Require CSRF token for action=scribunto-console

legoktm · jenkins-bot · commit 0f2585244cbd · 2022-10-05T14:38:50.000Z
This is basically unexploitable, given that Scribunto sessions are
"extremely ephemeral", protected by a 31-bit non-cryptographically
random token and generally contain very little useful data.

But, requiring a CSRF token is a best practice and since this module
is internal and only used in one place, it's also unlikely to break
anything. Because it needs a token, the module is POST-only now too.

Bug: T212071
Change-Id: I7fb6b4f856ee6194eb37c26e14f178fea6c0a3f6
diff --git a/includes/ApiScribuntoConsole.php b/includes/ApiScribuntoConsole.php
@@ -145,6 +145,10 @@ protected function newSession() {
 		];
 	}
 
+	public function needsToken() {
+		return 'csrf';
+	}
+
 	public function isInternal() {
 		return true;
 	}
diff --git a/modules/ext.scribunto.edit.js b/modules/ext.scribunto.edit.js
@@ -280,7 +280,7 @@
 		api = new mw.Api();
 		setPending();
 
-		api.post( params )
+		api.postWithToken( 'csrf', params )
 			.done( function ( result ) {
 				if ( result.sessionIsNew === '' && !sentContent ) {
 					// Session was lost. Resend query, with content

Original file line number	Diff line number	Diff line change
`@@ -145,6 +145,10 @@ protected function newSession() {`
`145`	`145`	`];`
`146`	`146`	`}`
`147`	`147`
	`148`	`+ public function needsToken() {`
	`149`	`+ return 'csrf';`
	`150`	`+ }`
	`151`	`+`
`148`	`152`	`public function isInternal() {`
`149`	`153`	`return true;`
`150`	`154`	`}`