Add CSRF protection to cell, history, column and expr commands
This commit is contained in:
parent
51ddd27909
commit
70e37b9085
@ -70,6 +70,10 @@ abstract public class EngineDependentCommand extends Command {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
Project project = getProject(request);
|
||||
|
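Review bot: The guard `if(!hasValidCSRFToken(request)) { respondCSRFError(response); return; }` is hand-copied into each `doPost`, so protection stays opt-in per command: any state-changing command not touched in this commit, and any command added later, is unprotected by default. The same copy appears in the JoinMultiValueCells, KeyValueColumnize, SplitMultiValueCells, TransposeColumnsIntoRows, TransposeRowsIntoColumns, MoveColumn, RemoveColumn, RenameColumn, LogExpression, ToggleStarredExpression, ApplyOperations, CancelProcesses, UndoRedo, CancelImportingJob and CreateImportingJob hunks. Consider inverting the default in `Command` by running the check in the base class before dispatching to the subclass, with read-only commands opting out explicitly; that is also where the exemption Javadocs added elsewhere in this commit would naturally live. `hasValidCSRFToken` and `respondCSRFError` are defined outside the hunk, so whether the error response also sets an HTTP status cannot be confirmed here, and the body of `doPost` continues past the hunk.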
@ -46,6 +46,10 @@ import com.google.refine.model.Project;
|
||||
import com.google.refine.preference.PreferenceStore;
|
||||
|
||||
public class GetAllPreferencesCommand extends Command {
|
||||
/**
|
||||
* The command uses POST (not sure why?) but does not actually modify any state
|
||||
* so it does not require CSRF.
|
||||
*/
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
|
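Review bot: The Javadoc `* The command uses POST (not sure why?) but does not actually modify any state` commits an open question as documentation; either state the reason or mark it as a `TODO`. The equivalent exemptions on PreviewExpressionCommand, GetImportingConfigurationCommand and GetImportingJobStatusCommand are each worded differently, so one shared phrasing would help a reader scanning for exempt commands, for example `* Read-only command: POST is used for transport only and no state is modified, so no CSRF token is required. The exemption holds only while this handler stays read-only.` The last sentence matters because the exemption is a property of the handler body, which is outside the hunk.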
@ -50,6 +50,10 @@ public class JoinMultiValueCellsCommand extends Command {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
Project project = getProject(request);
|
||||
|
@ -50,6 +50,10 @@ public class KeyValueColumnizeCommand extends Command {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
Project project = getProject(request);
|
||||
|
@ -52,6 +52,10 @@ public class SplitMultiValueCellsCommand extends Command {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
Project project = getProject(request);
|
||||
|
@ -50,6 +50,10 @@ public class TransposeColumnsIntoRowsCommand extends Command {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
Project project = getProject(request);
|
||||
|
@ -50,6 +50,10 @@ public class TransposeRowsIntoColumnsCommand extends Command {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
Project project = getProject(request);
|
||||
|
@ -50,6 +50,10 @@ public class MoveColumnCommand extends Command {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
Project project = getProject(request);
|
||||
|
@ -50,6 +50,10 @@ public class RemoveColumnCommand extends Command {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
Project project = getProject(request);
|
||||
|
@ -50,6 +50,10 @@ public class RenameColumnCommand extends Command {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
Project project = getProject(request);
|
||||
|
@ -48,7 +48,11 @@ public class LogExpressionCommand extends Command {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
String expression = request.getParameter("expression");
|
||||
|
||||
|
@ -111,6 +111,10 @@ public class PreviewExpressionCommand extends Command {
|
||||
this.results = evaluated;
|
||||
}
|
||||
}
|
||||
/**
|
||||
* The command uses POST but does not actually modify any state so it does
|
||||
* not require CSRF.
|
||||
*/
|
||||
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
|
@ -40,6 +40,11 @@ public class ToggleStarredExpressionCommand extends Command {
|
||||
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
String expression = request.getParameter("expression");
|
||||
|
||||
TopList starredExpressions = ((TopList) ProjectManager.singleton.getPreferenceStore().get(
|
||||
|
@ -54,6 +54,10 @@ public class ApplyOperationsCommand extends Command {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
Project project = getProject(request);
|
||||
String jsonString = request.getParameter("operations");
|
||||
|
@ -53,6 +53,10 @@ public class CancelProcessesCommand extends Command {
|
||||
if( response == null ) {
|
||||
throw new IllegalArgumentException("parameter 'request' should not be null");
|
||||
}
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
Project project = getProject(request);
|
||||
|
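Review bot: The argument check immediately above the new guard tests `response` but reports the wrong name; since this method is being touched, the message should be corrected to `throw new IllegalArgumentException("parameter 'response' should not be null");`. This line is context rather than part of the change, and the start of `doPost` lies outside the hunk, so the matching `request` check is presumably just above it. The ordering of the new guard is sound: it runs after the argument checks and before `getProject(request)`, so no project state is touched for a request without a valid token.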
@ -48,6 +48,10 @@ public class UndoRedoCommand extends Command {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
Project project = getProject(request);
|
||||
|
||||
|
@ -48,6 +48,10 @@ public class CancelImportingJobCommand extends Command {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
long jobID = Long.parseLong(request.getParameter("jobID"));
|
||||
ImportingJob job = ImportingManager.getJob(jobID);
|
||||
|
@ -52,6 +52,10 @@ public class CreateImportingJobCommand extends Command {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
long id = ImportingManager.createJob().id;
|
||||
|
||||
|
@ -49,6 +49,10 @@ public class GetImportingConfigurationCommand extends Command {
|
||||
@JsonProperty("config")
|
||||
ImportingConfiguration config = new ImportingConfiguration();
|
||||
}
|
||||
/**
|
||||
* This command uses POST but does not actually modify any state so
|
||||
* it is not CSRF-protected.
|
||||
*/
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
|
@ -66,6 +66,10 @@ public class GetImportingJobStatusCommand extends Command {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* This command uses POST but does not actually modify any state so
|
||||
* it is not CSRF-protected.
|
||||
*/
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
|
@ -0,0 +1,41 @@
|
||||
package com.google.refine.commands;
|
||||
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.when;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.PrintWriter;
|
||||
import java.io.StringWriter;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.testng.annotations.BeforeMethod;
|
||||
|
||||
import com.google.refine.util.TestUtils;
|
||||
|
||||
public class CommandTestBase {
|
||||
protected HttpServletRequest request = null;
|
||||
protected HttpServletResponse response = null;
|
||||
protected Command command = null;
|
||||
protected StringWriter writer = null;
|
||||
|
||||
@BeforeMethod
|
||||
public void setUpRequestResponse() {
|
||||
request = mock(HttpServletRequest.class);
|
||||
response = mock(HttpServletResponse.class);
|
||||
writer = new StringWriter();
|
||||
try {
|
||||
when(response.getWriter()).thenReturn(new PrintWriter(writer));
|
||||
} catch (IOException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Convenience method to check that CSRF protection was triggered
|
||||
*/
|
||||
protected void assertCSRFCheckFailed() {
|
||||
TestUtils.assertEqualAsJson("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", writer.toString());
|
||||
}
|
||||
}
|
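Review bot: `setUpRequestResponse` catches the `IOException` from stubbing `response.getWriter()` and only calls `e.printStackTrace()`, so a failure there leaves the mock without a writer and every test later fails on an empty body instead of at setup; declare the exception instead, `public void setUpRequestResponse() throws IOException {`, and drop the try/catch. `assertCSRFCheckFailed` compares only the JSON body; if `respondCSRFError` also sets an HTTP status (not visible here), verifying it as well, e.g. with Mockito's `verify(response).setStatus(EXPECTED_STATUS)` where the constant is whatever the command layer uses, would pin the error code rather than just the message. The expected JSON literal would also be better as a `protected static final String` so the ToggleStarredExpressionCommandTests copy can reuse it.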
@ -0,0 +1,38 @@
|
||||
package com.google.refine.commands;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.testng.annotations.BeforeMethod;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
import com.google.refine.browsing.EngineConfig;
|
||||
import com.google.refine.model.AbstractOperation;
|
||||
import com.google.refine.model.Project;
|
||||
|
||||
public class EngineDependentCommandTests extends CommandTestBase {
|
||||
|
||||
private static class EngineDependentCommandStub extends EngineDependentCommand {
|
||||
|
||||
@Override
|
||||
protected AbstractOperation createOperation(Project project, HttpServletRequest request,
|
||||
EngineConfig engineConfig) throws Exception {
|
||||
return null;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@BeforeMethod
|
||||
public void setUpCommand() {
|
||||
command = new EngineDependentCommandStub();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCSRFProtection() throws ServletException, IOException {
|
||||
command.doPost(request, response);
|
||||
assertCSRFCheckFailed();
|
||||
}
|
||||
}
|
||||
|
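Review bot: `testCSRFProtection` exercises only the rejection path, with no `csrf_token` parameter stubbed at all; there is no case for a wrong token, and no case supplying a valid one via `when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());` as the ToggleStarredExpressionCommandTests hunk does, so the tests cannot detect a guard that rejects everything. The same shape is repeated in the JoinMultiValueCells, KeyValueColumnize, SplitMultiValueCells, TransposeColumnsIntoRows, TransposeRowsIntoColumns, MoveColumn, RemoveColumn, RenameColumn, LogExpression, ApplyOperations, CancelProcesses, UndoRedo, CancelImportingJob and CreateImportingJob test classes. Since the stub's `createOperation` returns `null`, a valid-token case here would need the remaining request parameters stubbed or should assert on the non-CSRF error that follows; the base `doPost` body is outside this hunk, so I cannot say which.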
@ -0,0 +1,25 @@
|
||||
package com.google.refine.commands.cell;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
|
||||
import org.testng.annotations.BeforeMethod;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
import com.google.refine.commands.CommandTestBase;
|
||||
import com.google.refine.commands.cell.JoinMultiValueCellsCommand;
|
||||
|
||||
public class JoinMultiValueCellsCommandTests extends CommandTestBase {
|
||||
|
||||
@BeforeMethod
|
||||
public void setUpCommand() {
|
||||
command = new JoinMultiValueCellsCommand();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCSRFProtection() throws ServletException, IOException {
|
||||
command.doPost(request, response);
|
||||
assertCSRFCheckFailed();
|
||||
}
|
||||
}
|
@ -0,0 +1,24 @@
|
||||
package com.google.refine.commands.cell;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
|
||||
import org.testng.annotations.BeforeMethod;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
import com.google.refine.commands.CommandTestBase;
|
||||
|
||||
public class KeyValueColumnizeCommandTests extends CommandTestBase {
|
||||
|
||||
@BeforeMethod
|
||||
public void setUpCommand() {
|
||||
command = new KeyValueColumnizeCommand();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCSRFProtection() throws ServletException, IOException {
|
||||
command.doPost(request, response);
|
||||
assertCSRFCheckFailed();
|
||||
}
|
||||
}
|
@ -0,0 +1,23 @@
|
||||
package com.google.refine.commands.cell;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
|
||||
import org.testng.annotations.BeforeMethod;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
import com.google.refine.commands.CommandTestBase;
|
||||
|
||||
public class SplitMultiValueCellsCommandTests extends CommandTestBase {
|
||||
@BeforeMethod
|
||||
public void setUpCommand() {
|
||||
command = new SplitMultiValueCellsCommand();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCSRFProtection() throws ServletException, IOException {
|
||||
command.doPost(request, response);
|
||||
assertCSRFCheckFailed();
|
||||
}
|
||||
}
|
@ -0,0 +1,23 @@
|
||||
package com.google.refine.commands.cell;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
|
||||
import org.testng.annotations.BeforeMethod;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
import com.google.refine.commands.CommandTestBase;
|
||||
|
||||
public class TransposeColumnsIntoRowsCommandTests extends CommandTestBase {
|
||||
@BeforeMethod
|
||||
public void setUpCommand() {
|
||||
command = new TransposeColumnsIntoRowsCommand();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCSRFProtection() throws ServletException, IOException {
|
||||
command.doPost(request, response);
|
||||
assertCSRFCheckFailed();
|
||||
}
|
||||
}
|
@ -0,0 +1,22 @@
|
||||
package com.google.refine.commands.cell;
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
|
||||
import org.testng.annotations.BeforeMethod;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
import com.google.refine.commands.CommandTestBase;
|
||||
|
||||
public class TransposeRowsIntoColumnsCommandTests extends CommandTestBase {
|
||||
@BeforeMethod
|
||||
public void setUpCommand() {
|
||||
command = new TransposeRowsIntoColumnsCommand();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCSRFProtection() throws ServletException, IOException {
|
||||
command.doPost(request, response);
|
||||
assertCSRFCheckFailed();
|
||||
}
|
||||
}
|
@ -0,0 +1,24 @@
|
||||
package com.google.refine.commands.column;
|
||||
|
||||
import com.google.refine.commands.CommandTestBase;
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
|
||||
import org.testng.annotations.BeforeMethod;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
public class MoveColumnCommandTests extends CommandTestBase {
|
||||
|
||||
@BeforeMethod
|
||||
public void setUpCommand() {
|
||||
command = new MoveColumnCommand();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCSRFProtection() throws ServletException, IOException {
|
||||
command.doPost(request, response);
|
||||
assertCSRFCheckFailed();
|
||||
}
|
||||
}
|
||||
|
@ -0,0 +1,23 @@
|
||||
package com.google.refine.commands.column;
|
||||
|
||||
import com.google.refine.commands.CommandTestBase;
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
|
||||
import org.testng.annotations.BeforeMethod;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
public class RemoveColumnCommandTests extends CommandTestBase {
|
||||
|
||||
@BeforeMethod
|
||||
public void setUpCommand() {
|
||||
command = new RemoveColumnCommand();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCSRFProtection() throws ServletException, IOException {
|
||||
command.doPost(request, response);
|
||||
assertCSRFCheckFailed();
|
||||
}
|
||||
}
|
@ -0,0 +1,23 @@
|
||||
package com.google.refine.commands.column;
|
||||
|
||||
import com.google.refine.commands.CommandTestBase;
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
|
||||
import org.testng.annotations.BeforeMethod;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
public class RenameColumnCommandTests extends CommandTestBase {
|
||||
|
||||
@BeforeMethod
|
||||
public void setUpCommand() {
|
||||
command = new RenameColumnCommand();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCSRFProtection() throws ServletException, IOException {
|
||||
command.doPost(request, response);
|
||||
assertCSRFCheckFailed();
|
||||
}
|
||||
}
|
@ -0,0 +1,23 @@
|
||||
package com.google.refine.commands.expr;
|
||||
|
||||
import com.google.refine.commands.CommandTestBase;
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
|
||||
import org.testng.annotations.BeforeMethod;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
public class LogExpressionCommandTests extends CommandTestBase {
|
||||
|
||||
@BeforeMethod
|
||||
public void setUpCommand() {
|
||||
command = new LogExpressionCommand();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCSRFProtection() throws ServletException, IOException {
|
||||
command.doPost(request, response);
|
||||
assertCSRFCheckFailed();
|
||||
}
|
||||
}
|
@ -35,7 +35,9 @@ import javax.servlet.ServletException;
|
||||
import org.testng.annotations.BeforeMethod;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
import com.google.refine.commands.Command;
|
||||
import com.google.refine.commands.expr.ToggleStarredExpressionCommand;
|
||||
import com.google.refine.util.TestUtils;
|
||||
|
||||
public class ToggleStarredExpressionCommandTests extends ExpressionCommandTestBase {
|
||||
|
||||
@ -70,7 +72,14 @@ public class ToggleStarredExpressionCommandTests extends ExpressionCommandTestBa
|
||||
" }";
|
||||
when(request.getParameter("expression")).thenReturn("grel:facetCount(value, 'value', 'Column 1')");
|
||||
when(request.getParameter("returnList")).thenReturn("yes");
|
||||
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
|
||||
command.doPost(request, response);
|
||||
assertResponseJsonIs(json);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCSRFProtection() throws ServletException, IOException {
|
||||
command.doPost(request, response);
|
||||
TestUtils.assertEqualAsJson("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", writer.toString());
|
||||
}
|
||||
}
|
||||
|
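Review bot: `testCSRFProtection` repeats the expected error JSON `{"code":"error","message":"Missing or invalid csrf_token parameter"}` verbatim from `CommandTestBase.assertCSRFCheckFailed`, because this class extends `ExpressionCommandTestBase` rather than `CommandTestBase`. Either make `ExpressionCommandTestBase` extend `CommandTestBase` (its definition is not visible here, so whether that is feasible is inferred) or move the literal into a shared constant, so that a change to the error message is made in one place. The valid-token case in the first hunk, `when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());`, is the only positive-path CSRF test in the commit; it would be worth a dedicated test method with a wrong token as its counterpart.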
@ -0,0 +1,24 @@
|
||||
package com.google.refine.commands.history;
|
||||
|
||||
import com.google.refine.commands.CommandTestBase;
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
|
||||
import org.testng.annotations.BeforeMethod;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
public class ApplyOperationsCommandTests extends CommandTestBase {
|
||||
|
||||
@BeforeMethod
|
||||
public void setUpCommand() {
|
||||
command = new ApplyOperationsCommand();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCSRFProtection() throws ServletException, IOException {
|
||||
command.doPost(request, response);
|
||||
assertCSRFCheckFailed();
|
||||
}
|
||||
}
|
||||
|
@ -0,0 +1,23 @@
|
||||
package com.google.refine.commands.history;
|
||||
|
||||
import com.google.refine.commands.CommandTestBase;
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
|
||||
import org.testng.annotations.BeforeMethod;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
public class CancelProcessesCommandTests extends CommandTestBase {
|
||||
|
||||
@BeforeMethod
|
||||
public void setUpCommand() {
|
||||
command = new CancelProcessesCommand();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCSRFProtection() throws ServletException, IOException {
|
||||
command.doPost(request, response);
|
||||
assertCSRFCheckFailed();
|
||||
}
|
||||
}
|
@ -0,0 +1,23 @@
|
||||
package com.google.refine.commands.history;
|
||||
|
||||
import com.google.refine.commands.CommandTestBase;
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
|
||||
import org.testng.annotations.BeforeMethod;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
public class UndoRedoCommandTests extends CommandTestBase {
|
||||
|
||||
@BeforeMethod
|
||||
public void setUpCommand() {
|
||||
command = new UndoRedoCommand();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCSRFProtection() throws ServletException, IOException {
|
||||
command.doPost(request, response);
|
||||
assertCSRFCheckFailed();
|
||||
}
|
||||
}
|
@ -0,0 +1,22 @@
|
||||
package com.google.refine.commands.importing;
|
||||
import com.google.refine.commands.CommandTestBase;
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
|
||||
import org.testng.annotations.BeforeMethod;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
public class CancelImportingJobCommandTests extends CommandTestBase {
|
||||
|
||||
@BeforeMethod
|
||||
public void setUpCommand() {
|
||||
command = new CancelImportingJobCommand();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCSRFProtection() throws ServletException, IOException {
|
||||
command.doPost(request, response);
|
||||
assertCSRFCheckFailed();
|
||||
}
|
||||
}
|
@ -0,0 +1,23 @@
|
||||
package com.google.refine.commands.importing;
|
||||
|
||||
import com.google.refine.commands.CommandTestBase;
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
|
||||
import org.testng.annotations.BeforeMethod;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
public class CreateImportingJobCommandTests extends CommandTestBase {
|
||||
|
||||
@BeforeMethod
|
||||
public void setUpCommand() {
|
||||
command = new CreateImportingJobCommand();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCSRFProtection() throws ServletException, IOException {
|
||||
command.doPost(request, response);
|
||||
assertCSRFCheckFailed();
|
||||
}
|
||||
}
|
@ -56,6 +56,7 @@ import org.testng.annotations.Test;
|
||||
|
||||
import com.google.refine.ProjectManager;
|
||||
import com.google.refine.RefineTest;
|
||||
import com.google.refine.commands.Command;
|
||||
import com.google.refine.commands.history.CancelProcessesCommand;
|
||||
import com.google.refine.model.Project;
|
||||
import com.google.refine.process.ProcessManager;
|
||||
@ -159,6 +160,7 @@ public class CancelProcessesCommandTests extends RefineTest {
|
||||
|
||||
// mock dependencies
|
||||
when(request.getParameter("project")).thenReturn(PROJECT_ID);
|
||||
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
|
||||
when(projMan.getProject(anyLong())).thenReturn(proj);
|
||||
when(proj.getProcessManager()).thenReturn(processMan);
|
||||
try {
|
||||
@ -197,6 +199,7 @@ public class CancelProcessesCommandTests extends RefineTest {
|
||||
public void doPostThrowsIfCommand_getProjectReturnsNull(){
|
||||
// mock dependencies
|
||||
when(request.getParameter("project")).thenReturn(PROJECT_ID);
|
||||
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
|
||||
when(projMan.getProject(anyLong()))
|
||||
.thenReturn(null);
|
||||
try {
|
||||
@ -225,6 +228,7 @@ public class CancelProcessesCommandTests extends RefineTest {
|
||||
|
||||
// mock dependencies
|
||||
when(request.getParameter("project")).thenReturn(PROJECT_ID);
|
||||
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
|
||||
when(projMan.getProject(anyLong())).thenReturn(proj);
|
||||
when(proj.getProcessManager()).thenReturn(processMan);
|
||||
try {
|
||||
|
@ -157,13 +157,15 @@ ExpressionPreviewDialog.Widget.prototype.getExpression = function(commit) {
|
||||
|
||||
s = this._getLanguage() + ":" + s;
|
||||
if (commit) {
|
||||
$.post(
|
||||
"command/core/log-expression?" + $.param({ project: theProject.id }),
|
||||
{ expression: s },
|
||||
function(data) {
|
||||
},
|
||||
"json"
|
||||
);
|
||||
Refine.wrapCSRF(function(token) {
|
||||
$.post(
|
||||
"command/core/log-expression?" + $.param({ project: theProject.id }),
|
||||
{ expression: s, csrf_token: token },
|
||||
function(data) {
|
||||
},
|
||||
"json"
|
||||
);
|
||||
});
|
||||
}
|
||||
|
||||
return s;
|
||||
@ -284,16 +286,21 @@ ExpressionPreviewDialog.Widget.prototype._renderExpressionHistory = function(dat
|
||||
.addClass(entry.starred ? "data-table-star-on" : "data-table-star-off")
|
||||
.appendTo(tr.insertCell(0))
|
||||
.click(function() {
|
||||
$.post(
|
||||
"command/core/toggle-starred-expression",
|
||||
{ expression: entry.code },
|
||||
function(data) {
|
||||
entry.starred = !entry.starred;
|
||||
renderEntry(self,tr,entry);
|
||||
self._renderStarredExpressionsTab();
|
||||
},
|
||||
"json"
|
||||
);
|
||||
Refine.wrapCSRF(function(token) {
|
||||
$.post(
|
||||
"command/core/toggle-starred-expression",
|
||||
{
|
||||
expression: entry.code,
|
||||
csrf_token: token
|
||||
},
|
||||
function(data) {
|
||||
entry.starred = !entry.starred;
|
||||
renderEntry(self,tr,entry);
|
||||
self._renderStarredExpressionsTab();
|
||||
},
|
||||
"json"
|
||||
);
|
||||
});
|
||||
});
|
||||
|
||||
$('<a href="javascript:{}">'+$.i18n('core-dialogs/reuse')+'</a>').appendTo(tr.insertCell(1)).click(function() {
|
||||
@ -348,15 +355,17 @@ ExpressionPreviewDialog.Widget.prototype._renderStarredExpressions = function(da
|
||||
var o = Scripting.parse(entry.code);
|
||||
|
||||
$('<a href="javascript:{}">'+$.i18n('core-dialogs/remove')+'</a>').appendTo(tr.insertCell(0)).click(function() {
|
||||
$.post(
|
||||
"command/core/toggle-starred-expression",
|
||||
{ expression: entry.code, returnList: true },
|
||||
function(data) {
|
||||
self._renderStarredExpressions(data);
|
||||
self._renderExpressionHistoryTab();
|
||||
},
|
||||
"json"
|
||||
);
|
||||
Refine.wrapCSRF(function(token) {
|
||||
$.post(
|
||||
"command/core/toggle-starred-expression",
|
||||
{ expression: entry.code, returnList: true, csrf_token: token },
|
||||
function(data) {
|
||||
self._renderStarredExpressions(data);
|
||||
self._renderExpressionHistoryTab();
|
||||
},
|
||||
"json"
|
||||
);
|
||||
});
|
||||
});
|
||||
|
||||
$('<a href="javascript:{}">Reuse</a>').appendTo(tr.insertCell(1)).click(function() {
|
||||
|
@ -271,5 +271,8 @@ Refine.CreateProjectUI.composeErrorMessage = function(job) {
|
||||
};
|
||||
|
||||
Refine.CreateProjectUI.cancelImportingJob = function(jobID) {
|
||||
$.post("command/core/cancel-importing-job?" + $.param({ "jobID": jobID }));
|
||||
Refine.wrapCSRF(function(token) {
|
||||
$.post("command/core/cancel-importing-job?" + $.param({ "jobID": jobID }),
|
||||
{csrf_token: token});
|
||||
});
|
||||
};
|
||||
|
@ -78,61 +78,63 @@ Refine.DefaultImportingController.prototype.startImportJob = function(form, prog
|
||||
return this.value === "";
|
||||
}).attr("disabled", "disabled");
|
||||
|
||||
$.post(
|
||||
"command/core/create-importing-job",
|
||||
null,
|
||||
function(data) {
|
||||
var jobID = self._jobID = data.jobID;
|
||||
Refine.wrapCSRF(function(token) {
|
||||
$.post(
|
||||
"command/core/create-importing-job",
|
||||
{ csrf_token: token },
|
||||
function(data) {
|
||||
var jobID = self._jobID = data.jobID;
|
||||
|
||||
form.attr("method", "post")
|
||||
.attr("enctype", "multipart/form-data")
|
||||
.attr("accept-charset", "UTF-8")
|
||||
.attr("target", "create-project-iframe")
|
||||
.attr("action", "command/core/importing-controller?" + $.param({
|
||||
"controller": "core/default-importing-controller",
|
||||
"jobID": jobID,
|
||||
"subCommand": "load-raw-data"
|
||||
}));
|
||||
form[0].submit();
|
||||
form.attr("method", "post")
|
||||
.attr("enctype", "multipart/form-data")
|
||||
.attr("accept-charset", "UTF-8")
|
||||
.attr("target", "create-project-iframe")
|
||||
.attr("action", "command/core/importing-controller?" + $.param({
|
||||
"controller": "core/default-importing-controller",
|
||||
"jobID": jobID,
|
||||
"subCommand": "load-raw-data"
|
||||
}));
|
||||
form[0].submit();
|
||||
|
||||
var start = new Date();
|
||||
var timerID = window.setInterval(
|
||||
function() {
|
||||
self._createProjectUI.pollImportJob(
|
||||
start, jobID, timerID,
|
||||
function(job) {
|
||||
return job.config.hasData;
|
||||
},
|
||||
function(jobID, job) {
|
||||
self._job = job;
|
||||
self._onImportJobReady();
|
||||
if (callback) {
|
||||
callback(jobID, job);
|
||||
var start = new Date();
|
||||
var timerID = window.setInterval(
|
||||
function() {
|
||||
self._createProjectUI.pollImportJob(
|
||||
start, jobID, timerID,
|
||||
function(job) {
|
||||
return job.config.hasData;
|
||||
},
|
||||
function(jobID, job) {
|
||||
self._job = job;
|
||||
self._onImportJobReady();
|
||||
if (callback) {
|
||||
callback(jobID, job);
|
||||
}
|
||||
},
|
||||
function(job) {
|
||||
alert(job.config.error + '\n' + job.config.errorDetails);
|
||||
self._startOver();
|
||||
}
|
||||
},
|
||||
function(job) {
|
||||
alert(job.config.error + '\n' + job.config.errorDetails);
|
||||
self._startOver();
|
||||
}
|
||||
);
|
||||
},
|
||||
1000
|
||||
);
|
||||
},
|
||||
1000
|
||||
);
|
||||
self._createProjectUI.showImportProgressPanel(progressMessage, function() {
|
||||
// stop the iframe
|
||||
$('#create-project-iframe')[0].contentWindow.stop();
|
||||
self._createProjectUI.showImportProgressPanel(progressMessage, function() {
|
||||
// stop the iframe
|
||||
$('#create-project-iframe')[0].contentWindow.stop();
|
||||
|
||||
// stop the timed polling
|
||||
window.clearInterval(timerID);
|
||||
// stop the timed polling
|
||||
window.clearInterval(timerID);
|
||||
|
||||
// explicitly cancel the import job
|
||||
Refine.CreateProjectUI.cancelImportingJob(jobID);
|
||||
// explicitly cancel the import job
|
||||
Refine.CreateProjectUI.cancelImportingJob(jobID);
|
||||
|
||||
self._createProjectUI.showSourceSelectionPanel();
|
||||
});
|
||||
},
|
||||
"json"
|
||||
);
|
||||
self._createProjectUI.showSourceSelectionPanel();
|
||||
});
|
||||
},
|
||||
"json"
|
||||
);
|
||||
});
|
||||
};
|
||||
|
||||
Refine.DefaultImportingController.prototype._onImportJobReady = function() {
|
||||
|
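Review bot: The form submission to `command/core/importing-controller` with `"subCommand": "load-raw-data"` inside the new `Refine.wrapCSRF` callback is a state-changing POST that still carries no token, while `token` is in scope right there; if that controller is, or becomes, CSRF-protected this upload will be rejected, so adding a hidden field before `form[0].submit();`, e.g. `$('<input type="hidden" name="csrf_token">').val(token).appendTo(form);`, would keep the two requests consistent (whether importing-controller checks tokens is not shown in this commit). The only substantive change in this hunk is `{ csrf_token: token }` replacing `null`; the rest is a re-indent of roughly sixty lines, which makes the diff hard to review, so extracting the inner `function(data) { ... }` into a named helper would have kept the change small. The enclosing `startImportJob` begins before the hunk.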
@ -388,22 +388,18 @@ Refine.postProcess = function(moduleName, command, params, body, updateOptions,
|
||||
|
||||
Refine.setAjaxInProgress();
|
||||
|
||||
// Get a CSRF token first
|
||||
$.get(
|
||||
"command/core/get-csrf-token",
|
||||
{},
|
||||
function(response) {
|
||||
Refine.wrapCSRF(
|
||||
function(token) {
|
||||
|
||||
// Add it to the body and submit it as a POST request
|
||||
body['csrf_token'] = response['token'];
|
||||
body['csrf_token'] = token;
|
||||
$.post(
|
||||
"command/" + moduleName + "/" + command + "?" + $.param(params),
|
||||
body,
|
||||
onDone,
|
||||
"json"
|
||||
);
|
||||
},
|
||||
"json"
|
||||
}
|
||||
);
|
||||
|
||||
window.setTimeout(function() {
|
||||
@ -413,6 +409,19 @@ Refine.postProcess = function(moduleName, command, params, body, updateOptions,
|
||||
}, 500);
|
||||
};
|
||||
|
||||
// Requests a CSRF token and calls the supplied callback
|
||||
// with the token
|
||||
Refine.wrapCSRF = function(onCSRF) {
|
||||
$.get(
|
||||
"command/core/get-csrf-token",
|
||||
{},
|
||||
function(response) {
|
||||
onCSRF(response['token']);
|
||||
},
|
||||
"json"
|
||||
);
|
||||
};
|
||||
|
||||
Refine.setAjaxInProgress = function() {
|
||||
$(document.body).attr("ajax_in_progress", "true");
|
||||
};
|
||||
|
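Review bot: `Refine.wrapCSRF` registers only a success callback on the `$.get` of `command/core/get-csrf-token`; if that request fails, `onCSRF` never runs, the wrapped `$.post` is silently dropped, and in `Refine.postProcess` (first hunk) the state set by `Refine.setAjaxInProgress()` is never cleared because `onDone` is never reached. Accepting an optional error handler and chaining it on the request, `Refine.wrapCSRF = function(onCSRF, onError) {` and `).fail(onError);` after the `$.get(...)` call, lets callers such as `postProcess` clear the in-progress state and report the failure, while the other call sites in this commit (expression-preview-dialog, create-project-ui, default-importing-controller, process panel) keep working unchanged. The header comment should then also state the contract: `// Requests a CSRF token and calls onCSRF with it; onError (optional) is invoked with the jqXHR if the token request fails`.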
@ -124,15 +124,17 @@ ProcessPanel.prototype.undo = function() {
|
||||
|
||||
ProcessPanel.prototype._cancelAll = function() {
|
||||
var self = this;
|
||||
$.post(
|
||||
"command/core/cancel-processes?" + $.param({ project: theProject.id }),
|
||||
null,
|
||||
function(o) {
|
||||
self._data = null;
|
||||
self._runOnDones();
|
||||
},
|
||||
"json"
|
||||
);
|
||||
Refine.wrapCSRF(function(token) {
|
||||
$.post(
|
||||
"command/core/cancel-processes?" + $.param({ project: theProject.id }),
|
||||
{ csrf_token: token },
|
||||
function(o) {
|
||||
self._data = null;
|
||||
self._runOnDones();
|
||||
},
|
||||
"json"
|
||||
);
|
||||
});
|
||||
};
|
||||
|
||||
ProcessPanel.prototype._render = function(newData) {
|
||||
|