BLT
Remove GET based actions that make server side changes.
Below are the actions identified by coderabbit; check first whether each is really an issue or just a false positive. Check #4057 for more info.
I've identified several endpoints that modify server-side state in response to GET requests, which could lead to CSRF vulnerabilities.
Here are the specific problematic functions:
In website/views/issue.py:
like_issue(request, issue_pk) - modifies user upvotes
dislike_issue(request, issue_pk) - modifies user downvotes
flag_issue(request, issue_pk) - modifies issue flags
save_issue(request, issue_pk) - adds/removes saved issues
unsave_issue(request, issue_pk) - removes saved issues
In website/views/organization.py:
like_activity(request, id) - modifies activity likes/approval
dislike_activity(request, id) - modifies activity dislikes
approve_activity(request, id) - changes approval status
None of these functions check for the request method, meaning they process changes via GET requests.
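The pattern coderabbit flags above, shown as an added example that is not BLT's code: a toggle view with no method check, beside the same view restricted to POST. Django's CsrfViewMiddleware only validates the token on non-"safe" methods, so a GET that writes state is never CSRF-checked, and the session cookie rides along on a cross-site top-level link even with the `SameSite=Lax` default (an `<img>` subrequest is blocked by Lax but not by `SameSite=None`). The `HttpRequest`, `HttpResponse` and `require_POST` definitions below are small stand-ins modelled on Django's so the module runs without Django; the real fix is `from django.views.decorators.http import require_POST` (or `require_http_methods`) on each of the listed views, and submitting the like/flag/save actions as POST forms carrying `csrfmiddlewaretoken`.

```python
"""Added example (not BLT's code): a state-changing GET view and its
POST-only fix. HttpRequest, HttpResponse and require_POST are assumed
stand-ins that mirror the Django objects of the same name."""
from dataclasses import dataclass, field
from functools import wraps


@dataclass
class HttpRequest:
    """Minimal stand-in for django.http.HttpRequest (assumed shape)."""
    method: str
    user: str                                  # authenticated username
    POST: dict = field(default_factory=dict)   # form body; empty on a GET


@dataclass
class HttpResponse:
    status_code: int = 200
    body: str = ""


# Upvote table: issue_pk -> set of users who upvoted it. In BLT this is
# database state; a dict keeps the example self-contained and offline.
UPVOTES: dict = {}


def reset_store():
    UPVOTES.clear()


def _toggle_upvote(issue_pk, user):
    """Shared business logic: add the vote, or remove it if already present."""
    voters = UPVOTES.setdefault(issue_pk, set())
    if user in voters:
        voters.remove(user)
    else:
        voters.add(user)
    return HttpResponse(200, f"{len(voters)} upvotes")


def like_issue_vulnerable(request, issue_pk):
    """BEFORE: never looks at request.method, so a plain GET mutates state.
    A page on any origin can trigger it with a link the victim clicks
    (top-level navigation sends SameSite=Lax cookies) or, if the session
    cookie is SameSite=None, silently with <img src=".../issue/42/like/">.
    CsrfViewMiddleware skips GET entirely, so no token is ever required."""
    return _toggle_upvote(issue_pk, request.user)


def require_POST(view):
    """Stand-in for django.views.decorators.http.require_POST: any method
    other than POST gets 405 before the view body runs."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if request.method != "POST":
            return HttpResponse(405, "Method Not Allowed")
        return view(request, *args, **kwargs)
    return wrapper


@require_POST
def like_issue_fixed(request, issue_pk):
    """AFTER: identical logic, but only reachable via POST. In Django that
    puts the view under CsrfViewMiddleware, which rejects a cross-site POST
    that lacks a valid csrfmiddlewaretoken; a link or <img> can never supply one."""
    return _toggle_upvote(issue_pk, request.user)


def simulate_cross_site_get(view, issue_pk, victim):
    """Model the attack: the victim's browser issues a GET with the victim's
    session attached and no body. Returns (status, victim_now_upvoted)."""
    resp = view(HttpRequest(method="GET", user=victim), issue_pk)
    return resp.status_code, victim in UPVOTES.get(issue_pk, set())


if __name__ == "__main__":
    reset_store()
    print("vulnerable:", simulate_cross_site_get(like_issue_vulnerable, 42, "victim"))
    reset_store()
    print("fixed:     ", simulate_cross_site_get(like_issue_fixed, 42, "victim"))
```

Running the module shows the vulnerable view returning 200 with the victim's vote recorded, while the fixed view returns 405 and leaves the store untouched; a legitimate POST to the fixed view still toggles the vote. The same decorator applies unchanged to the other views in the list (`dislike_issue`, `flag_issue`, `save_issue`, `unsave_issue`, and the activity views in `organization.py`), with the front-end links converted to POST forms so the CSRF token is actually sent.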