Field Test CSRF vulnerability

2020-08-0514:53:34

Google

osv.dev

csrf vulnerability

field test dashboard

non-session based authentication

basic authentication

devise's default authentication

upgrade

rails

protect_from_forgery

null_session

exception

EPSS

0.001

Percentile

21.6%

JSON

The Field Test dashboard is vulnerable to cross-site request forgery (CSRF) with non-session based authentication methods in versions v0.2.0 through v0.3.2.

Impact

The Field Test dashboard is vulnerable to CSRF with non-session based authentication methods, like basic authentication. Session-based authentication methods (like Devise’s default authentication) are not affected.

A CSRF attack works by getting an authorized user to visit a malicious website and then performing requests on behalf of the user. In this instance, a single endpoint is affected, which allows for changing the variant assigned to a user.

All users running an affected release should upgrade immediately.

Technical Details

Field Test uses the protect_from_forgery method from Rails to prevent CSRF. However, this defaults to :null_session, which has no effect on non-session based authentication methods. This has been changed to protect_from_forgery with: :exception.