Security issue: read-only canned queries leak CSRF token in URL

[simonw]

The HTML form for a read-only canned query includes the hidden CSRF token field added in #798 for writable canned queries (#698).

This means that submitting those read-only forms exposes the CSRF token in the URL - for example on https://latest.datasette.io/fixtures/neighborhood_search submitting the form took me to:

https://latest.datasette.io/fixtures/neighborhood_search?text=down&csrftoken=IlFubnoxVVpLU1NGT3NMVUoi.HbOPd2YH_epQmp8f_aAt0s-MxtU

This token could potentially leak to an attacker if the resulting page has a link to an external site on it and the user clicks the link, since the token would be exposed in the referral logs.

[simonw]

Fix has been released in Datasette 0.46: https://datasette.readthedocs.io/en/latest/changelog.html#v0-46

[simonw]

It's worth noting that in order to exploit this issue the following would all need to be true:

• A user is running a copy of Datasette protected by a cookie-based authentication plugin AND configured with at least one writable canned query
• An attacker is in control of a URL that could concievably be returned on a page that is displayed as the result of submitting a read-only canned query
• An authenticated user of that Datasette instance, who is running a browser that doesn't support the SameSite=lax cookie parameter (which is widely supported by modern browsers), submits the read-only canned query form and then clicks a link to the attacker's off-site page, exposing their CSRFToken in the attacker's HTTP referer logs
• The attacker then tricks that user into visiting their own malicious web page which includes a POST form that auto-submits against the writable canned query that the attacker wishes to exploit, including the CSRF token as a hidden field

The attacker would need full knowledge of the URL and form layout of the Datasette instance that they are exploiting.

[simonw]

Submitting the form on https://latest.datasette.io/fixtures/neighborhood_search demonstrates that this is fixed.

[simonw]

GitHub security advisory: GHSA-q6j3-c4wc-63vw