From 16d0c08347692eba759903b12f8f192406022d39 Mon Sep 17 00:00:00 2001
From: Connor Nelson
Date: Fri, 10 May 2024 08:57:17 -0700
Subject: [PATCH 1/2] Workspace: Forward all standard HTTP request methods (#409)
---
 dojo_plugin/pages/workspace.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dojo_plugin/pages/workspace.py b/dojo_plugin/pages/workspace.py
index ec8c56a86..be20fe3e4 100644
--- a/dojo_plugin/pages/workspace.py
+++ b/dojo_plugin/pages/workspace.py
@@ -91,8 +91,8 @@ def view_workspace(service):
 @workspace.route("/workspace//", websocket=True)
 @workspace.route("/workspace//", websocket=True)
-@workspace.route("/workspace//")
-@workspace.route("/workspace//")
+@workspace.route("/workspace//", methods=["GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"])
+@workspace.route("/workspace//", methods=["GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"])
 @authed_only
 def forward_workspace(service, service_path=""):
 prefix = f"/workspace/{service}/"
From 01f0343a5bb0d1d6ec48c37b3a659e300fcea56e Mon Sep 17 00:00:00 2001
From: Connor Nelson
Date: Fri, 10 May 2024 09:14:08 -0700
Subject: [PATCH 2/2] Workspace: Bypass CSRF
---
 dojo_plugin/pages/workspace.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/dojo_plugin/pages/workspace.py b/dojo_plugin/pages/workspace.py
index be20fe3e4..e07a9ccc0 100644
--- a/dojo_plugin/pages/workspace.py
+++ b/dojo_plugin/pages/workspace.py
@@ -4,6 +4,7 @@ from CTFd.models import Users
 from CTFd.utils.user import get_current_user, is_admin
 from CTFd.utils.decorators import authed_only
+from CTFd.plugins import bypass_csrf_protection
 from ..models import Dojos
 from ..utils import random_home_path, redirect_user_socket, get_current_container
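Review bot: In PATCH 1/2 the method list on the two `forward_workspace` route decorators includes `CONNECT` and `TRACE`, which a path-based forwarder to a workspace service is unlikely to need; TRACE in particular is commonly disabled because a backend that implements it reflects the forwarded request headers. Unless a service depends on them, I would drop both and hoist the list into one constant so the two decorators cannot drift: `FORWARDED_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"]` with `methods=FORWARDED_METHODS` on each route. Listing `OPTIONS` explicitly also turns off Flask's automatic OPTIONS response for these routes, so preflight requests now reach the view; a one-line comment saying that is intended would help. The body of `forward_workspace` continues outside the hunk, so how the request is handed to the service is not visible here.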
@@ -94,6 +95,7 @@ def view_workspace(service):
 @workspace.route("/workspace//", methods=["GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"])
 @workspace.route("/workspace//", methods=["GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"])
 @authed_only
+@bypass_csrf_protection
 def forward_workspace(service, service_path=""):
 prefix = f"/workspace/{service}/"
 assert request.full_path.startswith(prefix)
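Review bot: `@bypass_csrf_protection` on `forward_workspace` removes the nonce check for every method and every service path opened up in PATCH 1/2, and neither the code nor the commit message records what now keeps a cross-site request carrying the user's session cookie from reaching a workspace service. If the proxied services cannot carry CTFd's nonce, say so and name the compensating control in a comment above the decorator, for example `# CSRF nonce skipped: proxied services cannot embed it; cross-site requests are blocked by <mechanism, e.g. SameSite cookie or Origin check>`. As far as I know the decorator works by marking the view function, and it sits beneath `@authed_only`, so the exemption presumably depends on `authed_only` copying function attributes to its wrapper (that code is not on this page); a test that a nonce-less POST is accepted on this route and still rejected on other routes would pin that down. The function body continues past the end of the hunk.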