
[Security] Missing CSRF Protection - Forms Vulnerable to Cross-Site Request Forgery #689

@anshul23102

Description

API endpoints that modify state (POST, PUT, DELETE) do not validate CSRF tokens. An attacker can craft a malicious webpage that tricks authenticated users into unintentionally performing unwanted actions on the tracker application.

Steps to Reproduce

  1. User logs into tracker application
  2. User visits attacker's website (in same browser session)
  3. Attacker's page contains:
  4. User's browser automatically includes authentication cookies
  5. Repository is deleted without user's knowledge

Environment Information

  • Framework: Express.js
  • State-changing endpoints: POST /api/*, PUT /api/*, DELETE /api/*
  • Authentication: Session cookies
  • Application version: Current main branch

Expected Behavior

All state-modifying requests require CSRF token validation. Tokens should be:

  1. Unique per user session
  2. Verified before processing requests
  3. Invalid if tokens don't match

Actual Behavior

File: backend/routes/*.js
No CSRF token validation on POST/PUT/DELETE endpoints.

Code Reference

File: backend/server.js
Missing: csrf middleware from packages like csurf

Additional Context

Add CSRF protection middleware:

const csrf = require('csurf');
// csurf must be registered after session (or cookie-parser) middleware or it throws "misconfigured csrf";
// note the csurf package is deprecated upstream, so a maintained alternative may be preferable.
app.use(csrf());

Include token in forms and validate on submission.

GSSoC Points Estimate: Level 2 (Security/CSRF)

Suggested Labels

  • gssoc:approved

  • type:bug

  • severity:high

  • area:security

  • Searched existing issues, not a duplicate

  • Read CONTRIBUTING.md guidelines

  • Read README and understand project scope

  • Provided clear reproduction steps

  • Provided environment information

  • Described expected vs. actual clearly
