Add AntiForgery tokens to some actions that were missing them #4490
How did you test this?
$(document).ready(function() { | ||
$(document).ready(function () { | ||
var addAntiForgeryToken = function (data) { | ||
var $field = $("#AntiForgeryForm input[name=__RequestVerificationToken]"); |
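Review bot: on the `$field` line, the lookup assumes an `#AntiForgeryForm` element containing a `__RequestVerificationToken` input is rendered on every page that loads this script, and the visible lines do not handle the selector matching nothing. Consider checking `$field.length` and surfacing an error, or documenting the requirement next to `addAntiForgeryToken`, so a page missing the form does not quietly send a POST without the token.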
This code should go in a shared location.
Let's reduce the copied code here.
Could we have a unit test that verifies that controller actions w/ HttpPost also have ValidateAntiForgeryToken?
@skofman1 I tested all of the endpoints manually and checked that they all worked with the attribute. @chenriksson I like that idea, will add to this PR.
@joelverhagen I moved the code to a shared place by adding a
@chenriksson Finished the test as requested and found two more endpoints with the issue!
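The kind of check requested above can be done with reflection. The following is an added example, not the test from this PR or the project's code: the attribute and `Controller` types are local stand-ins for the `System.Web.Mvc` types of the same names, and the two sample controllers and the `AntiForgeryAudit` helper are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Stand-ins so the example compiles alone (assumption): in an MVC project,
// use the System.Web.Mvc types of the same names instead.
[AttributeUsage(AttributeTargets.Method)]
public class HttpPostAttribute : Attribute { }
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class ValidateAntiForgeryTokenAttribute : Attribute { }
public abstract class Controller { }

// Constructed sample controllers: one protected POST, one unprotected POST.
public class PackagesController : Controller
{
    [HttpPost, ValidateAntiForgeryToken] public void Delete(string id) { }
    public void Details(string id) { }            // not a POST, so not checked
}
public class AdminController : Controller
{
    [HttpPost] public void Reflow(string id) { }  // should be reported
}

public static class AntiForgeryAudit
{
    // Returns "Controller.Action" for each [HttpPost] action that has no
    // [ValidateAntiForgeryToken] on the method or on its controller class.
    public static List<string> FindUnprotectedPostActions(Assembly assembly)
    {
        return (from t in assembly.GetTypes()
                where !t.IsAbstract && typeof(Controller).IsAssignableFrom(t)
                where !t.IsDefined(typeof(ValidateAntiForgeryTokenAttribute), true)
                from m in t.GetMethods(BindingFlags.Public | BindingFlags.Instance)
                where m.IsDefined(typeof(HttpPostAttribute), true)
                   && !m.IsDefined(typeof(ValidateAntiForgeryTokenAttribute), true)
                orderby t.Name, m.Name
                select t.Name + "." + m.Name).ToList();
    }
}

public static class Program
{
    public static int Main()
    {
        var missing = AntiForgeryAudit.FindUnprotectedPostActions(typeof(Program).Assembly);
        foreach (var name in missing)
            Console.WriteLine("Missing [ValidateAntiForgeryToken]: " + name);
        return missing.Count == 0 ? 0 : 1;  // a unit test would assert the list is empty
    }
}
```

Run against the sample controllers, it reports `AdminController.Reflow` only. A real suite would also need an explicit allow-list for any POST endpoints that intentionally skip the token.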
@@ -0,0 +1,104 @@ | |||
using System; |
copyright
Mostly admin routes.
These include
https://github.com/NuGet/Engineering/issues/638