🛡️ Sentinel: [HIGH] Add CSRF protection to report-issue endpoint#130
🛡️ Sentinel: [HIGH] Add CSRF protection to report-issue endpoint#130aicoder2009 wants to merge 1 commit into
Conversation
Added `isSameOrigin` validation from `@/lib/security/rate-limit` to the `POST /api/report-issue` endpoint to prevent Cross-Site Request Forgery (CSRF) attacks. Requests from external origins will now correctly receive a `403 Forbidden` response. Updated the associated test suite to assert the new CSRF protection behavior. Co-authored-by: aicoder2009 <127642633+aicoder2009@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Pull request overview
Adds same-origin validation to the POST /api/report-issue Next.js App Router endpoint to mitigate CSRF, and extends the API test suite to ensure cross-origin POSTs are rejected.
Changes:
- Enforced CSRF protection by rejecting cross-origin requests using
isSameOrigin(request)before processing report payloads. - Updated
report-issueroute tests to includeOriginby default and added a 403 test for cross-origin POSTs. - Documented the CSRF learning/prevention in
.jules/sentinel.md.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/app/api/report-issue/route.ts | Adds same-origin gate (403) to block CSRF-style cross-site POST submissions. |
| src/app/api/report-issue/route.test.ts | Ensures requests include an Origin header and verifies cross-origin requests are rejected. |
| .jules/sentinel.md | Records CSRF vulnerability details and the expected prevention pattern for POST endpoints. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| function makeRequest(body: object, headers: Record<string, string> = {}) { | ||
| return new NextRequest('http://localhost/api/report-issue', { | ||
| method: 'POST', | ||
| headers: { | ||
| origin: 'http://localhost', |
🛡️ Sentinel: [HIGH] Add CSRF protection to report-issue endpoint
Severity: HIGH
Vulnerability: The application was not protecting the
POST /api/report-issueendpoint from Cross-Site Request Forgery (CSRF) attacks.Impact: An attacker could host a malicious page that tricks an authenticated user's browser into submitting arbitrary issue reports to the repository via a forged POST request.
Fix: Added
isSameOriginvalidation from@/lib/security/rate-limitto explicitly validate the requestOriginorRefererheaders before processing the payload.Verification: Added a test in
src/app/api/report-issue/route.test.tsto ensure cross-origin requests are rejected with a 403 Forbidden status, and ranpnpm testto ensure it passes.PR created automatically by Jules for task 2101093649296935502 started by @aicoder2009