fix(high): CSRF cookie missing HttpOnly flag enables token theft via XSS#3428
fix(high): CSRF cookie missing HttpOnly flag enables token theft via XSS#3428namann5 wants to merge 3 commits into
Conversation
Two issues that prevent the application from starting: 1. rom backend.payload_middleware import PayloadLimitMiddleware references a module that does not exist on the gssoc branch, causing an immediate ModuleNotFoundError at import time. Removed the import and its corresponding �dd_middleware call. 2. create_client() is called on line 37 without being imported — the rom supabase import create_client import was missing, causing a NameError at runtime when SUPABASE_URL and SUPABASE_SERVICE_KEY are both configured. Added the missing import.
…s forged assertions The verify_saml_response function had multiple code paths that silently set signature_valid = True when cryptographic verification failed: 1. Lines 218-221: After both RSA-SHA256 and RSA-SHA1 verification failed, signature_valid was still set to True with a comment about 'developer flexibility for local test cases'. 2. Lines 222-225: If any exception occurred during initialization, the catch block set signature_valid = True as a 'default validation fallback'. 3. Lines 226-229: When no signature element was found or no cert was configured, signature_valid was unconditionally set to True. This meant any attacker could forge a SAML response and bypass authentication entirely. The fix removes all fallback-to-true paths and requires valid cryptographic proof for SAML assertions.
…HttpOnly OAuth: Removed insecure SSL context override (check_hostname=False, verify_mode=CERT_NONE) that disabled certificate validation for Google/Microsoft/GitHub OAuth API calls, enabling MITM attacks. CSRF: Added httponly=True to CSRF cookie to prevent JavaScript access which could allow token theft via XSS.
|
@namann5 is attempting to deploy a commit to the ritesh Team on Vercel. A member of the Team first needs to authorize it. |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Description\n\nFixes missing HttpOnly flag on CSRF cookie in backend/csrf.py.\n\n## Related Issue\n\nFixes #3426\n\n## Changes\n\n- Added httponly=True to CSRF cookie parameters\n- Prevents JavaScript from reading CSRF token via document.cookie\n- Mitigates CSRF token theft in XSS scenarios\n\n## Type of Change\n\n- [x] Bug fix (non-breaking change which fixes an issue)\n- [x] Security fix