@budibase/backend-core CSRF bypass via unanchored route regex
What changed
The buildMatcherRegex() and matches() functions in packages/backend-core/src/middleware/matchers.ts compile route patterns into regular expressions with no ^ or $ anchors and test them against ctx.request.url, which includes the full query string. Because the CSRF middleware consults this matcher to decide which routes are public and exempt from token validation, an unanchored pattern will match anywhere in the URL, including inside the query. An attacker can therefore append a query parameter whose value is a public route pattern to a request for a protected endpoint; the matcher reports the request as public and the CSRF middleware skips token validation for it.
Who it affects
All Budibase self-hosted deployments with an internet-accessible Worker service up to and including version 3.32.3.
What to do today
Apply the fix in matches(): anchor the compiled regular expressions with ^ and $ so they must match the whole string, and test them against ctx.request.path rather than ctx.request.url so the query string is never part of the comparison. Both changes are needed: anchoring alone, still tested against ctx.request.url, would stop the injection but would also reject legitimate requests to public routes that carry a query string, while switching to the path alone would still allow substring matches. After deploying, confirm the fix by sending a request to a protected endpoint with a public route pattern in its query string and no CSRF token, and check that it is rejected.