Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 2.2.1
- None
- Important
Description
I believe I've just found a major XSRF flaw in the REST plugin's RestActionMapper.
See http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29 for more details concerning XSRF.
Manually performing a GET request on a create() method using the name!method convention, the create() method actually gets invoked (btw, the model is also populated).
As far as I can see, ANY of the operations with side effects (create, update, destroy) can be invoked this way (using a GET request).
The code in RestActionMapper seems to totally ignore the HTTP-method used:
    // handle "name!method" convention: the text before '!' becomes the action
    // name, the text after it the method to invoke. The request's HTTP method
    // is never consulted here.
    String name = mapping.getName();
    int exclamation = name.lastIndexOf("!");
    if (exclamation != -1) {
        mapping.setName(name.substring(0, exclamation));
        mapping.setMethod(name.substring(exclamation + 1));
    }
Most other REST frameworks use annotations like @GET/@POST or similar mechanisms on the controller methods in order to make sure that the correct method is used, otherwise yielding a 400 BAD REQUEST or similar.
Has this issue been addressed before?
In the current state, I would not recommend using the REST plugin for production use.
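The following is an added, self-contained Java model of the "name!method" handling quoted in the report, written to show the vulnerable behaviour beside a hardened variant. It is not the Struts REST plugin's code: `Mapping`, `mapIgnoringHttpMethod()` and `mapCheckingHttpMethod()` are simplified stand-ins for `ActionMapping` and `RestActionMapper.getMapping()`, the request lines in `main()` are constructed, and the set of side-effecting method names is an assumption taken from the report (create, update, destroy).

```java
import java.util.Set;

/**
 * Stand-alone model of the "name!method" convention, not the REST plugin's code.
 * The vulnerable variant reproduces the logic quoted in the report; the hardened
 * variant refuses to select a side-effecting method on a safe (GET/HEAD) request.
 */
public class NameBangMethodMapping {

    /** Minimal stand-in for ActionMapping: action name plus method to invoke. */
    static final class Mapping {
        final String name;
        final String method;
        Mapping(String name, String method) { this.name = name; this.method = method; }
        @Override public String toString() { return name + " -> " + method + "()"; }
    }

    /** Methods with side effects (assumed from the report); never reachable via GET/HEAD. */
    static final Set<String> MUTATING = Set.of("create", "update", "destroy");

    /** HTTP methods that must be safe, i.e. free of side effects. */
    static final Set<String> SAFE_HTTP_METHODS = Set.of("GET", "HEAD");

    /** Vulnerable behaviour as described in the report: the HTTP method is ignored. */
    static Mapping mapIgnoringHttpMethod(String rawName) {
        int exclamation = rawName.lastIndexOf('!');
        if (exclamation == -1) {
            return new Mapping(rawName, "index");   // default method, an assumption
        }
        return new Mapping(rawName.substring(0, exclamation),
                           rawName.substring(exclamation + 1));
    }

    /**
     * Hardened variant: an explicit "!method" suffix may only select a
     * side-effecting method when the request is not GET/HEAD. A null result
     * models "no mapping", which the framework would turn into a client error.
     */
    static Mapping mapCheckingHttpMethod(String rawName, String httpMethod) {
        Mapping m = mapIgnoringHttpMethod(rawName);
        if (SAFE_HTTP_METHODS.contains(httpMethod.toUpperCase())
                && MUTATING.contains(m.method)) {
            return null;
        }
        return m;
    }

    public static void main(String[] args) {
        // Constructed requests for illustration, not captured traffic.
        String[][] requests = {
            {"GET",  "orders!create"},
            {"HEAD", "orders!destroy"},
            {"POST", "orders!create"},
            {"GET",  "orders!show"},
            {"GET",  "orders"},
        };
        for (String[] r : requests) {
            Mapping before = mapIgnoringHttpMethod(r[1]);
            Mapping after = mapCheckingHttpMethod(r[1], r[0]);
            System.out.printf("%-4s /%-15s vulnerable: %-22s hardened: %s%n",
                    r[0], r[1], before, after == null ? "rejected" : after);
        }
    }
}
```

Run with `java NameBangMethodMapping.java` (Java 11 or later). The hardened variant closes the vector the report describes, a plain link or image tag issuing a GET, but it does not make the plugin CSRF-proof on its own: a cross-site form can still submit a POST, so state-changing actions additionally need the per-request token described on the linked OWASP page.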