Add CSRF protection to remaining commands

Antonin Delpeuch 2019-10-14 14:28:00 +01:00
parent 3559eeb11f
commit 5dc005749a
11 changed files with 121 additions and 28 deletions


@ -49,6 +49,10 @@ public class SetPreferenceCommand extends Command {
@Override @Override
public void doPost(HttpServletRequest request, HttpServletResponse response) public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException { throws ServletException, IOException {
if(!hasValidCSRFToken(request)) {
respondCSRFError(response);
return;
}
Project project = request.getParameter("project") != null ? getProject(request) : null; Project project = request.getParameter("project") != null ? getProject(request) : null;
PreferenceStore ps = project != null ? PreferenceStore ps = project != null ?
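Review bot: The four-line guard at the top of doPost is repeated verbatim in SetPreferenceCommand, AnnotateOneRowCommand and DenormalizeCommand in this commit; a single helper on the Command base class, e.g. `if (!checkCSRF(request, response)) { return; }` with the helper calling hasValidCSRFToken and respondCSRFError, would keep the check and its error response in one place. Whether SetPreferenceCommand also overrides doGet is not visible in this hunk; if it does, the same preference write would be reachable without passing this check, since the guard lives only in doPost. doPost continues past the end of the hunk.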


@ -50,6 +50,10 @@ public class AnnotateOneRowCommand extends Command {
@Override @Override
public void doPost(HttpServletRequest request, HttpServletResponse response) public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException { throws ServletException, IOException {
if(!hasValidCSRFToken(request)) {
respondCSRFError(response);
return;
}
response.setCharacterEncoding("UTF-8"); response.setCharacterEncoding("UTF-8");
response.setHeader("Content-Type", "application/json"); response.setHeader("Content-Type", "application/json");
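Review bot: The guard runs before `response.setCharacterEncoding("UTF-8")` and the Content-Type header on the two lines below it, so the CSRF error response goes out without them unless respondCSRFError sets its own; respondCSRFError is not visible here, so that should be confirmed. If it does not, moving the guard below those two lines keeps the error body declared as UTF-8 JSON like the rest of this command's output. doPost continues past the end of the hunk.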


@ -50,6 +50,10 @@ public class DenormalizeCommand extends Command {
@Override @Override
public void doPost(HttpServletRequest request, HttpServletResponse response) public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException { throws ServletException, IOException {
if(!hasValidCSRFToken(request)) {
respondCSRFError(response);
return;
}
try { try {
Project project = getProject(request); Project project = getProject(request);


@ -111,6 +111,10 @@ public class GetRowsCommand extends Command {
} }
} }
/**
* This command accepts both POST and GET. It is not CSRF-protected as it does not incur any state change.
*/
@Override @Override
public void doPost(HttpServletRequest request, HttpServletResponse response) public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException { throws ServletException, IOException {
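Review bot: The Javadoc on doPost records the CSRF exemption, but nothing enforces that GetRowsCommand stays read-only; a test that calls doPost without a token and asserts the response is not the CSRF error would make the exemption deliberate and catch a later change that introduces a state change. The comment would also read more directly as `It is not CSRF-protected because it does not change any state.`. CommandTestBase, used by the new tests in this commit, looks like the natural home for such a test. doPost's body lies outside the hunk.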


@ -0,0 +1,24 @@
package com.google.refine.commands;
import com.google.refine.commands.CommandTestBase;
import java.io.IOException;
import javax.servlet.ServletException;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;
public class SetPreferenceCommandTests extends CommandTestBase {
@BeforeMethod
public void setUpCommand() {
command = new SetPreferenceCommand();
}
@Test
public void testCSRFProtection() throws ServletException, IOException {
command.doPost(request, response);
assertCSRFCheckFailed();
}
}
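Review bot: `import com.google.refine.commands.CommandTestBase;` on the second line is redundant, since SetPreferenceCommandTests is declared in that same package; the two row-package tests need the import, this one does not. Each of the three new tests (SetPreferenceCommandTests, AnnotateOneRowCommandTests, DenormalizeCommandTests) only exercises the missing-token path via assertCSRFCheckFailed; a companion case with a valid token that reaches the command body, if CommandTestBase can supply one, would show the guard does not reject legitimate requests. The project import is also placed before the java and javax imports, contrary to the usual grouping.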


@ -0,0 +1,22 @@
package com.google.refine.commands.row;
import com.google.refine.commands.CommandTestBase;
import java.io.IOException;
import javax.servlet.ServletException;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;
public class AnnotateOneRowCommandTests extends CommandTestBase {
@BeforeMethod
public void setUpCommand() {
command = new AnnotateOneRowCommand();
}
@Test
public void testCSRFProtection() throws ServletException, IOException {
command.doPost(request, response);
assertCSRFCheckFailed();
}
}


@ -0,0 +1,23 @@
package com.google.refine.commands.row;
import com.google.refine.commands.CommandTestBase;
import java.io.IOException;
import javax.servlet.ServletException;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;
public class DenormalizeCommandTests extends CommandTestBase {
@BeforeMethod
public void setUpCommand() {
command = new DenormalizeCommand();
}
@Test
public void testCSRFProtection() throws ServletException, IOException {
command.doPost(request, response);
assertCSRFCheckFailed();
}
}


@ -721,7 +721,7 @@ ListFacet.prototype._setChoiceCountLimit = function(choiceCount) {
if (!isNaN(n)) { if (!isNaN(n)) {
var self = this; var self = this;
$.post( Refine.postCSRF(
"command/core/set-preference", "command/core/set-preference",
{ {
name : "ui.browsing.listFacet.limit", name : "ui.browsing.listFacet.limit",


@ -28,19 +28,22 @@ Refine.SetLanguageUI = function(elmt) {
}); });
this._elmts.set_lan_btn.bind('click', function(e) { this._elmts.set_lan_btn.bind('click', function(e) {
$.ajax({ Refine.wrapCSRF(function(token) {
url : "command/core/set-preference?", $.ajax({
type : "POST", url : "command/core/set-preference?",
async : false, type : "POST",
data : { async : false,
name : "userLang", data : {
value : JSON.stringify($("#langDD option:selected").val()) name : "userLang",
}, value : JSON.stringify($("#langDD option:selected").val()),
success : function(data) { csrf_token: token
alert($.i18n('core-index-lang/page-reload')); },
location.reload(true); success : function(data) {
} alert($.i18n('core-index-lang/page-reload'));
}); location.reload(true);
}
});
});
}); });
}; };
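Review bot: `async : false` is kept inside the Refine.wrapCSRF callback, but the $.ajax call is now itself deferred into a callback that presumably waits for the token, so the synchronous flag no longer guarantees the preference is saved before the click handler returns, and synchronous XHR on the main thread is deprecated in browsers; dropping `async : false` and relying on the success callback, which already performs the alert and reload, preserves the intent. The same pattern appears in ReconciliationManager.save in this commit. There is still no `error` handler, so a rejected token or failed save gives the user no feedback; an `error` callback next to `success` would surface it. Refine.wrapCSRF is not part of this commit, so its behaviour is inferred.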


@ -78,7 +78,7 @@ function PreferenceUI(tr, key, value) {
} }
$(td1).text(newValue); $(td1).text(newValue);
$.post( Refine.postCSRF(
"command/core/set-preference", "command/core/set-preference",
{ {
name : key, name : key,
@ -96,7 +96,7 @@ function PreferenceUI(tr, key, value) {
$('<button class="button">').text($.i18n('core-index/delete')).appendTo(td2).click(function() { $('<button class="button">').text($.i18n('core-index/delete')).appendTo(td2).click(function() {
if (window.confirm($.i18n('core-index/delete-key')+" " + key + "?")) { if (window.confirm($.i18n('core-index/delete-key')+" " + key + "?")) {
$.post( Refine.postCSRF(
"command/core/set-preference", "command/core/set-preference",
{ {
name : key name : key
@ -154,7 +154,7 @@ function populatePreferences(prefs) {
value = deDupUserMetaData(value); value = deDupUserMetaData(value);
} }
$.post( Refine.postCSRF(
"command/core/set-preference", "command/core/set-preference",
{ {
name : key, name : key,


@ -113,17 +113,22 @@ ReconciliationManager.unregisterService = function(service, f) {
}; };
ReconciliationManager.save = function(f) { ReconciliationManager.save = function(f) {
$.ajax({ Refine.wrapCSRF(function(token) {
async: false, $.ajax({
type: "POST", async: false,
url: "command/core/set-preference?" + $.param({ type: "POST",
name: "reconciliation.standardServices" url: "command/core/set-preference?" + $.param({
}), name: "reconciliation.standardServices"
data: { "value" : JSON.stringify(ReconciliationManager.standardServices) }, }),
success: function(data) { data: {
if (f) { f(); } "value" : JSON.stringify(ReconciliationManager.standardServices),
}, csrf_token: token
dataType: "json" },
success: function(data) {
if (f) { f(); }
},
dataType: "json"
});
}); });
}; };
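Review bot: The request parameters are split between the query string (`name` via $.param in url) and the body (`value` and the new `csrf_token` in data); putting `name: "reconciliation.standardServices"` into `data` next to the other two keeps the url at `command/core/set-preference` and all parameters in one place, which is also how the preferences UI hunks in this commit pass `name`. This assumes the server reads query and body parameters uniformly, which the hunk does not show.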