Contrib.social

"nojs"/"ajax" route parameter in use-ajax link breaks CSRF protection

Open on Drupal.org →
Created on 17 February 2016, about 9 years ago
Updated 20 March 2023, about 2 years ago

Problem/Motivation

When creating a route that makes use of the nojs functionality of Drupal Ajax (the one that replaces "nojs" with "ajax" in your link when the link has the "use-ajax" class) in combination with the "_csrf_token" requirement on your route, the CSRF validation breaks on ajax requests as the path doesn't match the original rendered path anymore for which the token was generated.

For example:
My original link is:
/flag/flag/bookmark/1/nojs?destination=node/1&token=BKjZye8PPzpXvn_VlslxaXv_XdT1KoD5e-mGeaRmMlk
Drupal changes this path into:
/flag/flag/bookmark/1/ajax?destination=node/1&token=BKjZye8PPzpXvn_VlslxaXv_XdT1KoD5e-mGeaRmMlk

The new URL makes us able to return a proper response if the user has JS disabled (or just opened the link in a new tab).
However, "_csrf_token" bases it's token on the generated path, including all parameters, so when requested Ajax URL get's validated with \Drupal\Core\Access\CsrfAccessCheck, it denies access.

Proposed resolution

How I'm seeing it there are 2 possible solutions:

  • We use a predefined parameter for such URLs, maybe {js}? Example: "/flag/flag/{flag}/{entity_id}/{js}". That parameter is replaced inside \Drupal\Core\Access\CsrfAccessCheck and \Drupal\Core\Access\RouteProcessorCsrf to always contain the same value, so that CSRF thinks our path always is /flag/flag/{flag}/{entity_id}/js
  • We move the nojs/ajax from the path to the query string.
🐛 Bug report
Status

Needs work

Version

10.1

Component
Ajax 

Last updated 1 day ago

Created by

🇳🇱Netherlands jeroen.b

Live updates comments and jobs are added and updated live.
  • Contributed project blocker

    It denotes an issue that prevents porting of a contributed project to the stable version of Drupal due to missing APIs, regressions, and so on.

  • Needs change record

    A change record needs to be drafted before an issue is committed. Note: Change records used to be called change notifications.

  • Needs release note

    The major change should have a special release note written to summarize the importance of the change. See Write a release note for an issue.

  • Needs issue summary update

    Issue summaries save everyone time if they are kept up-to-date. See Update issue summary task instructions.

Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment about 2 years ago
    🇫🇷France izus

    confirmig #50 did it for me.
    Thank you

  • Comment 3 months ago
    🇬🇧United Kingdom joachim

    Couple of things:

    1. +++ b/core/lib/Drupal/Core/Access/RouteProcessorCsrfAjax.php
@@ -0,0 +1,73 @@
+ * Processes outbound ajax/nojs route to handle the CSRF token.

      This needs documentation to explain why this class is different from the parent. 

    2. +++ b/core/lib/Drupal/Core/Access/RouteProcessorCsrfAjax.php
@@ -0,0 +1,73 @@
+  public function processOutbound($route_name, Route $route, array &$parameters, BubbleableMetadata $bubbleable_metadata = NULL) {

      This method looks the same as in the parent?

  • Comment about 2 months ago
    🇫🇷France goz

    I agree the idea to have specific access for Ajax should be a good idea, except reading actual code, this does not provide more or less feature, only duplicate code.

    Current patch does not work anymore, and taking care of #60 make me wonder if all this duplicate stuff is really needed.

    Why we do not need _csrf_ajax_token ?

    Using _csrf_ajax_token, we have to create both RouteProcessorCsrfAjax and CsrfAjaxAccessCheck which do exactly the same thing as _csrf_token.

    _csrf_exclude_parameters is enough to solve the issue, like it's already in use in https://git.drupalcode.org/project/vote_up_down/-/blob/8.x-1.x/vud.routi...

    So instead of adding both _csrk_ajax_token and/or _csrf_exclude_parameters, the second one should be enough for less code.

    I put this in MR instead of keeping on old patchs.

  • Merge request !11146Issue #2670798 by goz, benjifisher, jeroen.b: "nojs"/"ajax" route parameter in... → (Open) created by goz
  • Pipeline finished with Failed
    about 2 months ago
    Total: 195s
    #417816
  • Pipeline finished with Failed
    about 2 months ago
    Total: 171s
    #417817
  • Comment about 2 months ago
    🇫🇷France goz

    goz changed the visibility of the branch 2670798-nojsajax-route-parameter-10.4.x to hidden.

  • Pipeline finished with Failed
    about 2 months ago
    Total: 152s
    #417932
  • Pipeline finished with Success
    about 2 months ago
    Total: 416s
    #417942
  • Pipeline finished with Success
    about 2 months ago
    Total: 336s
    #417956
  • Comment about 2 months ago
    🇫🇮Finland anaconda777

    With 2670798-50.patch I am getting

    Path: /flag/unflag/like/11969/default?destination=/node/6%3Fpage%3D%252C%252C%252C%252C%252C%252C%252C%252C%252C%252C%252C%252C%252C1&token=awoKBYgqrejo2wsK3kmJH7iOzWluofZsoXUmcbeyv0E&_wrapper_format=drupal_ajax. Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: 'csrf_token' URL query argument is invalid. in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 120 of /var/www/html/test/web/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).

    This error comes with views and infinity scroll, and for some of those flags which the views infinity loads after user scrolls down enough that it initiates a load of new content. So the first nodes which have flags are working, but some of the new do not work.

  • Comment about 1 month ago
    dhavalpanchal

    I am adding the patch file instead of using a PR in the composer.json file for PR #11146 in Drupal 10.4.3 with PHP 8.3.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024