From e6d31c8bd212d46272864103896728b70602c2da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Fri, 1 Dec 2017 18:16:59 -0500
Subject: [PATCH] add referer check to /api/admin/users/csv
---
 src/controllers/admin/users.js | 6 ++++++
 test/controllers-admin.js | 31 ++++++++++++++++++++++++++++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/src/controllers/admin/users.js b/src/controllers/admin/users.js
index d454b287a1..5c71c19da7 100644
--- a/src/controllers/admin/users.js
+++ b/src/controllers/admin/users.js
@@ -2,6 +2,7 @@
 var async = require('async');
 var validator = require('validator');
+var nconf = require('nconf');
 var user = require('../../user');
 var meta = require('../../meta');
@@ -183,6 +184,11 @@ function render(req, res, data) {
 }
 usersController.getCSV = function (req, res, next) {
+ var referer = req.headers.referer;
+
+ if (!referer || !referer.replace(nconf.get('url'), '').startsWith('/admin/manage/users')) {
+ return res.status(403).send('[[error:invalid-origin]]');
+ }
 events.log({
 type: 'getUsersCSV',
 uid: req.user.uid,
diff --git a/test/controllers-admin.js b/test/controllers-admin.js
index 74cb521bc1..7639a0df4f 100644
--- a/test/controllers-admin.js
+++ b/test/controllers-admin.js
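Review bot: The referer guard added to getCSV is string surgery rather than an origin check: `String.prototype.replace` with a string pattern removes only the first occurrence of the base URL wherever it sits, and a referer that never contained the base URL reaches `startsWith` unchanged, so any value that begins with `/admin/manage/users` passes regardless of which origin sent it (the second new test, which sends the relative referer `/topic/1/test`, exercises that path rather than a cross-origin one). Parsing the header with Node's `url` module and comparing host and pathname against `nconf.get('url')` states the intent directly and also keeps working when the configured url carries a subpath; it needs `var url = require('url');` added to the require block touched by the first hunk. Since Referer is optional and browsers suppress it under strict referrer policies, the reason for the 403 should be recorded above the check, e.g. `// Referer-based guard: the CSV export is a GET that returns user data, so only serve it to requests that came from the admin users page`. getCSV's body continues outside the hunk.

```javascript
usersController.getCSV = function (req, res, next) {
	// Referer-based guard: the CSV export is a GET that returns user data,
	// so only serve it to requests that came from the admin users page.
	var referer = url.parse(req.headers.referer || '');
	var base = url.parse(nconf.get('url'));
	var expectedPath = (base.pathname || '').replace(/\/$/, '') + '/admin/manage/users';
	if (!referer.host || referer.host !== base.host || !(referer.pathname || '').startsWith(expectedPath)) {
		return res.status(403).send('[[error:invalid-origin]]');
	}
	// … unchanged: events.log call and CSV generation …
```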
@@ -255,9 +255,38 @@ describe('Admin Controllers', function () {
 });
 });
- it('should load /admin/users/csv', function (done) {
+ it('should return 403 if no referer', function (done) {
 request(nconf.get('url') + '/api/admin/users/csv', { jar: jar }, function (err, res, body) {
 assert.ifError(err);
+ assert.equal(res.statusCode, 403);
+ assert.equal(body, '[[error:invalid-origin]]');
+ done();
+ });
+ });
+
+ it('should return 403 if referer is not /admin/users/csv', function (done) {
+ request(nconf.get('url') + '/api/admin/users/csv', {
+ jar: jar,
+ headers: {
+ referer: '/topic/1/test',
+ },
+ }, function (err, res, body) {
+ assert.ifError(err);
+ assert.equal(res.statusCode, 403);
+ assert.equal(body, '[[error:invalid-origin]]');
+ done();
+ });
+ });
+
+ it('should load /admin/users/csv', function (done) {
+ request(nconf.get('url') + '/api/admin/users/csv', {
+ jar: jar,
+ headers: {
+ referer: nconf.get('url') + '/admin/manage/users',
+ },
+ }, function (err, res, body) {
+ assert.ifError(err);
+ assert.equal(res.statusCode, 200);
 assert(body);
 done();
 });