Skip to content

fix(security): prevent CSRF bypass via domain boundary check on referer#3172

Open
nyxsky404 wants to merge 1 commit into
Priyanshu-byte-coder:mainfrom
nyxsky404:fix/csrf-referer-bypass
Open

fix(security): prevent CSRF bypass via domain boundary check on referer#3172
nyxsky404 wants to merge 1 commit into
Priyanshu-byte-coder:mainfrom
nyxsky404:fix/csrf-referer-bypass

Conversation

@nyxsky404

Copy link
Copy Markdown
Contributor

This PR fixes a security vulnerability in the custom CSRF validator (validateCsrf). The previous implementation used a naive referer.startsWith(a) string match, allowing attackers to bypass CSRF protections by registering subdomains like https://devtrack.com.attacker.com. The logic has been updated to strictly enforce the domain boundary by appending a trailing slash to the prefix match, preventing subdomain spoofing attacks. Fixes #3168.

@github-actions github-actions Bot added gssoc26 GSSoC 2026 contribution type:bug GSSoC type bonus: bug fix type:security GSSoC type bonus: security (+20 pts) labels Jul 8, 2026
@github-actions github-actions Bot added type:feature GSSoC type bonus: new feature type:performance GSSoC type bonus: performance (+15 pts) labels Jul 8, 2026
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

  • level:beginner — 20 pts
  • level:intermediate — 35 pts
  • level:advanced — 55 pts
  • level:critical — 80 pts

Quality (optional):

  • quality:clean — ×1.2 multiplier
  • quality:exceptional — ×1.5 multiplier

Validation (required to score):

  • gssoc:approved — counts for points
  • gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gssoc26 GSSoC 2026 contribution type:bug GSSoC type bonus: bug fix type:feature GSSoC type bonus: new feature type:performance GSSoC type bonus: performance (+15 pts) type:security GSSoC type bonus: security (+20 pts)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] CSRF Validation Bypass via Referer Prefix Matching Flaw

1 participant