
Under certain conditions, disabling CSRF for a route doesn't work (Debugging included) #6838

Open
kinsi55 opened this issue Aug 13, 2019 · 5 comments

Comments

@kinsi55

kinsi55 commented Aug 13, 2019

Node version: 8
Sails version (sails): 1.2.3


In

var path = routeInfo.original.toLowerCase();

Due to the path being lowercased, if you have a RegEx pattern with uppercased letters, it will then fail to properly match against a given request URL further down and thus always return Forbidden.

return req.path.match(blacklistedRoute.regex) && (!blacklistedRoute.method || blacklistedRoute.method === req.method.toLowerCase());

I'm not sure if there would be any regressions from removing the .toLowerCase(), but certainly this shouldn't be desired behaviour.

@sailsbot

@kinsi55 Thanks for posting! We'll take a look as soon as possible.

In the meantime, there are a few ways you can help speed things along:

  • look for a workaround. (Even if it's just temporary, sharing your solution can save someone else a lot of time and effort.)
  • tell us why this issue is important to you and your team. What are you trying to accomplish? (Submissions with a little bit of human context tend to be easier to understand and faster to resolve.)
  • make sure you've provided clear instructions on how to reproduce the bug from a clean install.
  • double-check that you've provided all of the requested version and dependency information. (Some of this info might seem irrelevant at first, like which database adapter you're using, but we ask that you include it anyway. Oftentimes an issue is caused by a confluence of unexpected factors, and it can save everybody a ton of time to know all the details up front.)
  • read the code of conduct.
  • if appropriate, ask your business to sponsor your issue. (Open source is our passion, and our core maintainers volunteer many of their nights and weekends working on Sails. But you only get so many nights and weekends in life, and stuff gets done a lot faster when you can work on it during normal daylight hours.)
  • let us know if you are using a 3rd party plugin; whether that's a database adapter, a non-standard view engine, or any other dependency maintained by someone other than our core team. (Besides the name of the 3rd party package, it helps to include the exact version you're using. If you're unsure, check out this list of all the core packages we maintain.)

Please remember: never post in a public forum if you believe you've found a genuine security vulnerability. Instead, disclose it responsibly.

For help with questions about Sails, click here.

@whichking
Contributor

Hey, @kinsi55—any chance you could create a simple repo that reproduces this error? Thanks!

@whichking whichking added the repro please Could you reproduce this in a repository for us? label Aug 26, 2019
@sailsbot sailsbot removed the repro please Could you reproduce this in a repository for us? label Aug 26, 2019
@kinsi55
Author

kinsi55 commented Aug 26, 2019

Never mind the previous comment; that was related to my PR, I mixed it up.

I don't have the time to set up a repo for this right now, but the way you can repro it is by having a route like this:

    // config/routes.js (the route from the report, shown in its config file)
    module.exports.routes = {
      'post r|/CAPS/(.+)$|foo': {
        action: 'anything',
        csrf: false
      }
    };

Trying to post to /CAPS/foo will then still require CSRF.
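To make the original report and the repro above concrete, here is an added model of the blacklist check (not Sails' own code): it parses a `csrf: false` regex route address, once with the whole address lowercased as the quoted line does and once lowercasing only the method, and runs the quoted `req.path.match(...)` check against a constructed POST to /CAPS/foo. The `'method r|pattern|names'` address syntax and the `req` shape are assumptions based on the route and check shown in the thread.

```javascript
// Added illustration, not code from the Sails repository.
// Split a regex route address such as 'post r|/CAPS/(.+)$|foo' into
// its optional HTTP method and the regex source (assumed syntax).
function parseRouteAddress(address) {
  const m = address.match(/^(?:(\w+)\s+)?r\|(.+)\|([^|]*)$/);
  if (!m) throw new Error('not a regex route address: ' + address);
  // Lowercasing the method alone is harmless; the pattern must stay intact.
  return { method: m[1] ? m[1].toLowerCase() : null, pattern: m[2] };
}

// Build the blacklist entry. With lowercaseAddress=true the whole address
// is lowercased before compiling (the behaviour reported in the issue), so
// '/CAPS/(.+)$' silently becomes '/caps/(.+)$'.
function buildBlacklistEntry(address, lowercaseAddress) {
  const src = lowercaseAddress ? address.toLowerCase() : address;
  const { method, pattern } = parseRouteAddress(src);
  return { method, regex: new RegExp(pattern) };
}

// The check quoted in the report: exempt from CSRF only when the path
// matches the compiled regex and the method (if restricted) matches.
function isCsrfExempt(entry, req) {
  return Boolean(req.path.match(entry.regex)) &&
    (!entry.method || entry.method === req.method.toLowerCase());
}

// Convenience wrappers for the two variants.
function exemptWithBug(address, req) {
  return isCsrfExempt(buildBlacklistEntry(address, true), req);
}
function exemptWithFix(address, req) {
  return isCsrfExempt(buildBlacklistEntry(address, false), req);
}

// Constructed request matching the repro: POST /CAPS/foo.
const sampleReq = { method: 'POST', path: '/CAPS/foo' };
const sampleAddress = 'post r|/CAPS/(.+)$|foo';
console.log('exempt with bug:', exemptWithBug(sampleAddress, sampleReq));   // false
console.log('exempt with fix:', exemptWithFix(sampleAddress, sampleReq));   // true
```

The defect fails closed: the mismatched entry leaves the route protected and the request gets Forbidden, as the report describes, rather than exposing an unprotected route.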

@johnabrams7
Contributor

johnabrams7 commented Aug 28, 2019

@kinsi55
We were able to reproduce this and were able to actually hit the route if we changed the CAPS to lowercased characters. We're going to further investigate what the deal is with .toLowerCase() and any true regressions for working around it to allow CAPS in the RegEx patterns as well.

@rachaelshaw rachaelshaw added the has pr There is an open pull request (in this repo or elsewhere) related to this issue. label Sep 9, 2019
@whichking
Contributor

Hey, @kinsi55!
We've created a patch for this issue. It's not yet been published, but if you want to test it out, feel free to access it here on GitHub (see above).

@rachaelshaw rachaelshaw removed the has pr There is an open pull request (in this repo or elsewhere) related to this issue. label Sep 15, 2019