Protect google_calendar_service.import_controller route against Denial of Service

Created on 29 March 2025, 6 days ago

Problem/Motivation

It was reported that the route /calendar/all/import is not protected against CSRF attacks. This could lead to a Denial of Service if a user is made to issue many requests to this route, because each request runs the calendar import again, possibly crashing the site.

Steps to reproduce

You can see this vulnerability by:
1. Enabling the module
2. Creating a calendar
3. As an attacker, tricking another user with the "administer search_api" permission into opening this HTML:

<script>window.location = 'http://example.com/calendar/all/import';</script>

4. If the user opens the HTML, an import is triggered without any confirmation.

Proposed resolution

Add the _csrf_token requirement to the route, as suggested here: https://www.drupal.org/docs/8/api/routing-system/access-checking-on-rout...
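As an added example (not the module's own routing file), this is what the routing entry for the route named in this issue looks like with the _csrf_token requirement applied. The path and permission are the ones given in this issue; the controller callable is an assumption.

```yaml
# Added example, not google_calendar_service's actual routing.yml.
# Before the fix the "requirements" block held only _permission, so any
# GET to /calendar/all/import from a logged-in admin's browser, including
# one forced by a cross-site redirect, started a full calendar import.
google_calendar_service.import_controller:
  path: '/calendar/all/import'
  defaults:
    # Assumed controller callable; the real class name is not in the issue.
    _controller: '\Drupal\google_calendar_service\Controller\ImportController::import'
    _title: 'Import calendars'
  requirements:
    _permission: 'administer search_api'
    # Core's CsrfAccessCheck now rejects any request whose ?token= query
    # parameter does not match a token derived from the current session
    # and this route's path, so a forged cross-site request gets 403 and
    # never reaches the import code.
    _csrf_token: 'TRUE'
```

Links to this route must be built with Url::fromRoute('google_calendar_service.import_controller') (or Link::createFromRoute), because core's RouteProcessorCsrf appends the token only to generated URLs; a hard-coded href to /calendar/all/import would now be denied for legitimate users as well.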

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Active

Version

3.0

Component

Code

Created by

danrod (Ottawa, Canada)

Tags

Novice
