potiuk commented on PR #53907:
URL: https://github.com/apache/airflow/pull/53907#issuecomment-3195783471

   > > A pure GET request that mutates the state runs the risk of some background process (be it the browser itself pre-fetching, or the MUA etc) hitting it and running the endpoint, so I think that is out to my mind.
   > 
   > It's also a CSRF issue if GET mutates state. https://security.stackexchange.com/questions/115794/should-i-use-csrf-protection-for-get-requests
   
   However, actually I think (after reading the whole thread) it's not 
dangerous to have a GET request for that if:
   
   * we have UUID as parameter of the GET
   * we embed a short-lived JWT token in the GET request parameter, bound with 
the UUID and (potentially) with the user
   * we validate both the token and the user in the GET request
   * we never share the URL+ token in any other way than - say - via email or 
Slack
   * the GET request only allows for that single pre-determined action 
(approve) and absolutely nothing else
   
   CSRF is only a problem when the GET mutating state is available somewhere in 
the web page that the attacker might be able to read from another tab of the same 
app, because then the attacker can "execute" the URL in the context of that tab, 
and even if they do not see the result they can initiate the action.
   
   This is a different story if the GET URL is shared via a different channel, 
is short-lived and is only ever displayed in the browser in a tab that 
is **not** from the original app (say a Gmail window) - then the attacker cannot 
execute the request with all the session cookies of the user for authentication, 
because such a GET request will not have the right cookies identifying the user in 
the "target" application.
   
   While GET "technically" should not allow mutations, such a technique is often 
used - for example all the sites that send "magic links" - like Slack when you 
want to log in on a new machine - they are doing exactly this. They are 
sending GET URL requests that have an embedded short-lived token that allows the 
user to confirm that they are who they are (because they received the link via 
mail) - and effectively they mutate the state of the application:
   
   <img width="551" height="277" alt="Screenshot 2025-08-18 at 11 01 23" src="https://github.com/user-attachments/assets/b0b4f90f-3fa7-44f4-bfc9-39989cc21b80" />
   
   So it's not **really** impossible or insecure to do it this way.

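An added example (not Airflow code, and not code from the comment above) of the scheme the comment lists: a UUID-bound, user-bound, short-lived HS256 JWT carried in the query string of a GET link, and the server-side handler that accepts exactly one action. It assumes the recipient is also logged in to the application, so the user from the session cookie can be checked against the token's `sub` claim (the "validate both the token and the user" point); `SECRET_KEY`, the `/approve` path, the 15-minute lifetime and all function names are hypothetical.

```python
"""Short-lived, single-purpose GET approval link (illustrative, not Airflow code)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical signing secret; a real deployment loads it from a secret store.
SECRET_KEY = b"example-only-signing-key"
TOKEN_TTL_SECONDS = 15 * 60          # the link dies 15 minutes after issue
ALLOWED_ACTION = "approve"           # the one and only action the link may trigger

# Simulated application state: the only thing the GET is allowed to mutate.
approved_requests = set()


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> str:
    return _b64url(hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest())


def _enc(obj: Dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(request_id: str, user_id: str, now: Optional[int] = None) -> str:
    """Compact HS256 JWT bound to one request (jti), one user (sub), one action (act)."""
    iat = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"jti": request_id, "sub": user_id, "act": ALLOWED_ACTION,
              "iat": iat, "exp": iat + TOKEN_TTL_SECONDS}
    signing_input = f"{_enc(header)}.{_enc(claims)}"
    return f"{signing_input}.{_sign(signing_input)}"


def build_approve_url(base_url: str, request_id: str, user_id: str,
                      now: Optional[int] = None) -> str:
    """The URL sent over the side channel (mail/Slack); it is never rendered in an app page."""
    query = urlencode({"id": request_id, "token": issue_token(request_id, user_id, now)})
    return f"{base_url}/approve?{query}"


def verify_token(token: str, now: Optional[int] = None) -> Dict:
    """Check structure, alg, signature, expiry and action; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, sig = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":          # refuse alg confusion ("none", RS256, ...)
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sig, _sign(f"{h64}.{c64}")):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    current = int(time.time()) if now is None else now
    if current >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if claims.get("act") != ALLOWED_ACTION:   # token minted for some other purpose
        raise ValueError("token not valid for this action")
    return claims


def handle_approve_get(url: str, session_user_id: Optional[str],
                       now: Optional[int] = None) -> Tuple[int, str]:
    """Server side of GET /approve. session_user_id is the identity from the app's own
    session cookie (None when the request carries no valid session), so a forged
    cross-site GET needs both the emailed token and the victim's session to succeed."""
    params = parse_qs(urlparse(url).query)
    request_id = params.get("id", [None])[0]
    token = params.get("token", [None])[0]
    if not request_id or not token:
        return 400, "missing id or token"
    try:
        claims = verify_token(token, now)
    except ValueError as exc:                 # covers bad base64/JSON as well
        return 403, str(exc)
    if claims["jti"] != request_id:           # token bound to a different UUID
        return 403, "token does not match request id"
    if session_user_id is None or claims["sub"] != session_user_id:
        return 403, "token does not belong to the logged-in user"
    if request_id in approved_requests:
        return 200, "already approved"
    approved_requests.add(request_id)         # the single permitted mutation
    return 200, f"request {request_id} approved by {session_user_id}"
```

Because the token is the only thing that authorises the action and it never appears in an application page, a page in another tab has nothing to read and replay; the handler additionally refuses a token whose `jti` or `sub` disagrees with the request, an expired token, and any `act` other than approve. Note that a token in a query string will land in access logs and Referer headers, which is one more reason to keep its lifetime short.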