From efb593e4c891663acce7a4e60e6cbcaf2bc317c6 Mon Sep 17 00:00:00 2001
From: HDVinnie <hdinnovations@protonmail.com>
Date: Thu, 23 Sep 2021 21:50:33 -0400
Subject: [PATCH] security: cross-site request forgery

- huntr bounty
---
 resources/views/Staff/chat/bot/index.blade.php   | 16 ++++++++++++----
 resources/views/partials/dashboardmenu.blade.php | 10 +++++++---
 routes/web.php                                   |  6 +++---
 3 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/resources/views/Staff/chat/bot/index.blade.php b/resources/views/Staff/chat/bot/index.blade.php
index e27ec1d70f..09a04f2eb1 100644
--- a/resources/views/Staff/chat/bot/index.blade.php
+++ b/resources/views/Staff/chat/bot/index.blade.php
@@ -54,11 +54,19 @@ class="btn btn-warning">@lang('common.edit')</a>
             
                                         @else
                                             @if($bot->active)
-                                                <a href="{{ route('staff.bots.disable', ['id' => $bot->id]) }}"
-                                                    class="btn btn-danger">@lang('common.disable')</a>
+                                                <form role="form" method="POST" action="{{ route('staff.bots.disable', ['id' => $bot->id]) }}" style="display: inline-block;">
+                                                    @csrf
+                                                    <button type="submit" class="btn btn-xs btn-warning">
+                                                        <i class='{{ config('other.font-awesome') }} fa-times-circle'></i> @lang('common.disable')
+                                                    </button>
+                                                </form>
                                             @else
-                                                <a href="{{ route('staff.bots.enable', ['id' => $bot->id]) }}"
-                                                    class="btn btn-success">@lang('common.enable')</a>
+                                                <form role="form" method="POST" action="{{ route('staff.bots.enable', ['id' => $bot->id]) }}" style="display: inline-block;">
+                                                    @csrf
+                                                    <button type="submit" class="btn btn-xs btn-success">
+                                                        <i class='{{ config('other.font-awesome') }} fa-check-circle'></i> @lang('common.enable')
+                                                    </button>
+                                                </form>
                                             @endif
                                         @endif
                                     </form>
diff --git a/resources/views/partials/dashboardmenu.blade.php b/resources/views/partials/dashboardmenu.blade.php
index b308be3194..969f60ef7a 100644
--- a/resources/views/partials/dashboardmenu.blade.php
+++ b/resources/views/partials/dashboardmenu.blade.php
@@ -48,9 +48,13 @@
                 </a>
             </li>
             <li>
-                <a href="{{ route('staff.flush.chat') }}">
-                    <i class="{{ config('other.font-awesome') }} fa-broom"></i> @lang('staff.flush-chat')
-                </a>
+                <form role="form" method="POST" action="{{ route('staff.flush.chat') }}" style="padding: 10px 15px;">
+                    @csrf
+                    <i class="{{ config('other.font-awesome') }} fa-broom"></i>
+                    <button type="submit" class="btn btn-xs btn-info">
+                        @lang('staff.flush-chat')
+                    </button>
+                </form>
             </li>
 
             <li class="nav-header head">
diff --git a/routes/web.php b/routes/web.php
index 79cf301a19..0ec26b8f38 100755
--- a/routes/web.php
+++ b/routes/web.php
@@ -693,8 +693,8 @@
                 Route::get('/bots/{id}/edit', [App\Http\Controllers\Staff\ChatBotController::class, 'edit'])->name('edit');
                 Route::patch('/bots/{id}/update', [App\Http\Controllers\Staff\ChatBotController::class, 'update'])->name('update');
                 Route::delete('/bots/{id}/destroy', [App\Http\Controllers\Staff\ChatBotController::class, 'destroy'])->name('destroy');
-                Route::get('/bots/{id}/disable', [App\Http\Controllers\Staff\ChatBotController::class, 'disable'])->name('disable');
-                Route::get('/bots/{id}/enable', [App\Http\Controllers\Staff\ChatBotController::class, 'enable'])->name('enable');
+                Route::post('/bots/{id}/disable', [App\Http\Controllers\Staff\ChatBotController::class, 'disable'])->name('disable');
+                Route::post('/bots/{id}/enable', [App\Http\Controllers\Staff\ChatBotController::class, 'enable'])->name('enable');
             });
         });
 
@@ -749,7 +749,7 @@
         Route::group(['prefix' => 'flush'], function () {
             Route::name('staff.flush.')->group(function () {
                 Route::get('/peers', [App\Http\Controllers\Staff\FlushController::class, 'peers'])->name('peers');
-                Route::get('/chat', [App\Http\Controllers\Staff\FlushController::class, 'chat'])->name('chat');
+                Route::post('/chat', [App\Http\Controllers\Staff\FlushController::class, 'chat'])->name('chat');
             });
         });