
Disallow mutating SQL in GET requests #7791

Merged
labkey-adam merged 6 commits into develop from fb_mutating_sql on Jun 25, 2026

Conversation

labkey-adam (Contributor) commented Jun 23, 2026

Rationale

For a long time (since 2019?) we've prohibited mutating SQL (INSERT, UPDATE, DELETE, etc.) via GET requests when running in dev mode with asserts on. It's past time to turn this on for production-mode deployments. This protects our customers from Cross-Site Request Forgery (CSRF) attacks. A deprecated feature flag can be enabled to turn this off temporarily in case a customer discovers a mutating action that hasn't been migrated to POST. https://github.com/LabKey/kanban/issues/1941

Related Pull Requests

User Education

  • Probably need a Release Note bullet about the change in behavior. Could lump this with other security "benefits".
  • Could document the Deprecated Feature in the usual way. Although it's a little different in that we've added a flag that turns off a new feature.

Tasks 📍

  • Claude Code Review
  • Test Automation
  • Manual Testing / Verify Fix @labkey-tchad
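The check the PR describes, written out as an added example that is not LabKey's code (the PR's own change lives in SpringActionController.java, which this page does not show): a guard that finds the verb of each SQL statement in a request and rejects mutating statements when the HTTP method is GET, unless an override flag stands in for the deprecated feature flag. The class, method, exception and flag names and the sample table names are assumptions, and MERGE and TRUNCATE are added to the PR's INSERT/UPDATE/DELETE list as an assumption.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not LabKey code: the policy this PR describes as a stand-alone guard. SQL that
 * arrives on an HTTP GET is rejected when any statement in it mutates data, unless a deprecated
 * override flag is set. Class, method and flag names are assumptions for illustration.
 */
public final class MutatingSqlGuard {

    /** Mutating verbs. INSERT, UPDATE and DELETE are named in the PR; MERGE and TRUNCATE are assumed additions. */
    private static final Set<String> MUTATING = Set.of("INSERT", "UPDATE", "DELETE", "MERGE", "TRUNCATE");

    /** Verbs that can begin a statement; used to find the real verb behind a WITH (CTE) prefix. */
    private static final Set<String> STATEMENT_VERBS = Set.of("SELECT", "INSERT", "UPDATE", "DELETE", "MERGE", "TRUNCATE");

    /** Stand-in for the deprecated feature flag (assumed name); false, the default, rejects mutating GETs. */
    private final boolean allowMutatingSqlOnGet;

    public MutatingSqlGuard(boolean allowMutatingSqlOnGet) { this.allowMutatingSqlOnGet = allowMutatingSqlOnGet; }

    /** Assumed exception type raised when the policy rejects a request. */
    public static final class MutatingGetException extends RuntimeException {
        public MutatingGetException(String message) { super(message); }
    }

    /** Enforce the policy: GET plus mutating SQL is rejected unless the override flag is on. */
    public void check(String httpMethod, String sql) {
        if (!"GET".equalsIgnoreCase(httpMethod) || !isMutating(sql) || allowMutatingSqlOnGet) return;
        throw new MutatingGetException("Mutating SQL is not allowed in a GET request: " + statementVerbs(sql));
    }

    /** True when any statement mutates data; a statement whose verb is not recognised (e.g. CALL) fails closed. */
    public static boolean isMutating(String sql) {
        for (String verb : statementVerbs(sql)) if (verb == null || MUTATING.contains(verb)) return true;
        return false;
    }

    /**
     * One verb per ';'-separated statement (null when none is recognised). Comments and quoted strings are
     * skipped so they cannot hide or fake a verb; parenthesis depth is tracked so that
     * "WITH c AS (SELECT ...) DELETE ..." resolves to DELETE rather than SELECT.
     */
    public static List<String> statementVerbs(String sql) {
        List<String> verbs = new ArrayList<>();
        if (sql == null) return verbs;
        int depth = 0, i = 0, n = sql.length();
        String verb = null; boolean sawWord = false;
        while (i < n) {
            char c = sql.charAt(i);
            if (sql.startsWith("--", i)) {                              // line comment
                int e = sql.indexOf('\n', i); i = e < 0 ? n : e + 1;
            } else if (sql.startsWith("/*", i)) {                       // block comment
                int e = sql.indexOf("*/", i + 2); i = e < 0 ? n : e + 2;
            } else if (c == '\'' || c == '"') {                         // string literal or quoted identifier
                i = skipQuoted(sql, i, c);
            } else if (c == '(') { depth++; i++;
            } else if (c == ')') { if (depth > 0) depth--; i++;
            } else if (c == ';' && depth == 0) {                        // statement boundary
                if (sawWord) verbs.add(verb);
                verb = null; sawWord = false; i++;
            } else if (Character.isLetter(c)) {
                int s = i;
                while (i < n && (Character.isLetterOrDigit(sql.charAt(i)) || sql.charAt(i) == '_')) i++;
                if (depth == 0) {
                    sawWord = true;
                    String word = sql.substring(s, i).toUpperCase(Locale.ROOT);
                    if (verb == null && STATEMENT_VERBS.contains(word)) verb = word;
                }
            } else i++;
        }
        if (sawWord) verbs.add(verb);
        return verbs;
    }

    /** Skip a quoted run starting at sql[start], honouring the doubled-quote escape; returns the index after it. */
    private static int skipQuoted(String sql, int start, char quote) {
        int i = start + 1, n = sql.length();
        while (i < n) {
            if (sql.charAt(i) == quote) {
                if (i + 1 < n && sql.charAt(i + 1) == quote) { i += 2; continue; }   // '' inside a string
                return i + 1;
            }
            i++;
        }
        return n;
    }

    /** Constructed sample requests; the table names are made up. */
    public static void main(String[] args) {
        MutatingSqlGuard guard = new MutatingSqlGuard(false);
        guard.check("GET", "SELECT name FROM demo.users WHERE note = 'please delete'");   // read-only: allowed
        guard.check("POST", "DELETE FROM demo.todo WHERE done = 1");                      // not a GET: allowed
        try {
            guard.check("GET", "/* lookup */ WITH c AS (SELECT 1) UPDATE demo.todo SET done = 1");
        } catch (MutatingGetException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        new MutatingSqlGuard(true).check("GET", "DELETE FROM demo.todo");                 // deprecated override: allowed
    }
}
```

Two design choices matter here. The guard only looks at GET because that is the CSRF surface the PR names: a browser follows a GET with the victim's cookies attached without any action on the victim's part, whereas a POST can carry the anti-CSRF token that the request handler checks. And a statement whose verb the guard cannot identify is treated as mutating, so an unusual statement form is rejected rather than silently allowed; the override flag exists precisely so that an operator can lift such a rejection temporarily while the action is migrated to POST.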

Review comment thread on api/src/org/labkey/api/action/SpringActionController.java (outdated)
@labkey-adam labkey-adam merged commit 719aabd into develop Jun 25, 2026
6 of 7 checks passed
@labkey-adam labkey-adam deleted the fb_mutating_sql branch June 25, 2026 17:14
labkey-adam added a commit that referenced this pull request Jun 26, 2026
## Rationale
Optional feature check was causing reentrancy on bootstrap

## Related Pull Requests
- #7791

2 participants