Add CSRF protection to remaining commands
This commit is contained in:
Antonin Delpeuch
parent
3559eeb11f
commit
5dc005749a
@ -49,6 +49,10 @@ public class SetPreferenceCommand extends Command {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
Project project = request.getParameter("project") != null ? getProject(request) : null;
|
||||
PreferenceStore ps = project != null ?
|
||||
|
||||
@ -50,6 +50,10 @@ public class AnnotateOneRowCommand extends Command {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
response.setCharacterEncoding("UTF-8");
|
||||
response.setHeader("Content-Type", "application/json");
|
||||
|
||||
@ -50,6 +50,10 @@ public class DenormalizeCommand extends Command {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
Project project = getProject(request);
|
||||
|
||||
@ -111,6 +111,10 @@ public class GetRowsCommand extends Command {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* This command accepts both POST and GET. It is not CSRF-protected as it does not incur any state change.
|
||||
*/
|
||||
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
|
||||
@ -0,0 +1,24 @@
|
||||
package com.google.refine.commands;
|
||||
|
||||
import com.google.refine.commands.CommandTestBase;
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
|
||||
import org.testng.annotations.BeforeMethod;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
public class SetPreferenceCommandTests extends CommandTestBase {
|
||||
|
||||
@BeforeMethod
|
||||
public void setUpCommand() {
|
||||
command = new SetPreferenceCommand();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCSRFProtection() throws ServletException, IOException {
|
||||
command.doPost(request, response);
|
||||
assertCSRFCheckFailed();
|
||||
}
|
||||
}
|
||||
|
||||
@ -0,0 +1,22 @@
|
||||
package com.google.refine.commands.row;
|
||||
import com.google.refine.commands.CommandTestBase;
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
|
||||
import org.testng.annotations.BeforeMethod;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
public class AnnotateOneRowCommandTests extends CommandTestBase {
|
||||
|
||||
@BeforeMethod
|
||||
public void setUpCommand() {
|
||||
command = new AnnotateOneRowCommand();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCSRFProtection() throws ServletException, IOException {
|
||||
command.doPost(request, response);
|
||||
assertCSRFCheckFailed();
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,23 @@
|
||||
package com.google.refine.commands.row;
|
||||
import com.google.refine.commands.CommandTestBase;
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
|
||||
import org.testng.annotations.BeforeMethod;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
public class DenormalizeCommandTests extends CommandTestBase {
|
||||
|
||||
@BeforeMethod
|
||||
public void setUpCommand() {
|
||||
command = new DenormalizeCommand();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCSRFProtection() throws ServletException, IOException {
|
||||
command.doPost(request, response);
|
||||
assertCSRFCheckFailed();
|
||||
}
|
||||
}
|
||||
|
||||
@ -721,7 +721,7 @@ ListFacet.prototype._setChoiceCountLimit = function(choiceCount) {
|
||||
|
||||
if (!isNaN(n)) {
|
||||
var self = this;
|
||||
$.post(
|
||||
Refine.postCSRF(
|
||||
"command/core/set-preference",
|
||||
{
|
||||
name : "ui.browsing.listFacet.limit",
|
||||
|
||||
@ -28,19 +28,22 @@ Refine.SetLanguageUI = function(elmt) {
|
||||
});
|
||||
|
||||
this._elmts.set_lan_btn.bind('click', function(e) {
|
||||
$.ajax({
|
||||
url : "command/core/set-preference?",
|
||||
type : "POST",
|
||||
async : false,
|
||||
data : {
|
||||
name : "userLang",
|
||||
value : JSON.stringify($("#langDD option:selected").val())
|
||||
},
|
||||
success : function(data) {
|
||||
alert($.i18n('core-index-lang/page-reload'));
|
||||
location.reload(true);
|
||||
}
|
||||
});
|
||||
Refine.wrapCSRF(function(token) {
|
||||
$.ajax({
|
||||
url : "command/core/set-preference?",
|
||||
type : "POST",
|
||||
async : false,
|
||||
data : {
|
||||
name : "userLang",
|
||||
value : JSON.stringify($("#langDD option:selected").val()),
|
||||
csrf_token: token
|
||||
},
|
||||
success : function(data) {
|
||||
alert($.i18n('core-index-lang/page-reload'));
|
||||
location.reload(true);
|
||||
}
|
||||
});
|
||||
});
|
||||
});
|
||||
};
|
||||
|
||||
|
||||
@ -78,7 +78,7 @@ function PreferenceUI(tr, key, value) {
|
||||
}
|
||||
$(td1).text(newValue);
|
||||
|
||||
$.post(
|
||||
Refine.postCSRF(
|
||||
"command/core/set-preference",
|
||||
{
|
||||
name : key,
|
||||
@ -96,7 +96,7 @@ function PreferenceUI(tr, key, value) {
|
||||
|
||||
$('<button class="button">').text($.i18n('core-index/delete')).appendTo(td2).click(function() {
|
||||
if (window.confirm($.i18n('core-index/delete-key')+" " + key + "?")) {
|
||||
$.post(
|
||||
Refine.postCSRF(
|
||||
"command/core/set-preference",
|
||||
{
|
||||
name : key
|
||||
@ -154,7 +154,7 @@ function populatePreferences(prefs) {
|
||||
value = deDupUserMetaData(value);
|
||||
}
|
||||
|
||||
$.post(
|
||||
Refine.postCSRF(
|
||||
"command/core/set-preference",
|
||||
{
|
||||
name : key,
|
||||
|
||||
@ -113,17 +113,22 @@ ReconciliationManager.unregisterService = function(service, f) {
|
||||
};
|
||||
|
||||
ReconciliationManager.save = function(f) {
|
||||
$.ajax({
|
||||
async: false,
|
||||
type: "POST",
|
||||
url: "command/core/set-preference?" + $.param({
|
||||
name: "reconciliation.standardServices"
|
||||
}),
|
||||
data: { "value" : JSON.stringify(ReconciliationManager.standardServices) },
|
||||
success: function(data) {
|
||||
if (f) { f(); }
|
||||
},
|
||||
dataType: "json"
|
||||
Refine.wrapCSRF(function(token) {
|
||||
$.ajax({
|
||||
async: false,
|
||||
type: "POST",
|
||||
url: "command/core/set-preference?" + $.param({
|
||||
name: "reconciliation.standardServices"
|
||||
}),
|
||||
data: {
|
||||
"value" : JSON.stringify(ReconciliationManager.standardServices),
|
||||
csrf_token: token
|
||||
},
|
||||
success: function(data) {
|
||||
if (f) { f(); }
|
||||
},
|
||||
dataType: "json"
|
||||
});
|
||||
});
|
||||
};
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user