CSRF protection for state-changing requests#327
Isaries wants to merge 2 commits into
WISE-Community:developfrom
Isaries:fix/enable-csrf-protection

Conversation

@Isaries

@Isaries Isaries commented Jul 6, 2026

Copy link
Copy Markdown

Summary

CSRF protection was disabled site-wide. Because authentication relies on a session cookie that the browser attaches automatically, a malicious page could drive state-changing actions on behalf of a signed-in user. This enables CSRF protection.

Changes

  • Enable CSRF using a cookie based token repository that matches the single page application defaults (token in a cookie, echoed back in a request header).
  • Add a filter that forces the token cookie to be written on requests that do not otherwise read it, since the token is loaded lazily.
  • Send the token from the legacy server-rendered portal pages: a shared handler attaches the token to their jQuery requests, and the one plain HTML form gets the token field. Spring form tag pages already receive the token automatically.

Why this is a draft

Enabling CSRF affects every state-changing request, so it needs verification on a running instance before merging:

  • Confirm the token handshake end to end: the cookie is written on first load and echoed back on sign-in and on single page application actions.
  • Confirm the legacy server-rendered portal pages (enable and disable users, manage roles, portal settings, delete news, list and import projects, impersonate users) still work.

The WebSocket same-origin re-enable is intentionally out of scope; it would need client side token handling and its own verification.

Testing

  • Builds on JDK 17 (mvnw package).

Isaries added 2 commits July 6, 2026 22:29
CSRF protection was disabled site-wide, so any authenticated session
could be driven by a forged cross-site request. Because authentication
relies on a session cookie that the browser attaches automatically, a
malicious page could trigger state-changing actions (password changes,
account edits, run management) on behalf of a signed-in user without
their knowledge.

Enable CSRF using a cookie-based token repository so the token is
readable by the single page application and echoed back in a request
header, matching the client framework defaults. Add a filter that
forces the token cookie to be written on requests that do not otherwise
read it, since the token is loaded lazily.
Enabling CSRF protection also applies to the server rendered admin and
teacher portal pages. Their jQuery POST requests and one plain HTML form
did not send the token, so those actions (enabling or disabling users,
managing roles, portal settings, deleting news, listing and importing
projects, impersonating users) would be rejected with a 403.

Add a shared handler in the common portal script that echoes the token
cookie back in a request header on state changing same origin requests,
include that script on the two pages that lacked it, and add the token
field to the plain import form. Spring form tag pages already receive
the token automatically.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant