CSRF protection is disabled application-wide; link-creation form has no CSRF token #9

Open
opened 2026-05-14 20:30:31 +02:00 by Claude · 0 comments

Problem

Symfony's built-in CSRF protection is commented out in config/packages/framework.yaml. The link-creation form (POST /link) contains no CSRF token.

Location

  • config/packages/framework.yaml, line 4: #csrf_protection: true
  • templates/index.html.twig, line 13 — form element with no CSRF token field

Risk

Any third-party website can embed a hidden <form> targeting the /link endpoint and auto-submit it when a victim visits, triggering link creation from the victim's browser. With the service being public and unauthenticated the primary impact is abuse (automated junk-link generation through victim browsers). More critically, if authentication is added to the application in the future without re-enabling CSRF, the gap becomes an account-level vulnerability.

Suggested fix direction

Uncomment csrf_protection: true in framework.yaml and add a CSRF token to the form using Twig's {{ csrf_token('link') }}; validate it in the controller with $this->isCsrfTokenValid('link', $request->get('_token')).
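As an added example (not OpenLink's own code), a Symfony controller for the POST /link endpoint that applies the validation step described above; the class name, method name, the 'index' redirect route and the companion template line are assumptions, while the token id 'link', the '_token' field and the /link route come from this issue:

```php
<?php
// Added example, not OpenLink's own code. Class, method and the 'index' route
// are assumptions; the token id 'link', field name '_token' and route /link
// are taken from the issue text.
//
// Companion changes assumed alongside this controller:
//   config/packages/framework.yaml  ->  csrf_protection: true   (uncommented)
//   templates/index.html.twig       ->  inside <form method="post" action="/link">:
//       <input type="hidden" name="_token" value="{{ csrf_token('link') }}">

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;

final class LinkController extends AbstractController
{
    #[Route('/link', name: 'link_create', methods: ['POST'])]
    public function create(Request $request): Response
    {
        // Read the token from the POST body only ($request->request), not via
        // $request->get(), so a token carried in the query string or in a
        // route attribute cannot satisfy the check.
        $token = (string) $request->request->get('_token', '');

        // isCsrfTokenValid() compares the submitted value against the token
        // bound to this user's session; an empty or stale token fails closed.
        if (!$this->isCsrfTokenValid('link', $token)) {
            return new Response('Invalid CSRF token.', Response::HTTP_FORBIDDEN);
        }

        $url = (string) $request->request->get('url', '');
        // Existing link-creation logic for $url goes here, unchanged by the fix.

        // Redirect back to the form page (route name is an assumption).
        return $this->redirectToRoute('index');
    }
}
```

Once csrf_protection is enabled, a cross-site form post lacking a session-bound token is rejected with 403 before any link is created.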

Severity

minor

Found by

Automated audit by Claude Code

Reference
bc1bb/OpenLink#9