CSRF Vulnerability with Non-Session Based Authentication
ankane opened this issue · comments
The Field Test dashboard is vulnerable to cross-site request forgery (CSRF) with non-session based authentication methods. This vulnerability has been assigned the CVE identifier CVE-2020-16252.
Versions Affected: 0.2.0 to 0.3.2
Fixed Versions: 0.4.0
Impact
The Field Test dashboard is vulnerable to CSRF with non-session based authentication methods, like basic authentication. Session-based authentication methods (like Devise's default authentication) are not affected.
A CSRF attack works by getting an authorized user to visit a malicious website and then performing requests on behalf of the user. In this instance, a single endpoint is affected, which allows for changing the variant assigned to a user.
All users running an affected release should upgrade immediately.
Technical Details
Field Test uses the protect_from_forgery
method from Rails to prevent CSRF. However, this defaults to :null_session
, which has no effect on non-session based authentication methods. This has been changed to protect_from_forgery with: :exception
.