Fix CSRF vulnerability in project creation endpoint

fixes/README.md

@@ -0,0 +1,179 @@
+# CSRF Vulnerability Fix for AIxBlock
+
+## 🚨 Critical Security Fix
+
+This directory contains the fix for a **CRITICAL CSRF VULNERABILITY** discovered in the AIxBlock application.
+
+### Vulnerability Summary
+- **Endpoint**: `POST /api/projects/`
+- **Impact**: Attackers can create projects on behalf of authenticated users
+- **CVSS Score**: 8.8 (HIGH)
+- **Status**: Fixed with enhanced CSRF protection middleware
+
+## Files Included
+
+### 1. `csrf-protection-middleware.py`
+Enhanced CSRF protection middleware that:
+- Validates CSRF tokens for all state-changing requests
+- Provides clear error messages for validation failures
+- Logs CSRF violations for security monitoring
+- Supports both header and cookie-based CSRF tokens
+
+### 2. `README.md` (this file)
+Implementation instructions and documentation
+
+## Implementation Steps
+
+### Step 1: Add Middleware to Django Settings
+
+Add the CSRF protection middleware to your `settings.py`:
+
+```python
+MIDDLEWARE = [
+    'django.middleware.security.SecurityMiddleware',
+    'django.contrib.sessions.middleware.SessionMiddleware',
+    'django.middleware.common.CommonMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',  # Keep Django's built-in CSRF
+    'path.to.csrf_protection_middleware.CSRFProtectionMiddleware',  # Add our enhanced middleware
+    'django.contrib.auth.middleware.AuthenticationMiddleware',
+    'django.contrib.messages.middleware.MessageMiddleware',
+    'django.middleware.clickjacking.XFrameOptionsMiddleware',
+]
+```
+
+### Step 2: Configure CSRF Settings
+
+Add these security settings to your `settings.py`:
+
+```python
+# Enhanced CSRF security settings
+CSRF_COOKIE_SECURE = True  # Only send CSRF cookie over HTTPS
+CSRF_COOKIE_HTTPONLY = False  # Allow JavaScript access for AJAX requests
+CSRF_COOKIE_SAMESITE = 'Strict'  # Prevent CSRF from other sites
+CSRF_USE_SESSIONS = True  # Store CSRF token in session instead of cookie
+CSRF_FAILURE_VIEW = 'django.views.csrf.csrf_failure'  # Custom failure view
+```
+
+### Step 3: Update Frontend Code
+
+Ensure your frontend includes CSRF tokens in all state-changing requests:
+
+```javascript
+// Get CSRF token from cookie
+function getCSRFToken() {
+    const name = 'csrftoken';
+    let cookieValue = null;
+    if (document.cookie && document.cookie !== '') {
+        const cookies = document.cookie.split(';');
+        for (let i = 0; i < cookies.length; i++) {
+            const cookie = cookies[i].trim();
+            if (cookie.substring(0, name.length + 1) === (name + '=')) {
+                cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
+                break;
+            }
+        }
+    }
+    return cookieValue;
+}
+
+// Example project creation with CSRF protection
+async function createProject(projectData) {
+    const csrfToken = getCSRFToken();
+
+    const response = await fetch('/api/projects/', {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'X-CSRFToken': csrfToken,
+        },
+        body: JSON.stringify(projectData),
+    });
+
+    if (!response.ok) {
+        throw new Error('Failed to create project');
+    }
+
+    return response.json();
+}
+```
+
+### Step 4: Test the Implementation
+
+Run the included test utilities to verify the fix:
+
+```python
+# Run the test suite
+python csrf-protection-middleware.py
+```
+
+## Testing the Fix
+
+### Before Fix (Vulnerable)
+```bash
+# This request should succeed (vulnerable)
+curl -s -X POST -H "Content-Type: application/json" \
+  -H "Cookie: sessionid=valid_session; csrftoken=valid_token" \
+  -H "X-CSRFToken: INVALID_TOKEN" \
+  -d '{"title":"CSRF_TEST"}' \
+  "https://app.aixblock.io/api/projects/"
+# Response: 200 OK (VULNERABLE)
+```
+
+### After Fix (Protected)
+```bash
+# This request should fail (protected)
+curl -s -X POST -H "Content-Type: application/json" \
+  -H "Cookie: sessionid=valid_session; csrftoken=valid_token" \
+  -H "X-CSRFToken: INVALID_TOKEN" \
+  -d '{"title":"CSRF_TEST"}' \
+  "https://app.aixblock.io/api/projects/"
+# Response: 403 Forbidden (PROTECTED)
+```
+
+## Security Benefits
+
+1. **Prevents CSRF Attacks**: Blocks unauthorized state-changing requests
+2. **Clear Error Messages**: Provides helpful feedback for debugging
+3. **Security Logging**: Logs all CSRF violations for monitoring
+4. **Flexible Configuration**: Supports various authentication methods
+5. **Performance Optimized**: Uses compiled regex patterns for efficiency
+
+## Monitoring and Alerting
+
+The middleware logs all CSRF validation failures. Set up monitoring for:
+
+```python
+# Log pattern to monitor
+"CSRF validation failed for {method} {path} from IP {ip}"
+```
+
+## Rollback Plan
+
+If issues arise, you can temporarily disable the middleware by commenting it out:
+
+```python
+MIDDLEWARE = [
+    'django.middleware.security.SecurityMiddleware',
+    'django.contrib.sessions.middleware.SessionMiddleware',
+    'django.middleware.common.CommonMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
+    # 'path.to.csrf_protection_middleware.CSRFProtectionMiddleware',  # Temporarily disabled
+    'django.contrib.auth.middleware.AuthenticationMiddleware',
+    'django.contrib.messages.middleware.MessageMiddleware',
+    'django.middleware.clickjacking.XFrameOptionsMiddleware',
+]
+```
+
+## Support
+
+For questions or issues with this fix, please:
+1. Check the Django CSRF documentation
+2. Review the middleware logs for specific error messages
+3. Test with the included test utilities
+4. Contact the security team if needed
+
+## References
+
+- [OWASP CSRF Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)
+- [Django CSRF Protection](https://docs.djangoproject.com/en/stable/ref/csrf/)
+- [CSRF Token Best Practices](https://owasp.org/www-community/attacks/csrf)