Mitigate CSRF on repository settings #217

ikus060 · Sep 20, 2022 · 20fc0d3 · 20fc0d3
1 parent 18a5aab
commit 20fc0d3
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -113,6 +113,7 @@ This releases include a security fix. If you are using an earlier version, you s
 
 * Support MarkupSafe<3 for Debian bookworm
 * Mitigate CSRF on user's notification settings #216 [CVE-2022-3233](https://nvd.nist.gov/vuln/detail/CVE-2022-3233)
+* Mitigate CSRF on repository settings #217
 
 ## 2.4.5 (2002-09-16)
 

diff --git a/rdiffweb/controller/page_settings.py b/rdiffweb/controller/page_settings.py
@@ -36,12 +36,13 @@ class SettingsPage(Controller):
     )
     def default(self, path=b"", action=None, **kwargs):
         repo_obj = self.app.store.get_repo(path)
-        if kwargs.get('keepdays'):
-            return self._remove_older(repo_obj, **kwargs)
-        elif kwargs.get('new_encoding'):
-            return self._set_encoding(repo_obj, **kwargs)
-        elif kwargs.get('maxage'):
-            return self._set_maxage(repo_obj, **kwargs)
+        if cherrypy.request.method == 'POST':
+            if kwargs.get('keepdays'):
+                return self._remove_older(repo_obj, **kwargs)
+            elif kwargs.get('new_encoding'):
+                return self._set_encoding(repo_obj, **kwargs)
+            elif kwargs.get('maxage'):
+                return self._set_maxage(repo_obj, **kwargs)
         # Get page data.
         params = {
             'repo': repo_obj,

diff --git a/rdiffweb/controller/tests/test_page_settings.py b/rdiffweb/controller/tests/test_page_settings.py
@@ -59,6 +59,15 @@ def test_set_maxage(self):
         repo_obj = self.app.store.get_user('admin').get_repo(self.REPO)
         self.assertEqual(4, repo_obj.maxage)
 
+    def test_set_maxage_method_get(self):
+        # When trying to update maxage with GET method
+        self.getPage("/settings/" + self.USERNAME + "/" + self.REPO + "/?maxage=4")
+        # Then page return without error
+        self.assertStatus(200)
+        # Then database is not updated
+        repo_obj = self.app.store.get_user('admin').get_repo(self.REPO)
+        self.assertEqual(0, repo_obj.maxage)
+
     def test_does_not_exists(self):
         # Given an invalid repo
         repo = 'invalid'

diff --git a/rdiffweb/controller/tests/test_page_settings_remove_older.py b/rdiffweb/controller/tests/test_page_settings_remove_older.py
@@ -77,3 +77,13 @@ def test_as_another_user(self):
         # Browse admin's repos
         self._remove_older('anotheruser', 'testcases', '2')
         self.assertStatus('403 Forbidden')
+
+    def test_set_keepdays_method_get(self):
+        # When trying update keepdays with method GET
+        self.getPage("/settings/" + self.USERNAME + "/" + self.REPO + "/?keepdays=4")
+        # Then pge return without error
+        self.assertStatus(200)
+        # Then database is not updated
+        user = self.app.store.get_user(self.USERNAME)
+        repo = user.get_repo(self.REPO)
+        self.assertEqual(-1, repo.keepdays)
diff --git a/rdiffweb/controller/tests/test_page_settings_set_encoding.py b/rdiffweb/controller/tests/test_page_settings_set_encoding.py
@@ -113,3 +113,13 @@ def test_as_another_user(self):
         # Browse admin's repos
         self._set_encoding('anotheruser', 'testcases', 'utf-8')
         self.assertStatus('403 Forbidden')
+
+    def test_set_encoding_method_get(self):
+        # When trying to update encoding with method GET
+        self.getPage("/settings/admin/testcases/?new_encoding=cp1252")
+        # Then page return without error
+        self.assertStatus(200)
+        # Then database is not updated
+        user = self.app.store.get_user(self.USERNAME)
+        repo = user.get_repo(self.REPO)
+        self.assertEqual('utf-8', repo.encoding)