
Multi file upload lacks CSRF #504

Open
4 tasks done
abhi-markan opened this issue Jul 14, 2023 · 0 comments


Prerequisites

  • Reproduced the problem
  • Followed all applicable steps in the debugging guide
  • Checked the FAQs on the message board for common solutions
  • Checked that your issue doesn't exist: https://github.com/ministryofjustice/moj-frontend/issues
  • Checked that there is not already a package that provides the described functionality

Description

Lack of CSRF protection when uploading files, and no way to add custom fields to carry a CSRF token unless it is appended to the query string as a parameter on uploadUrl and deleteUrl.

Steps to Reproduce

```javascript
// Initialise the MultiFileUpload component as documented; the only
// configurable request details are the two endpoint URLs.
if (typeof MOJFrontend.MultiFileUpload !== 'undefined') {
  new MOJFrontend.MultiFileUpload({
    container: $('.moj-multi-file-upload'),
    uploadUrl: '/ajax-upload-url',
    deleteUrl: '/ajax-delete-url'
  });
}
```

  • The above does not provide a clean mechanism for providing a token, unless it is appended as a query parameter such as ?csrf=abc to uploadUrl and deleteUrl.

Expected behaviour: Upload and delete URL can only be invoked with a CSRF token.

Actual behaviour: Upload and delete URL can be invoked without any CSRF token, thus a malicious user can invoke the endpoint without any authentication.

Reproduces how often: 100%

Versions

"@ministryofjustice/frontend": "1.6.4",
