CSRF protection disabled on export endpoints with side effects #171

New Issue

Closed

opened 2026-04-10 16:04:10 +02:00 by shahondin1624 · 0 comments

shahondin1624 commented 2026-04-10 16:04:10 +02:00

Owner

Copy Link

Copy Source

Severity: LOW

Location

All controllers using #[NoCSRFRequired] on GET endpoints

Description

#[NoCSRFRequired] is appropriately used on GET (read-only) endpoints. However, some export/download endpoints that trigger actions or side effects also have this attribute (e.g., DSGVO export, report PDF downloads). This is standard Nextcloud practice for download endpoints but worth noting.

Recommendation

Verify that all #[NoCSRFRequired] endpoints are truly side-effect-free or require explicit user action.

## Severity: LOW ## Location All controllers using `#[NoCSRFRequired]` on GET endpoints ## Description `#[NoCSRFRequired]` is appropriately used on GET (read-only) endpoints. However, some export/download endpoints that trigger actions or side effects also have this attribute (e.g., DSGVO export, report PDF downloads). This is standard Nextcloud practice for download endpoints but worth noting. ## Recommendation Verify that all `#[NoCSRFRequired]` endpoints are truly side-effect-free or require explicit user action.

shahondin1624 added the backendsecuritypriority:low labels 2026-04-10 16:04:10 +02:00

shahondin1624 referenced this issue from a commit 2026-04-10 18:50:07 +02:00

security: enforce CSRF protection on POST/DELETE export endpoints (Closes #171)

shahondin1624 referenced a pull request that will close this issue 2026-04-10 18:50:15 +02:00

security: enforce CSRF protection on POST/DELETE export endpoints (Closes #171) #187

shahondin1624 closed this issue 2026-04-10 18:50:26 +02:00

shahondin1624 referenced this issue from a commit 2026-04-10 18:50:26 +02:00

security: enforce CSRF protection on POST/DELETE export endpoints (Closes #171)

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/duplicate-sync-methods

fix/missing-database-transactions

fix/find-archived-filtering-in-memory

fix/n-plus-one-queries-member-list

v0.5.2

v0.3.2

v0.3.1

v0.3.0

v0.2.11

v0.2.10

v0.2.9

v0.2.8

v0.2.7

v0.2.6

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

Labels

Clear labels

backend

Backend / PHP work

bug

Bug report

database

Database migrations and schema

documentation

Documentation

enhancement

Enhancement or improvement

epic

Epic / feature-group issues

frontend

Frontend / Vue.js work

integration

Nextcloud integrations (Calendar, Contacts, Files)

priority:high

High priority

priority:low

Low priority

priority:medium

Medium priority

security

Security-related work

testing

Tests and test infrastructure

No Label backend priority:low security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

shahondin1624

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: shahondin1624/Mitgliederverwaltung#171