Add realtime compiler dashboard CSRF protection#1454
Merged
emmadesilva merged 17 commits intomasterfrom Nov 13, 2023
Merged
Conversation
Codecov Report
@@ Coverage Diff @@
## master #1454 +/- ##
=============================================
Coverage 100.00% 100.00%
- Complexity 1728 3456 +1728
=============================================
Files 180 360 +180
Lines 4693 9386 +4693
=============================================
+ Hits 4693 9386 +4693 |
emmadesilva
changed the title
emmadesilva
force-pushed
the
realtime-compiler-security
branch
from
e8b7ffd to
3f3cc54
Compare
…op into realtime-compiler-security
emmadesilva
force-pushed
the
realtime-compiler-security
branch
from
400bb2d to
f06ff3a
Compare
This reverts commit 8ee7f57af9d94f9feb00ed4993174954081fc623.
These expire with the session anyways, and expiring them manually means only one dashboard action works per page reload which is not helpful.
We probably don't need this
Makes it more readable but has same semantics
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
While we make it clear that the realtime compiler is only intended to be used for local development (as it uses the built in PHP server, which is not designed for public use, as per the manual), since it does allow access to the file system I felt it responsible to at least add some CSRF protection to the dashboard forms. Also extracts a base class while I'm at it.
I ran benchmarks, and adding the session has a negligible performance impact of about
2.5seconds for10 000requests, and that's only for the dashboard page.