Routes not protected against CSRF

@prudloff,

I've pushed some changes to the 3566913-routes-not-protected issue fork. Please let me know if the changes satisfy the requirements for this issue ticket.

Sorry about that. The changes are present now.

Thanks for looking at the changes.

The Straker Translate uses the Straker Verify translation management system (https://verify.straker.ai) to translate Drupal content. I tried the reproduction step using <img src="http://example.com/admin/straker-translate/setup/account/handshake?access_token=newtoken"> and the token didn't change, so I think at least that case is fixed.

Is there anything else we can do to fix this ticket's issue? Should I add the "_csrf_token" requirement to every route?

After taking a closer look at all our routes, I added the "_csrf_token" requirement to the "straker_translate.entity.confirm" route. I don't think any other routes need it.

What do you think? Do my changes satisfy the security requirements for this ticket?

Hi Pierre Rudloff,
Hope you are doing well.

Apologies if Join the community I am not a drupal developer but rather a project manager role for the drupal connector, and just want to follow up if what Joey has implemented is already sufficient to meet your security requirements?
Appreciate if we can have feedback as our team is already planning for a demo to use our new drupal connector and we really want to fix and pass this security warnings.

Thanks!

Hi @prudloff,
Hope all is well on your end. Apologies I am not part of the maintainer of this project as I work as a project manager rather a development and I Just want to follow up if the fixes applied by @jbhovik met your security requirements?
As we cannot do some demo to our possible client until we have clear all the warnings in https://www.drupal.org/project/straker_translate,

Appreciate if you can provide feedback if there are action items on here.

Thanks!

Side question:

Did @prudloff attempt to contact any of the maintainers privately (Coordinated Disclosure) before publicly disclosing his concerns here?

@prudloff

In the future you may wish to consider contacting the maintainers directly. As a Drupal Security Team Member you can reasonably be expected to be aware that link is set by the Drupal Association without the full consent of the module owner.

Addtionaly as a Drupal Security Team member you reasonably could have been expected to know that the module owners were attempting to gain security coverage for the module in #3561589: [1.0.x] Straker Translate to consider granting them Coordinated Disclosure.

I had a similar conversation with another one of your colleagues who was on the Drupal Security Team some time back (years) where they were debating how to handle a module in a similar position. I am unable to find the thread at this time however they ended up following Coordinated Disclosure principals even though the D.A and DST would encourage otherwise.

Note; I am not the maintainer, they may find the public disclosure of a security flaw acceptable. This message is intended to point out how you as an individual can improve the ecosystem security.

Maintainers: My apologias for this side track in your issue.

Thanks @cmlara and @prudloff for the response here.

I believe this was the only platform or way we communicate to resolve this findings.
for the security advisory policy we have an open case here --> https://www.drupal.org/project/projectapplications/issues/3561589

@prudloff even after the fixes applied by @jbhovik you can still see that there is a lot of routes? And may I ask currently the status is in active who will move it to another status like for review as joey has applied the fixed also who will review and decide that this has been resolved?

@prudloff,

My mistake. I got pulled into another development effort.

@prudloff,

Since we ran into a merge conflict for the Resolve #3566913 "Routes not protected" merge request, we just committed a patch to the 1.0.x branch within the main repo. Is that okay?