fix: short-circuits on any truthy non-boolean in withXSRFToken #10762

Merged
jasonsaayman merged 2 commits into v1.x from fix/axi-205-xsrf-token-cross-origin-leakage-via-prototype-pollution
Apr 19, 2026

Conversation

@jasonsaayman
Member

@jasonsaayman jasonsaayman commented Apr 19, 2026

Summary by cubic

Fixes XSRF token leakage by requiring withXSRFToken === true for cross-origin requests; otherwise the token only sends for same-origin. Adds browser tests to block truthy non-boolean values and prototype pollution (AXI-205).

Description

  • Summary of changes
    • In lib/helpers/resolveConfig.js, compute a strict shouldSendXSRF boolean.
    • Send XSRF header only when withXSRFToken === true, or when withXSRFToken is null/undefined and the URL is same-origin.
  • Reasoning
    • Prevent cross-origin leakage via truthy non-boolean values and Object.prototype pollution (GHSA-xx6v-rp6x-q39c).
  • Additional context
    • Aligns with AXI-205.
    • Synced with latest v1.x (no functional changes).

Docs

Please update /docs/ to clarify withXSRFToken:

  • Only true forces sending the token cross-origin.
  • Non-boolean values are ignored.
  • Default (undefined) sends only on same-origin.

Testing

  • Added browser tests in tests/browser/xsrf.browser.test.js to:
    • Block cross-origin sends for truthy non-booleans and polluted Object.prototype.
    • Keep behavior for withXSRFToken === true cross-origin and default same-origin.
  • No other test changes needed.

Semantic version impact

Patch: security bug fix with no API changes.

Written for commit bf3a288. Summary will update on new commits.
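The decision rule described above, as an added example that is not part of this PR and not axios's own resolveConfig.js: a "before" sketch of the truthiness check the PR title refers to, beside the strict rule the PR states (send only on `withXSRFToken === true`, or on null/undefined when the URL is same-origin). The page origin, the `isSameOrigin` helper, the sample URLs, the `shouldSendXSRF*` function names and the polluted-prototype scenario are constructed for this example; function-valued `withXSRFToken` options are not modelled.

```javascript
// Added example: a simplified, self-contained model of the XSRF decision this
// PR describes. It is NOT axios's resolveConfig.js. PAGE_ORIGIN, isSameOrigin,
// the sample URLs and the shouldSendXSRF* functions are assumptions of the
// example; function-valued withXSRFToken options are not modelled.

// Origin of the page the browser is on (constructed value).
const PAGE_ORIGIN = 'https://app.example';

// Resolve the request URL (relative or absolute) against the page origin and
// compare origins (scheme + host + port), as a browser would.
function isSameOrigin(url, pageOrigin = PAGE_ORIGIN) {
  return new URL(url, pageOrigin).origin === pageOrigin;
}

// BEFORE (sketch of the truthiness-based check the PR title describes): any
// truthy withXSRFToken value short-circuits the same-origin check, so 'false',
// 1, {} or a value inherited from a polluted Object.prototype all send the
// token cross-origin.
function shouldSendXSRFBefore(config) {
  const { url, withXSRFToken } = config;
  return Boolean(withXSRFToken || (withXSRFToken !== false && isSameOrigin(url)));
}

// AFTER (the rule stated in the PR): send only on an explicit `true`, or when
// the option is null/undefined and the URL is same-origin. Every other value,
// including anything a polluted prototype supplies, is ignored.
function shouldSendXSRFAfter(config) {
  const { url, withXSRFToken } = config;
  if (withXSRFToken === true) return true;
  if (withXSRFToken === null || withXSRFToken === undefined) return isSameOrigin(url);
  return false;
}

// Constructed request URLs: one relative (resolves to PAGE_ORIGIN), one to a
// different origin.
const SAME_ORIGIN_URL = '/v1/account';
const CROSS_ORIGIN_URL = 'https://api.third-party.example/v1/account';

function evaluate(config) {
  return { before: shouldSendXSRFBefore(config), after: shouldSendXSRFAfter(config) };
}

// Runs the cases the PR's browser tests cover and returns {before, after} per
// case, so a leak (before: true, after: false) is visible side by side.
function runScenarios() {
  const results = {
    defaultSameOrigin:       evaluate({ url: SAME_ORIGIN_URL }),
    defaultCrossOrigin:      evaluate({ url: CROSS_ORIGIN_URL }),
    explicitTrueCrossOrigin: evaluate({ url: CROSS_ORIGIN_URL, withXSRFToken: true }),
    explicitFalseSameOrigin: evaluate({ url: SAME_ORIGIN_URL, withXSRFToken: false }),
    stringFalseCrossOrigin:  evaluate({ url: CROSS_ORIGIN_URL, withXSRFToken: 'false' }),
    numberOneCrossOrigin:    evaluate({ url: CROSS_ORIGIN_URL, withXSRFToken: 1 }),
  };
  // Prototype pollution: the config has no own withXSRFToken property, but a
  // polluted Object.prototype supplies a truthy one through the lookup chain.
  Object.prototype.withXSRFToken = 'polluted';
  try {
    results.pollutedCrossOrigin = evaluate({ url: CROSS_ORIGIN_URL });
  } finally {
    delete Object.prototype.withXSRFToken; // always undo the pollution
  }
  return results;
}

console.table(runScenarios());
```

The strict comparison is the whole fix: `=== true` accepts neither `'true'`, `1` nor an object, and a polluted prototype can only leak if it supplies the literal boolean `true`, which is why the PR's tests pollute the prototype with non-boolean values. The `finally` block restores `Object.prototype` so the pollution does not outlive the scenario.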

@jasonsaayman jasonsaayman self-assigned this Apr 19, 2026
@jasonsaayman jasonsaayman added priority::medium A medium priority commit::fix The PR is related to a bugfix type::security The PR is a security related change normally from a CVE labels Apr 19, 2026
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 2 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

@jasonsaayman jasonsaayman merged commit 1728aa1 into v1.x Apr 19, 2026
25 checks passed
@jasonsaayman jasonsaayman deleted the fix/axi-205-xsrf-token-cross-origin-leakage-via-prototype-pollution branch April 19, 2026 14:24