Layout Builder move block and add section routes vulnerable to CSRF

Created on 19 October 2023, about 1 year ago
Updated 8 January 2024, 12 months ago

Problem/Motivation

This was originally logged as a private issue to the security team, but was cleared to be moved to the public queue.

Drupal Core's Layout Builder module has a mild CSRF vulnerability.

This is only a mild nuisance because exploiting it would also require the victim to save the layout, committing the changes held in the tempstore. That action is behind a form and hence not vulnerable to CSRF.

Steps to reproduce

1. Enable the Layout Builder module.
2. As a malicious user, craft a URL that matches the layout_builder.move_block route, i.e. '/layout_builder/move/block/{section_storage_type}/{section_storage}/{delta_from}/{delta_to}/{region_to}/{block_uuid}/{preceding_block_uuid}'.
3. Trick a user who has the ability to view the layout builder for the given storage type (defaults or overrides) and storage (a view display or a specific entity) into loading that URL.
4. Note that the block is moved in the tempstore for the given layout.
5. The route layout_builder.add_section has the same issue.
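
The defence Drupal offers for state-changing GET routes is a CSRF token bound to the route path, which the two routes above do not require. The following is an added example, not Drupal core code and not the fix for this issue: it models core's CsrfTokenGenerator and CsrfAccessCheck in a stand-alone script, using the move_block path from step 2 with constructed parameter values, session seed and private key, and shows why a cross-site link without the token is refused.

```php
<?php
// Added example, not Drupal core code: a simplified model of how Drupal binds a
// CSRF token to a route path (cf. core's CsrfTokenGenerator and CsrfAccessCheck).
// A route that changes state on a plain GET, such as layout_builder.move_block
// above, needs `_csrf_token: 'TRUE'` in its requirements; Url::fromRoute() then
// appends ?token=... for the legitimate user, and a cross-site forged link lacks it.
declare(strict_types=1);

final class SimpleCsrfToken {
  // Drupal keys the HMAC with a per-session seed plus the site private key;
  // both values used below are constructed placeholders.
  public function __construct(private string $sessionSeed, private string $privateKey) {}

  public function get(string $value): string {
    $hmac = hash_hmac('sha256', $value, $this->sessionSeed . $this->privateKey, TRUE);
    return rtrim(strtr(base64_encode($hmac), '+/', '-_'), '=');
  }

  public function validate(string $token, string $value): bool {
    return hash_equals($this->get($value), $token);
  }
}

// Route path with the raw parameters substituted: the value the token is bound to,
// so a token minted for one block or section cannot be replayed against another.
function routePath(array $route, array $rawParams): string {
  $path = ltrim($route['path'], '/');
  foreach ($rawParams as $name => $value) {
    $path = str_replace('{' . $name . '}', (string) $value, $path);
  }
  return $path;
}

// Mirrors CsrfAccessCheck: without the requirement any GET is accepted (the bug above).
function csrfRouteAccess(SimpleCsrfToken $csrf, array $route, array $rawParams, array $query): bool {
  if (($route['requirements']['_csrf_token'] ?? 'FALSE') !== 'TRUE') {
    return TRUE;
  }
  return isset($query['token']) && $csrf->validate((string) $query['token'], routePath($route, $rawParams));
}

$route = [
  'path' => '/layout_builder/move/block/{section_storage_type}/{section_storage}'
    . '/{delta_from}/{delta_to}/{region_to}/{block_uuid}/{preceding_block_uuid}',
  'requirements' => ['_csrf_token' => 'TRUE'],  // the hardening modelled here; core's own fix may differ
];
$params = ['section_storage_type' => 'overrides', 'section_storage' => 'node.1',
  'delta_from' => 0, 'delta_to' => 1, 'region_to' => 'content',
  'block_uuid' => 'constructed-uuid-a', 'preceding_block_uuid' => 'constructed-uuid-b'];
$csrf = new SimpleCsrfToken('constructed-session-seed', 'constructed-private-key');
$withToken = ['token' => $csrf->get(routePath($route, $params))];  // as Url::fromRoute() would add
var_dump(csrfRouteAccess($csrf, $route, $params, $withToken));
var_dump(csrfRouteAccess($csrf, $route, $params, []));  // a forged cross-site link carries no token
```

Run with `php`: the request carrying the server-generated token passes the check, while the one without it is denied, and changing any path parameter invalidates the token.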

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

๐Ÿ› Bug report
Status

Needs work

Version

11.0 🔥

Component
Layout builder

Last updated 4 days ago

Created by

larowlan (Australia, GMT+10)

Tags

  • Security improvements
  • Needs tests
