User avatar upload endpoint is vulnerable to XSRF

2014-03-14T00:35:27
ID ATLASSIAN:BSERV-5335
Type atlassian
Reporter pepoirot
Modified 2017-02-16T02:07:01

Description

Stash, as of 2.12, allows users to upload local avatars to their account (STASHDEV-6182).

That upload is submitted to a (non-API) endpoint that accepts a POST request with the avatar as a [data-uri|https://en.wikipedia.org/wiki/Data_Uri].

Currently, because the form is submitted by AJAX, the endpoint is annotated with {{@IgnoresXsrf}}, as the front-end does not have a security token to submit along with the request. See [UserProfileController.uploadAvatar|https://stash.dev.internal.atlassian.com/projects/STASH/repos/stash/browse/webapp/default/src/main/java/com/atlassian/stash/internal/web/users/UserProfileController.java#65] for the source.

The two alternatives to fix this (and remove the annotation) are:
- submit the data as JSON instead of {{form-urlencoded}},
- get hold of a security token/value in the page and submit it as part of the AJAX request.