Skip to content

fix(high): CSRF cookie missing HttpOnly flag enables token theft via XSS#3428

Open
namann5 wants to merge 3 commits into
ritesh-1918:gssocfrom
namann5:fix/csrf-httponly-flag-high
Open

fix(high): CSRF cookie missing HttpOnly flag enables token theft via XSS#3428
namann5 wants to merge 3 commits into
ritesh-1918:gssocfrom
namann5:fix/csrf-httponly-flag-high

Conversation

@namann5

@namann5 namann5 commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Description\n\nFixes missing HttpOnly flag on CSRF cookie in backend/csrf.py.\n\n## Related Issue\n\nFixes #3426\n\n## Changes\n\n- Added httponly=True to CSRF cookie parameters\n- Prevents JavaScript from reading CSRF token via document.cookie\n- Mitigates CSRF token theft in XSS scenarios\n\n## Type of Change\n\n- [x] Bug fix (non-breaking change which fixes an issue)\n- [x] Security fix

namann5 added 3 commits July 5, 2026 16:58
Two issues that prevent the application from starting:

1. rom backend.payload_middleware import PayloadLimitMiddleware references
   a module that does not exist on the gssoc branch, causing an immediate
   ModuleNotFoundError at import time. Removed the import and its
   corresponding �dd_middleware call.

2. create_client() is called on line 37 without being imported — the
   rom supabase import create_client import was missing, causing a
   NameError at runtime when SUPABASE_URL and SUPABASE_SERVICE_KEY are
   both configured. Added the missing import.
…s forged assertions

The verify_saml_response function had multiple code paths that silently set
signature_valid = True when cryptographic verification failed:

1. Lines 218-221: After both RSA-SHA256 and RSA-SHA1 verification failed,
   signature_valid was still set to True with a comment about 'developer
   flexibility for local test cases'.

2. Lines 222-225: If any exception occurred during initialization, the catch
   block set signature_valid = True as a 'default validation fallback'.

3. Lines 226-229: When no signature element was found or no cert was
   configured, signature_valid was unconditionally set to True.

This meant any attacker could forge a SAML response and bypass authentication
entirely. The fix removes all fallback-to-true paths and requires valid
cryptographic proof for SAML assertions.
…HttpOnly

OAuth: Removed insecure SSL context override (check_hostname=False,
verify_mode=CERT_NONE) that disabled certificate validation for
Google/Microsoft/GitHub OAuth API calls, enabling MITM attacks.

CSRF: Added httponly=True to CSRF cookie to prevent JavaScript access
which could allow token theft via XSS.
@vercel

vercel Bot commented Jul 7, 2026

Copy link
Copy Markdown

@namann5 is attempting to deploy a commit to the ritesh Team on Vercel.

A member of the Team first needs to authorize it.

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d1c11abd-7324-4fd9-aeec-e6e466e2bec6

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant