php.laravel.security.laravel-blade-form-missing-csrf.laravel-blade-form-missing-csrf
returntocorpAuthor
unknown
Download Count*
License
Detected a form executing a state-changing HTTP method $METHOD to route definition $...ROUTE without a Laravel CSRF decorator or explicit CSRF token implementation. If this form modifies sensitive state this will open your application to Cross-Site Request Forgery (CSRF) attacks.
Run Locally
Run in CI
Defintion
rules:
- id: laravel-blade-form-missing-csrf
message: Detected a form executing a state-changing HTTP method `$METHOD` to
route definition `$...ROUTE` without a Laravel CSRF decorator or explicit
CSRF token implementation. If this form modifies sensitive state this will
open your application to Cross-Site Request Forgery (CSRF) attacks.
severity: WARNING
metadata:
likelihood: LOW
impact: MEDIUM
confidence: LOW
category: security
cwe:
- "CWE-352: Cross-Site Request Forgery (CSRF)"
cwe2021-top25: true
cwe2022-top25: true
owasp:
- A01:2021 - Broken Access Control
references:
- https://laravel.com/docs/9.x/csrf
subcategory:
- audit
technology:
- php
- laravel
- blade
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
languages:
- generic
paths:
include:
- "*.blade.php"
patterns:
- pattern: |
action="$...ROUTE"
- pattern-inside: |
<form ... method="$METHOD" ... >
...
- pattern-not-inside: |
<!-- ... ... ... ... ... ... ... -->
- metavariable-pattern:
metavariable: $...ROUTE
language: generic
patterns:
- pattern-not-regex: \A\s*\Z
- pattern-not: "#"
- metavariable-regex:
metavariable: $METHOD
regex: (?i)(post|put|patch|delete)
- pattern-not-inside: |
<form ...>
...
...
...
@csrf
- pattern-not-inside: |
<form ...>
...
...
...
csrf_field()
- pattern-not-inside: |
<form ...>
...
...
...
csrf_token()
Short Link: https://sg.run/Obyn