Security issue: read-only canned queries leak CSRF token in URL #918

Closed
simonw opened this issue Aug 9, 2020 · 4 comments
Comments

simonw (Owner) commented Aug 9, 2020

The HTML form for a read-only canned query includes the hidden CSRF token field added in #798 for writable canned queries (#698).

This means that submitting those read-only forms exposes the CSRF token in the URL - for example on https://latest.datasette.io/fixtures/neighborhood_search submitting the form took me to:

https://latest.datasette.io/fixtures/neighborhood_search?text=down&csrftoken=IlFubnoxVVpLU1NGT3NMVUoi.HbOPd2YH_epQmp8f_aAt0s-MxtU

This token could potentially leak to an attacker if the resulting page has a link to an external site on it and the user clicks the link, since the token would be exposed in the referral logs.

simonw added a commit that referenced this issue Aug 9, 2020
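The issue above describes two things a defender wants to be able to do: render a form so that the CSRF token is only ever carried in a POST body, and notice when a token has already ended up in a URL or in an outbound Referer. The following is an added illustration in Python, not Datasette's own code; `render_query_form`, `leaked_params`, `scan_access_log`, the host `datasette.example`, the `SAMPLE_LOG` lines and the `EXAMPLE_TOKEN` value are all constructed for this example.

```python
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# Query-string parameter names that must never appear in a URL.
SENSITIVE_PARAMS = {"csrftoken"}


def render_query_form(action, method, field_names, csrf_token):
    """Render a minimal canned-query form (hypothetical helper).

    The hidden CSRF token is only emitted for POST forms. A GET form
    serialises every field, hidden ones included, into the query string
    of the resulting URL, which is exactly how the token leaked here.
    """
    method = method.upper()
    if method not in ("GET", "POST"):
        raise ValueError("method must be GET or POST")
    parts = [f'<form action="{escape(action)}" method="{method}">']
    for name in field_names:
        parts.append(f'<input type="text" name="{escape(name)}">')
    if method == "POST":
        parts.append(
            f'<input type="hidden" name="csrftoken" value="{escape(csrf_token)}">'
        )
    parts.append('<input type="submit" value="Run"></form>')
    return "".join(parts)


def leaked_params(url):
    """Return the sorted names of sensitive parameters in a URL's query string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in query if name.lower() in SENSITIVE_PARAMS)


# Combined-log-style request line: "METHOD url HTTP/x.y" status "referer"
LOG_RE = re.compile(
    r'"(?:GET|POST|HEAD) (?P<url>\S+) HTTP/[\d.]+" \d+ "(?P<referer>[^"]*)"'
)


def scan_access_log(lines):
    """Return (line_number, field, url) for every request URL or Referer value
    that carries a sensitive parameter.

    Both fields matter: the token shows up once in our own request URL and
    again as the Referer header sent to any site the user clicks through to.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.search(line)
        if not match:
            continue
        for field in ("url", "referer"):
            value = match.group(field)
            if value != "-" and leaked_params(value):
                findings.append((number, field, value))
    return findings


# Constructed sample log lines; EXAMPLE_TOKEN is a placeholder, not a real token.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Aug/2020:10:00:00 +0000] "GET /fixtures/neighborhood_search?text=down HTTP/1.1" 200 "-"',
    '10.0.0.5 - - [09/Aug/2020:10:00:01 +0000] "GET /fixtures/neighborhood_search?text=down&csrftoken=EXAMPLE_TOKEN HTTP/1.1" 200 "-"',
    '10.0.0.7 - - [09/Aug/2020:10:00:02 +0000] "GET /landing HTTP/1.1" 200 "https://datasette.example/fixtures/neighborhood_search?csrftoken=EXAMPLE_TOKEN"',
]

if __name__ == "__main__":
    # A read-only (GET) form: no hidden token is rendered, so nothing can leak.
    print(render_query_form("/fixtures/neighborhood_search", "GET", ["text"], "EXAMPLE_TOKEN"))
    for number, field, url in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: sensitive parameter in {field}: {url}")
```

Run over `SAMPLE_LOG`, the scanner reports line 2 (the token in the instance's own request URL) and line 3 (the same token arriving at another site as a Referer). The rendering rule is the general form of the fix the issue implies: the decision to emit the hidden field is keyed on the form's method, not on whether the query is marked writable.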
simonw (Owner, Author) commented Aug 9, 2020

Fix has been released in Datasette 0.46: https://datasette.readthedocs.io/en/latest/changelog.html#v0-46

simonw closed this as completed Aug 9, 2020

simonw (Owner, Author) commented Aug 9, 2020

It's worth noting that in order to exploit this issue the following would all need to be true:

  • A user is running a copy of Datasette protected by a cookie-based authentication plugin AND configured with at least one writable canned query
  • An attacker is in control of a URL that could conceivably be returned on a page that is displayed as the result of submitting a read-only canned query
  • An authenticated user of that Datasette instance, who is running a browser that doesn't support the SameSite=lax cookie parameter (which is widely supported by modern browsers), submits the read-only canned query form and then clicks a link to the attacker's off-site page, exposing their CSRFToken in the attacker's HTTP referer logs
  • The attacker then tricks that user into visiting their own malicious web page which includes a POST form that auto-submits against the writable canned query that the attacker wishes to exploit, including the CSRF token as a hidden field

The attacker would need full knowledge of the URL and form layout of the Datasette instance that they are exploiting.

simonw (Owner, Author) commented Aug 9, 2020

Submitting the form on https://latest.datasette.io/fixtures/neighborhood_search demonstrates that this is fixed.

simonw (Owner, Author) commented Aug 9, 2020

GitHub security advisory: GHSA-q6j3-c4wc-63vw
