From b7160f4494827f4b2ae4151bad0662717f581af5 Mon Sep 17 00:00:00 2001
From: ReenigneArcher <42013603+ReenigneArcher@users.noreply.github.com>
Date: Sun, 15 Feb 2026 19:55:58 -0500
Subject: [PATCH] fix(flask): enable csrf protection

---
 .gitignore | 1 +
 pyproject.toml | 1 +
 src/common/webapp.py | 12 ++++++++----
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/.gitignore b/.gitignore
index e0aed2f..2ebb6f2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -153,3 +153,4 @@ cython_debug/
 
 # project specific ignores
 data/
+junit.xml
diff --git a/pyproject.toml b/pyproject.toml
index b99a00f..5f6e1c1 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -23,6 +23,7 @@ classifiers = [
 dependencies = [
     "cryptography==46.0.5",
     "Flask==3.1.2",
+    "Flask-WTF==1.2.2",
     "GitPython==3.1.46",
     "libgravatar==1.0.4",
     "mistletoe==1.5.1",
diff --git a/src/common/webapp.py b/src/common/webapp.py
index ea4e3e5..55a4732 100644
--- a/src/common/webapp.py
+++ b/src/common/webapp.py
@@ -8,6 +8,7 @@
 # lib imports
 import discord
 from flask import Flask, jsonify, redirect, request, Response, send_from_directory
+from flask_wtf import CSRFProtect
 from requests_oauthlib import OAuth2Session
 from werkzeug.middleware.proxy_fix import ProxyFix
 
@@ -30,6 +31,8 @@
     import_name='LizardByte-bot',
     static_folder=os.path.join(app_dir, 'assets'),
 )
+app.secret_key = os.urandom(32).hex()
+csrf = CSRFProtect(app)  # Enable CSRF Protection
 
 # this allows us to log the real IP address of the client, instead of the IP address of the proxy host
 app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1, x_port=1)
@@ -75,7 +78,7 @@ def html_to_md(html: str) -> str:
     return html
 
 
-@app.route('/status')
+@app.route('/status', methods=["GET"])
 def status():
     degraded_checks = [
         getattr(globals.DISCORD_BOT, 'DEGRADED', True),
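Review bot: `app.secret_key = os.urandom(32).hex()` in the `@@ -30,6 +31,8 @@` hunk generates a brand-new key on every process start, so every session cookie, and with it the CSRF token that Flask-WTF keeps in the session, is invalidated on each restart, and if the app is served by more than one worker process each worker signs with its own key and a token issued by one worker is rejected by another as a CSRF failure. For a commit whose purpose is to enable CSRF protection that makes the protection fail intermittently with spurious 400s rather than giving it a stable key. Prefer a configured key with the random value only as a fallback, e.g. `app.secret_key = os.environ.get('FLASK_SECRET_KEY') or os.urandom(32).hex()`, with a comment that the fallback is only safe for a single short-lived process. If the OAuth callbacks keep their `state` in the Flask session (not visible in this hunk), the same key churn would break those flows across restarts too.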
@@ -93,7 +96,7 @@ def status():
     return jsonify(result)
 
 
-@app.route("/favicon.ico")
+@app.route("/favicon.ico", methods=["GET"])
 def favicon():
     return send_from_directory(
         directory=app.static_folder,
@@ -102,7 +105,7 @@ def favicon():
     )
 
 
-@app.route("/discord/callback")
+@app.route("/discord/callback", methods=["GET"])
 def discord_callback():
     # errors will be in the query parameters
     if 'error' in request.args:
@@ -179,7 +182,7 @@ def discord_callback():
     return redirect("https://app.lizardbyte.dev")
 
 
-@app.route("/github/callback")
+@app.route("/github/callback", methods=["GET"])
 def github_callback():
     # errors will be in the query parameters
     if 'error' in request.args:
@@ -256,6 +259,7 @@ def github_callback():
 
 
 @app.route("/webhook//", methods=["POST"])
+@csrf.exempt
 def webhook(source: str, key: str) -> Tuple[Response, int]:
     """
     Process webhooks from various sources.
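Review bot: `@csrf.exempt` on `webhook` in the last hunk is the right call for inbound third-party webhooks, which cannot carry a Flask-WTF token, but it leaves the `key` path segment and whatever the body does as the endpoint's only authentication; the function body continues past the hunk, so I cannot see whether the per-source payload signature (for GitHub, `X-Hub-Signature-256`) is verified there. Make the contract explicit in the docstring the hunk opens, e.g. `CSRF-exempt: callers are authenticated by the per-source key and payload signature, not by a session token.`, and if the key or signature is compared with `==` anywhere in the body, switch it to `hmac.compare_digest`. The route reads `"/webhook//"` in this rendering, which looks like the viewer stripped the `<source>`/`<key>` converters rather than a real change; worth confirming against the actual file.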