php.laravel.security.laravel-blade-form-missing-csrf.laravel-blade-form-missing-csrf

profile photo of semgrepsemgrep
Author
unknown
Download Count*

Detected a form executing a state-changing HTTP method $METHOD to route definition $...ROUTE without a Laravel CSRF decorator or explicit CSRF token implementation. If this form modifies sensitive state this will open your application to Cross-Site Request Forgery (CSRF) attacks.

Run Locally

Run in CI

Defintion

rules:
  - id: laravel-blade-form-missing-csrf
    message: Detected a form executing a state-changing HTTP method `$METHOD` to
      route definition `$...ROUTE` without a Laravel CSRF decorator or explicit
      CSRF token implementation. If this form modifies sensitive state this will
      open your application to Cross-Site Request Forgery (CSRF) attacks.
    severity: WARNING
    metadata:
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      category: security
      cwe:
        - "CWE-352: Cross-Site Request Forgery (CSRF)"
      cwe2021-top25: true
      cwe2022-top25: true
      owasp:
        - A01:2021 - Broken Access Control
      references:
        - https://laravel.com/docs/9.x/csrf
      subcategory:
        - audit
      technology:
        - php
        - laravel
        - blade
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site Request Forgery (CSRF)
    languages:
      - generic
    paths:
      include:
        - "*.blade.php"
    patterns:
      - pattern: |
          action="$...ROUTE"
      - pattern-inside: |
          <form ... method="$METHOD" ... >
          ...
      - pattern-not-inside: |
          <!-- ... ... ... ... ... ... ... -->
      - metavariable-pattern:
          metavariable: $...ROUTE
          language: generic
          patterns:
            - pattern-not-regex: \A\s*\Z
            - pattern-not: "#"
      - metavariable-regex:
          metavariable: $METHOD
          regex: (?i)(post|put|patch|delete)
      - pattern-not-inside: |
          <form ...>
          ...
          ...
          ...
          @csrf
      - pattern-not-inside: |
          <form ...>
          ...
          ...
          ...
          csrf_field()
      - pattern-not-inside: |
          <form ...>
          ...
          ...
          ...
          csrf_token()