Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: respond with 200 to HEAD requests for non-prerendered pages as well #13101

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: respond with 200 to HEAD requests for non-prerendered pages as well #13101

wants to merge 1 commit into from
+38 −7

Conversation

corneliusroemer
Copy link

@corneliusroemer corneliusroemer commented Jan 30, 2025
edited by ematipico
Loading

Changes

Fixes #13079
Fixes #13104
Fixes #13103

Also ensure that HTTP method CONNECT gets origin checked as well (it was previously wrongly omitted because only POST, PUT, PATCH, DELETE were previously checked).

Inspired by @joshmkennedy's PR #13100

Testing

Add test for HEAD getting correct HTTP response 200 (this would have failed prior to his prior)

Docs

Pure bug fix, no docs changes necessary

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Jan 30, 2025

🦋 Changeset detected

Latest commit: e4bf640

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@github-actions github-actions bot added the pkg: astro Related to the core `astro` package (scope) label Jan 30, 2025
@codspeed-hq CodSpeed HQ
Copy link

codspeed-hq bot commented Jan 30, 2025

CodSpeed Performance Report

Merging #13101 will not alter performance

Comparing corneliusroemer:fix-csrf (e4bf640) with main (23e631c)

Summary

✅ 6 untouched benchmarks

@corneliusroemer corneliusroemer mentioned this pull request Jan 30, 2025
Open
1 task
@joshmkennedy joshmkennedy mentioned this pull request Jan 31, 2025
Closed
@corneliusroemer
Copy link
Author

I don't understand why the test fails, is there maybe another big somewhere in HEAD handling? Or is this in the test utils?

When I test locally, I get 200 for head now.

@joshmkennedy
Copy link

You will need to update the fixture. Here is what I did in my pull request. I just added a index.astro to the csrf-check-origin fixture. You could also add a API route for HEAD requests. Not sure which is best.

ematipico
ematipico requested changes Jan 31, 2025
View reviewed changes
packages/astro/test/csrf-protection.test.js
@@ -176,6 +176,34 @@ describe('CSRF origin check', () => {
});
});

it("return a 200 when the origin doesn't match but calling HEAD", async () => {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this is quite a delicate feature that involves security, would you mind adding a test for each verb method that was added to SAFE_METHODS? I would like to cover all cases if possible

ematipico
ematipico reviewed Jan 31, 2025
View reviewed changes
packages/astro/test/csrf-protection.test.js
Comment on lines +182 to +185
request = new Request('http://example.com/api/', {
headers: { origin: 'http://loreum.com', 'content-type': 'multipart/form-data' },
method: 'HEAD',
});
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test is failing because you're hitting an endpoint, which exposes only the GET method.

You should:

  • create an astro component and hit that route
  • expand the api.ts file and add the rest of the verbs to test

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the pointers!

jurajkapsz
jurajkapsz reviewed Feb 3, 2025
View reviewed changes
packages/astro/src/core/app/middlewares.ts
request.method === 'PATCH' ||
request.method === 'DELETE') &&
request.headers.get('origin') === url.origin;
const sameOrigin = request.headers.get('origin') === url.origin;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a nuance, imho isSameOrigin would fit better, as seen also in isPrerendered, hasContentType etc.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jurajkapsz jurajkapsz jurajkapsz left review comments

@ematipico ematipico ematipico requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
pkg: astro Related to the core `astro` package (scope)
Projects
None yet
Milestone
No milestone
4 participants
@corneliusroemer @joshmkennedy @ematipico @jurajkapsz