Hacker News new | ask | show | jobs
by griffinmb 2409 days ago
This class of bug (CSRF bypass via route confusion) is probably more common in Phoenix apps. I’ve found a handful of apps vulnerable to this issue with Sobelow.

People create (for example) a get ‘/profile’ and a post ‘/profile’, and the action intended to correspond with post requests really just pattern matches against params.

I’ve also seen at least one app implement this properly, matching against the HTTP method as you described.
1 comments
nickjj 2409 days ago
To be safe from this in Phoenix that would look like this right?

    def profile(conn = %{method: "GET"}, params) do
      # ...
    end

    def profile(conn = %{method: "POST"}, %{"user" => user_params) do
      # ...
    end
This would be in a case where your router looks like:

    get "/profile", UserController, :profile, as: :user
    post "/profile", UserController, :profile, as: :user
That's what I'm doing in my code base at the moment. Mainly thanks to Changelog open sourcing their platform, and you can see that pattern being used here: https://github.com/thechangelog/changelog.com/blob/f9b0a7587...

The above seems like the natural way to do it with Phoenix once you get a hang of pattern matching.

link
griffinmb 2409 days ago
Yep, that’s the way!
link