Disabling CSRF guard for specific routes #665

Closed
alexweissman opened this issue Mar 14, 2017 · 2 comments
Comments

@alexweissman
Member

Sometimes, you need to exclude certain routes from CSRF checks. For example, routes that are meant to be consumed by another application instead of a browser (see #385, #521, #558, #568). It's also useful for things like raw asset loading, where you want to avoid initializing the CSRF middleware altogether, because it has a dependency on the session, which in turn can cause too many read/write attempts in succession, as we saw with #633.

One option is to disable global CSRF middleware, and instead require that each route explicitly declare the CSRF check as route middleware ("whitelist" approach). I'm not sure if this would still end up initializing the middleware on routes that don't actually use it.

Or, we can leave global CSRF middleware enabled, and then provide a means for routes to declare themselves exempt from CSRF checks ("blacklist" approach). Again, we'd want to check the blacklist before the middleware is even instantiated in the first place.

You can see how we're implementing blacklisting for asset routes right now:

// Middleware
// Hacky fix to prevent sessions from being hit too much: ignore CSRF middleware for requests for raw assets ;-)
// See https://github.com/laravel/framework/issues/8172#issuecomment-99112012 for more information on why it's bad to hit Laravel sessions multiple times in rapid succession.
$request = $container->request;
$path = $request->getUri()->getPath();
$csrfBlacklist = [
    $container->config['assets.raw.path']
];
// starts_with() (the illuminate/support helper) accepts an array of prefixes, so the
// middleware is skipped for any path under a blacklisted prefix and added (which
// initializes the session) for everything else, including an empty path.
if (!$path || !starts_with($path, $csrfBlacklist)) {
    $app->add($container->csrf);
}

So, maybe we could just go with a blacklist, and build a wrapper around it so that it doesn't have to do this in index.php?

This is also related to #617.

@lcharette
Member

+1 for blacklist. Forget to whitelist one and you have a security issue.

@alexweissman
Member Author

OK, this has been implemented with the csrf.blacklist configuration setting, which maps regular expressions (matching routes) to arrays of HTTP methods. Any request that matches one of these blacklisted routes and methods will bypass the CSRF middleware.
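As an added example (not UserFrosting's own implementation), here is how a csrf.blacklist-style check as described in this comment, and in the index.php snippet earlier in the thread, can be evaluated before the middleware is added, so an exempt request never touches the session. The `csrfExempt` function name, the patterns and the sample requests are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not UserFrosting's own code: decide from a csrf.blacklist-style
// map (route regex => allowed HTTP methods, as the issue describes the setting)
// whether a request may bypass the CSRF middleware. Patterns and requests below
// are constructed samples.

/**
 * True only when $path matches a blacklisted regex AND $method is listed for it.
 * Everything else keeps the CSRF guard, so a typo in the config fails closed.
 */
function csrfExempt(string $path, string $method, array $blacklist): bool
{
    $method = strtoupper($method);
    foreach ($blacklist as $pattern => $methods) {
        $hit = preg_match($pattern, $path);
        if ($hit !== 1) {
            // 0 = no match; false = invalid regex, also treated as "not exempt"
            continue;
        }
        if (in_array($method, array_map('strtoupper', $methods), true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample configuration. Patterns are anchored on purpose: an
// unanchored '#/api#' would also exempt '/account/api-keys', the kind of
// over-broad exemption that quietly reintroduces CSRF exposure.
$csrfBlacklist = [
    '#^/api/webhook$#' => ['POST'],   // machine-to-machine endpoint
    '#^/assets-raw/#'  => ['GET'],    // raw asset loading, avoid session I/O
];

// Constructed sample requests: [method, path, expected exemption]
$samples = [
    ['POST', '/api/webhook',           true],
    ['GET',  '/api/webhook',           false], // method not listed
    ['GET',  '/assets-raw/css/uf.css', true],
    ['POST', '/assets-raw/css/uf.css', false],
    ['POST', '/account/settings',      false], // normal form route stays guarded
];

foreach ($samples as [$method, $path, $expected]) {
    $exempt = csrfExempt($path, $method, $csrfBlacklist);
    printf("%-4s %-25s exempt=%-3s %s\n", $method, $path,
        $exempt ? 'yes' : 'no', $exempt === $expected ? 'ok' : 'MISMATCH');
}
// In index.php (Slim 3 style, like the snippet in the issue) this replaces the
// starts_with() test: add $container->csrf only when csrfExempt() returns false.
```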
