Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix(csrf): fix possible infinite loop #2607

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Fix(csrf): fix possible infinite loop #2607

wants to merge 4 commits into from

Conversation

Primexz
Copy link

@Primexz Primexz commented Apr 10, 2024
edited

Description

If the CSRF token is set twice, the user ends up in an infinite loop. This loop can only be exited if the user's cookies are deleted.

Instead of only ever decoding the 1st best cookie, all cookies are now searched to see if a suitable cookie can be found.

Motivation and Context

As an administrator, I don't want my users to end up in my loop, which they can't leave without technical knowledge.
This PR will fix #2606

How Has This Been Tested?

This fix was tested by re-executing the reproducing steps defined in the issue.

Checklist:

  • My change requires a change to the documentation or CHANGELOG.
  • I have updated the documentation/CHANGELOG accordingly.
  • I have created a feature (non-master) branch for my PR.
  • I have written tests for my code changes.

@Primexz Primexz requested a review from a team as a code owner April 10, 2024 13:29
@github-actions github-actions bot added the go label Apr 10, 2024
@github-actions github-actions bot added the docs label Apr 10, 2024
tuunit
tuunit suggested changes Apr 12, 2024
View reviewed changes
pkg/cookies/csrf.go
Comment on lines +85 to +87
if err != nil {
continue
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we still don't have logging levels otherwise i would consider adding a debug log here 🤔

Copy link
Author

@Primexz Primexz Apr 16, 2024
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I would also like to have a log at this point.
I think we can also add a log here without log levels as this error should not occur so often.

pkg/cookies/csrf.go Show resolved Hide resolved
@github-actions github-actions bot added the tests label Apr 16, 2024
@Primexz Primexz requested a review from tuunit April 16, 2024 07:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tuunit tuunit Awaiting requested review from tuunit

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
docs go tests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Bug]: Infinite loop if the Csrf cookie is set twice
2 participants
@Primexz @tuunit