Skip to content

fix(COLDBOX-1406): restrict HTTP method spoofing to POST requests only#673

Merged
lmajano merged 2 commits into
developmentfrom
copilot/coldbox-1406-fix-method-spoofing
Jul 15, 2026
Merged

fix(COLDBOX-1406): restrict HTTP method spoofing to POST requests only#673
lmajano merged 2 commits into
developmentfrom
copilot/coldbox-1406-fix-method-spoofing

Conversation

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

getHTTPMethod() honored the _method request parameter from any HTTP verb, meaning a GET request with ?_method=DELETE would pass DELETE-only allowedMethods checks — enabling CSRF-style attacks via <img> tags, crawlers, or prefetch.

Changes

  • RequestContext::getHTTPMethod() — now only applies the _method override when CGI.REQUEST_METHOD is POST, and only for PUT, PATCH, or DELETE targets. All other original methods are returned unchanged.
  • RequestContext::getOriginalHTTPMethod() — new method that always returns the raw transport-level CGI.REQUEST_METHOD, regardless of any _method parameter. Useful for interceptors, security modules, and logging.
// GET /admin/tags/1?_method=DELETE  →  getHTTPMethod() now returns "GET"
// POST /admin/tags/1 + _method=DELETE  →  getHTTPMethod() returns "DELETE"  ✓
// POST /admin/tags/1 + _method=GET  →  getHTTPMethod() returns "POST"  (invalid override ignored)
Original _method Result
GET DELETE GET — override ignored
HEAD DELETE HEAD — override ignored
POST DELETE DELETE
POST PUT PUT
POST PATCH PATCH
POST GET POST — invalid override ignored

Unit tests added for all combinations above.

- `getHTTPMethod()` now only honors the `_method` override when the
  transport-level request method is POST, and only for PUT, PATCH, or
  DELETE targets.  Any other original method (GET, HEAD, PUT, …) is
  returned unchanged, closing the CSRF-style attack surface described
  in COLDBOX-1406.
- Added `getOriginalHTTPMethod()` that always returns the raw
  CGI.REQUEST_METHOD, letting interceptors/logging distinguish
  transport vs effective method.
- Covered all combinations with unit tests in RequestContextTest.
Copilot AI changed the title [WIP] Fix method spoofing to restrict HTTP method usage fix(COLDBOX-1406): restrict HTTP method spoofing to POST requests only Jul 14, 2026
Copilot AI requested a review from lmajano July 14, 2026 23:35
@lmajano
lmajano marked this pull request as ready for review July 15, 2026 00:30
@github-actions

github-actions Bot commented Jul 15, 2026

Copy link
Copy Markdown

Test Results

0 tests  ±0   0 ✅ ±0   0s ⏱️ ±0s
0 suites ±0   0 💤 ±0 
0 files   ±0   0 ❌ ±0 

Results for commit 70fc3f7. ± Comparison against base commit 6d82fed.

♻️ This comment has been updated with latest results.

@lmajano
lmajano merged commit 9f94cd1 into development Jul 15, 2026
25 of 28 checks passed
@lmajano
lmajano deleted the copilot/coldbox-1406-fix-method-spoofing branch July 15, 2026 00:42
@homestar9

Copy link
Copy Markdown
Contributor

@lmajano, just a heads-up that this issue affects Coldbox 7 as well. Let me know if you want me to create a separate Jira issue. I didn't see a way to tag both Coldbox 8 and 7 in the same issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants