Add CSRF protection to cell, history, column and expr commands

main/src/com/google/refine/commands/EngineDependentCommand.java

@@ -70,6 +70,10 @@ abstract public class EngineDependentCommand extends Command {
     @Override
     public void doPost(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
+    	if(!hasValidCSRFToken(request)) {
+    		respondCSRFError(response);
+    		return;
+    	}
         
         try {
             Project project = getProject(request);

main/src/com/google/refine/commands/GetAllPreferencesCommand.java

@@ -46,6 +46,10 @@ import com.google.refine.model.Project;
 import com.google.refine.preference.PreferenceStore;
 
 public class GetAllPreferencesCommand extends Command {
+	/**
+	 * The command uses POST (not sure why?) but does not actually modify any state
+	 * so it does not require CSRF.
+	 */
     @Override
     public void doPost(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {

main/src/com/google/refine/commands/cell/JoinMultiValueCellsCommand.java

@@ -50,6 +50,10 @@ public class JoinMultiValueCellsCommand extends Command {
     @Override
     public void doPost(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
+    	if(!hasValidCSRFToken(request)) {
+    		respondCSRFError(response);
+    		return;
+    	}
         
         try {
             Project project = getProject(request);

main/src/com/google/refine/commands/cell/KeyValueColumnizeCommand.java

@@ -50,6 +50,10 @@ public class KeyValueColumnizeCommand extends Command {
     @Override
     public void doPost(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
+    	if(!hasValidCSRFToken(request)) {
+    		respondCSRFError(response);
+    		return;
+    	}
         
         try {
             Project project = getProject(request);

main/src/com/google/refine/commands/cell/SplitMultiValueCellsCommand.java

@@ -52,6 +52,10 @@ public class SplitMultiValueCellsCommand extends Command {
     @Override
     public void doPost(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
+    	if(!hasValidCSRFToken(request)) {
+    		respondCSRFError(response);
+    		return;
+    	}
         
         try {
             Project project = getProject(request);

main/src/com/google/refine/commands/cell/TransposeColumnsIntoRowsCommand.java

@@ -50,6 +50,10 @@ public class TransposeColumnsIntoRowsCommand extends Command {
     @Override
     public void doPost(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
+    	if(!hasValidCSRFToken(request)) {
+    		respondCSRFError(response);
+    		return;
+    	}
         
         try {
             Project project = getProject(request);

main/src/com/google/refine/commands/cell/TransposeRowsIntoColumnsCommand.java

@@ -50,6 +50,10 @@ public class TransposeRowsIntoColumnsCommand extends Command {
     @Override
     public void doPost(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
+    	if(!hasValidCSRFToken(request)) {
+    		respondCSRFError(response);
+    		return;
+    	}
         
         try {
             Project project = getProject(request);

main/src/com/google/refine/commands/column/MoveColumnCommand.java

@@ -50,6 +50,10 @@ public class MoveColumnCommand extends Command {
     @Override
     public void doPost(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
+    	if(!hasValidCSRFToken(request)) {
+    		respondCSRFError(response);
+    		return;
+    	}
         
         try {
             Project project = getProject(request);

main/src/com/google/refine/commands/column/RemoveColumnCommand.java

@@ -50,6 +50,10 @@ public class RemoveColumnCommand extends Command {
     @Override
     public void doPost(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
+    	if(!hasValidCSRFToken(request)) {
+    		respondCSRFError(response);
+    		return;
+    	}
         
         try {
             Project project = getProject(request);

main/src/com/google/refine/commands/column/RenameColumnCommand.java

@@ -50,6 +50,10 @@ public class RenameColumnCommand extends Command {
     @Override
     public void doPost(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
+    	if(!hasValidCSRFToken(request)) {
+    		respondCSRFError(response);
+    		return;
+    	}
         
         try {
             Project project = getProject(request);

main/src/com/google/refine/commands/expr/LogExpressionCommand.java

@@ -48,6 +48,10 @@ public class LogExpressionCommand extends Command {
     @Override
     public void doPost(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
+    	if(!hasValidCSRFToken(request)) {
+    		respondCSRFError(response);
+    		return;
+    	}
     	
         try {
             String expression = request.getParameter("expression");

main/src/com/google/refine/commands/expr/PreviewExpressionCommand.java

@@ -111,6 +111,10 @@ public class PreviewExpressionCommand extends Command {
             this.results = evaluated;
         }
     }
+    /**
+     * The command uses POST but does not actually modify any state so it does
+     * not require CSRF.
+     */
     
     @Override
     public void doPost(HttpServletRequest request, HttpServletResponse response)

main/src/com/google/refine/commands/expr/ToggleStarredExpressionCommand.java

@@ -40,6 +40,11 @@ public class ToggleStarredExpressionCommand extends Command {
 
     @Override
     public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+    	if(!hasValidCSRFToken(request)) {
+    		respondCSRFError(response);
+    		return;
+    	}
+    	
         String expression = request.getParameter("expression");
 
         TopList starredExpressions = ((TopList) ProjectManager.singleton.getPreferenceStore().get(

main/src/com/google/refine/commands/history/ApplyOperationsCommand.java

@@ -54,6 +54,10 @@ public class ApplyOperationsCommand extends Command {
     @Override
     public void doPost(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
+    	if(!hasValidCSRFToken(request)) {
+    		respondCSRFError(response);
+    		return;
+    	}
         
         Project project = getProject(request);
         String jsonString = request.getParameter("operations");

main/src/com/google/refine/commands/history/CancelProcessesCommand.java

@@ -53,6 +53,10 @@ public class CancelProcessesCommand extends Command {
         if( response == null ) {
             throw new IllegalArgumentException("parameter 'request' should not be null");
         }
+    	if(!hasValidCSRFToken(request)) {
+    		respondCSRFError(response);
+    		return;
+    	}
 
         try {
             Project project = getProject(request);

main/src/com/google/refine/commands/history/UndoRedoCommand.java

@@ -48,6 +48,10 @@ public class UndoRedoCommand extends Command {
     @Override
     public void doPost(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
+    	if(!hasValidCSRFToken(request)) {
+    		respondCSRFError(response);
+    		return;
+    	}
         
         Project project = getProject(request);
         

main/src/com/google/refine/commands/importing/CancelImportingJobCommand.java

@@ -48,6 +48,10 @@ public class CancelImportingJobCommand extends Command {
     @Override
     public void doPost(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
+    	if(!hasValidCSRFToken(request)) {
+    		respondCSRFError(response);
+    		return;
+    	}
 
         long jobID = Long.parseLong(request.getParameter("jobID"));
         ImportingJob job = ImportingManager.getJob(jobID);

main/src/com/google/refine/commands/importing/CreateImportingJobCommand.java

@@ -52,6 +52,10 @@ public class CreateImportingJobCommand extends Command {
     @Override
     public void doPost(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
+    	if(!hasValidCSRFToken(request)) {
+    		respondCSRFError(response);
+    		return;
+    	}
 
         long id = ImportingManager.createJob().id;
         

main/src/com/google/refine/commands/importing/GetImportingConfigurationCommand.java

@@ -49,6 +49,10 @@ public class GetImportingConfigurationCommand extends Command {
         @JsonProperty("config")
         ImportingConfiguration config = new ImportingConfiguration();
     }
+    /**
+     * This command uses POST but does not actually modify any state so
+     * it is not CSRF-protected.
+     */
     @Override
     public void doPost(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {

main/src/com/google/refine/commands/importing/GetImportingJobStatusCommand.java

@@ -66,6 +66,10 @@ public class GetImportingJobStatusCommand extends Command {
         }
     }
     
+    /**
+     * This command uses POST but does not actually modify any state so
+     * it is not CSRF-protected.
+     */
     @Override
     public void doPost(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {

main/tests/server/src/com/google/refine/commands/CommandTestBase.java

@@ -0,0 +1,41 @@
+package com.google.refine.commands;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.io.StringWriter;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.testng.annotations.BeforeMethod;
+
+import com.google.refine.util.TestUtils;
+
+public class CommandTestBase {
+	protected HttpServletRequest request = null;
+    protected HttpServletResponse response = null;
+    protected Command command = null;
+    protected StringWriter writer = null;
+    
+	@BeforeMethod
+	public void setUpRequestResponse() {
+		request = mock(HttpServletRequest.class);
+		response = mock(HttpServletResponse.class);
+		writer = new StringWriter();
+		try {
+            when(response.getWriter()).thenReturn(new PrintWriter(writer));
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+	}
+	
+	/** 
+	 * Convenience method to check that CSRF protection was triggered
+	 */
+	protected void assertCSRFCheckFailed() {
+		TestUtils.assertEqualAsJson("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", writer.toString());
+	}
+}

main/tests/server/src/com/google/refine/commands/EngineDependentCommandTests.java

@@ -0,0 +1,38 @@
+package com.google.refine.commands;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+import com.google.refine.browsing.EngineConfig;
+import com.google.refine.model.AbstractOperation;
+import com.google.refine.model.Project;
+
+public class EngineDependentCommandTests extends CommandTestBase {
+	
+	private static class EngineDependentCommandStub extends EngineDependentCommand {
+
+		@Override
+		protected AbstractOperation createOperation(Project project, HttpServletRequest request,
+				EngineConfig engineConfig) throws Exception {
+			return null;
+		}
+		
+	}
+	
+	@BeforeMethod
+	public void setUpCommand() {
+		command = new EngineDependentCommandStub();
+	}
+	
+	@Test
+	public void testCSRFProtection() throws ServletException, IOException {
+		command.doPost(request, response);
+		assertCSRFCheckFailed();
+	}
+}
+

main/tests/server/src/com/google/refine/commands/cell/JoinMultiValueCellsCommandTests.java

@@ -0,0 +1,25 @@
+package com.google.refine.commands.cell;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+import com.google.refine.commands.CommandTestBase;
+import com.google.refine.commands.cell.JoinMultiValueCellsCommand;
+
+public class JoinMultiValueCellsCommandTests extends CommandTestBase {
+	
+	@BeforeMethod
+	public void setUpCommand() {
+		command = new JoinMultiValueCellsCommand();
+	}
+	
+	@Test
+	public void testCSRFProtection() throws ServletException, IOException {
+		command.doPost(request, response);
+		assertCSRFCheckFailed();
+	}
+}

main/tests/server/src/com/google/refine/commands/cell/KeyValueColumnizeCommandTests.java

@@ -0,0 +1,24 @@
+package com.google.refine.commands.cell;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+import com.google.refine.commands.CommandTestBase;
+
+public class KeyValueColumnizeCommandTests extends CommandTestBase {
+	
+	@BeforeMethod
+	public void setUpCommand() {
+		command = new KeyValueColumnizeCommand();
+	}
+	
+	@Test
+	public void testCSRFProtection() throws ServletException, IOException {
+		command.doPost(request, response);
+		assertCSRFCheckFailed();
+	}
+}

main/tests/server/src/com/google/refine/commands/cell/SplitMultiValueCellsCommandTests.java

@@ -0,0 +1,23 @@
+package com.google.refine.commands.cell;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+import com.google.refine.commands.CommandTestBase;
+
+public class SplitMultiValueCellsCommandTests extends CommandTestBase {
+	@BeforeMethod
+	public void setUpCommand() {
+		command = new SplitMultiValueCellsCommand();
+	}
+	
+	@Test
+	public void testCSRFProtection() throws ServletException, IOException {
+		command.doPost(request, response);
+		assertCSRFCheckFailed();
+	}
+}

main/tests/server/src/com/google/refine/commands/cell/TransposeColumnsIntoRowsCommandTests.java

@@ -0,0 +1,23 @@
+package com.google.refine.commands.cell;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+import com.google.refine.commands.CommandTestBase;
+
+public class TransposeColumnsIntoRowsCommandTests extends CommandTestBase {
+	@BeforeMethod
+	public void setUpCommand() {
+		command = new TransposeColumnsIntoRowsCommand();
+	}
+	
+	@Test
+	public void testCSRFProtection() throws ServletException, IOException {
+		command.doPost(request, response);
+		assertCSRFCheckFailed();
+	}
+}

main/tests/server/src/com/google/refine/commands/cell/TransposeRowsIntoColumnsCommandTests.java

@@ -0,0 +1,22 @@
+package com.google.refine.commands.cell;
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+import com.google.refine.commands.CommandTestBase;
+
+public class TransposeRowsIntoColumnsCommandTests extends CommandTestBase {
+	@BeforeMethod
+	public void setUpCommand() {
+		command = new TransposeRowsIntoColumnsCommand();
+	}
+	
+	@Test
+	public void testCSRFProtection() throws ServletException, IOException {
+		command.doPost(request, response);
+		assertCSRFCheckFailed();
+	}
+}

main/tests/server/src/com/google/refine/commands/column/MoveColumnCommandTests.java

@@ -0,0 +1,24 @@
+package com.google.refine.commands.column;
+
+import com.google.refine.commands.CommandTestBase;
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+public class MoveColumnCommandTests extends CommandTestBase {
+	
+	@BeforeMethod
+	public void setUpCommand() {
+		command = new MoveColumnCommand();
+	}
+	
+	@Test
+	public void testCSRFProtection() throws ServletException, IOException {
+		command.doPost(request, response);
+		assertCSRFCheckFailed();
+	}
+}
+

main/tests/server/src/com/google/refine/commands/column/RemoveColumnCommandTests.java

@@ -0,0 +1,23 @@
+package com.google.refine.commands.column;
+
+import com.google.refine.commands.CommandTestBase;
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+public class RemoveColumnCommandTests extends CommandTestBase {
+	
+	@BeforeMethod
+	public void setUpCommand() {
+		command = new RemoveColumnCommand();
+	}
+	
+	@Test
+	public void testCSRFProtection() throws ServletException, IOException {
+		command.doPost(request, response);
+		assertCSRFCheckFailed();
+	}
+}

main/tests/server/src/com/google/refine/commands/column/RenameColumnCommandTests.java

@@ -0,0 +1,23 @@
+package com.google.refine.commands.column;
+
+import com.google.refine.commands.CommandTestBase;
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+public class RenameColumnCommandTests extends CommandTestBase {
+	
+	@BeforeMethod
+	public void setUpCommand() {
+		command = new RenameColumnCommand();
+	}
+	
+	@Test
+	public void testCSRFProtection() throws ServletException, IOException {
+		command.doPost(request, response);
+		assertCSRFCheckFailed();
+	}
+}

main/tests/server/src/com/google/refine/commands/expr/LogExpressionCommandTests.java

@@ -0,0 +1,23 @@
+package com.google.refine.commands.expr;
+
+import com.google.refine.commands.CommandTestBase;
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+public class LogExpressionCommandTests extends CommandTestBase {
+	
+	@BeforeMethod
+	public void setUpCommand() {
+		command = new LogExpressionCommand();
+	}
+	
+	@Test
+	public void testCSRFProtection() throws ServletException, IOException {
+		command.doPost(request, response);
+		assertCSRFCheckFailed();
+	}
+}

main/tests/server/src/com/google/refine/commands/expr/ToggleStarredExpressionCommandTests.java

@@ -35,7 +35,9 @@ import javax.servlet.ServletException;
 import org.testng.annotations.BeforeMethod;
 import org.testng.annotations.Test;
 
+import com.google.refine.commands.Command;
 import com.google.refine.commands.expr.ToggleStarredExpressionCommand;
+import com.google.refine.util.TestUtils;
 
 public class ToggleStarredExpressionCommandTests extends ExpressionCommandTestBase {
     
@@ -70,7 +72,14 @@ public class ToggleStarredExpressionCommandTests extends ExpressionCommandTestBa
                 "     }";
         when(request.getParameter("expression")).thenReturn("grel:facetCount(value, 'value', 'Column 1')");
         when(request.getParameter("returnList")).thenReturn("yes");
+        when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
         command.doPost(request, response);
         assertResponseJsonIs(json);
     }
+    
+	@Test
+	public void testCSRFProtection() throws ServletException, IOException {
+		command.doPost(request, response);
+		TestUtils.assertEqualAsJson("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", writer.toString());
+	}
 }

main/tests/server/src/com/google/refine/commands/history/ApplyOperationsCommandTests.java

@@ -0,0 +1,24 @@
+package com.google.refine.commands.history;
+
+import com.google.refine.commands.CommandTestBase;
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+public class ApplyOperationsCommandTests extends CommandTestBase {
+	
+	@BeforeMethod
+	public void setUpCommand() {
+		command = new ApplyOperationsCommand();
+	}
+	
+	@Test
+	public void testCSRFProtection() throws ServletException, IOException {
+		command.doPost(request, response);
+		assertCSRFCheckFailed();
+	}
+}
+

main/tests/server/src/com/google/refine/commands/history/CancelProcessesCommandTests.java

@@ -0,0 +1,23 @@
+package com.google.refine.commands.history;
+
+import com.google.refine.commands.CommandTestBase;
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+public class CancelProcessesCommandTests extends CommandTestBase {
+	
+	@BeforeMethod
+	public void setUpCommand() {
+		command = new CancelProcessesCommand();
+	}
+	
+	@Test
+	public void testCSRFProtection() throws ServletException, IOException {
+		command.doPost(request, response);
+		assertCSRFCheckFailed();
+	}
+}

main/tests/server/src/com/google/refine/commands/history/UndoRedoCommandTests.java

@@ -0,0 +1,23 @@
+package com.google.refine.commands.history;
+
+import com.google.refine.commands.CommandTestBase;
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+public class UndoRedoCommandTests extends CommandTestBase {
+	
+	@BeforeMethod
+	public void setUpCommand() {
+		command = new UndoRedoCommand();
+	}
+	
+	@Test
+	public void testCSRFProtection() throws ServletException, IOException {
+		command.doPost(request, response);
+		assertCSRFCheckFailed();
+	}
+}

main/tests/server/src/com/google/refine/commands/importing/CancelImportingJobCommandTests.java

@@ -0,0 +1,22 @@
+package com.google.refine.commands.importing;
+import com.google.refine.commands.CommandTestBase;
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+public class CancelImportingJobCommandTests extends CommandTestBase {
+	
+	@BeforeMethod
+	public void setUpCommand() {
+		command = new CancelImportingJobCommand();
+	}
+	
+	@Test
+	public void testCSRFProtection() throws ServletException, IOException {
+		command.doPost(request, response);
+		assertCSRFCheckFailed();
+	}
+}

main/tests/server/src/com/google/refine/commands/importing/CreateImportingJobCommandTests.java

@@ -0,0 +1,23 @@
+package com.google.refine.commands.importing;
+
+import com.google.refine.commands.CommandTestBase;
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+public class CreateImportingJobCommandTests extends CommandTestBase {
+	
+	@BeforeMethod
+	public void setUpCommand() {
+		command = new CreateImportingJobCommand();
+	}
+	
+	@Test
+	public void testCSRFProtection() throws ServletException, IOException {
+		command.doPost(request, response);
+		assertCSRFCheckFailed();
+	}
+}

main/tests/server/src/com/google/refine/commands/util/CancelProcessesCommandTests.java

@@ -56,6 +56,7 @@ import org.testng.annotations.Test;
 
 import com.google.refine.ProjectManager;
 import com.google.refine.RefineTest;
+import com.google.refine.commands.Command;
 import com.google.refine.commands.history.CancelProcessesCommand;
 import com.google.refine.model.Project;
 import com.google.refine.process.ProcessManager;
@@ -159,6 +160,7 @@ public class CancelProcessesCommandTests extends RefineTest {
 
         // mock dependencies
         when(request.getParameter("project")).thenReturn(PROJECT_ID);
+        when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
         when(projMan.getProject(anyLong())).thenReturn(proj);
         when(proj.getProcessManager()).thenReturn(processMan);
         try {
@@ -197,6 +199,7 @@ public class CancelProcessesCommandTests extends RefineTest {
      public void doPostThrowsIfCommand_getProjectReturnsNull(){
         // mock dependencies
         when(request.getParameter("project")).thenReturn(PROJECT_ID);
+        when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
         when(projMan.getProject(anyLong()))
             .thenReturn(null);
         try {
@@ -225,6 +228,7 @@ public class CancelProcessesCommandTests extends RefineTest {
 
         // mock dependencies
             when(request.getParameter("project")).thenReturn(PROJECT_ID);
+            when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
             when(projMan.getProject(anyLong())).thenReturn(proj);
             when(proj.getProcessManager()).thenReturn(processMan);
             try {

main/webapp/modules/core/scripts/dialogs/expression-preview-dialog.js

@@ -157,13 +157,15 @@ ExpressionPreviewDialog.Widget.prototype.getExpression = function(commit) {
     
     s = this._getLanguage() + ":" + s;
     if (commit) {
+        Refine.wrapCSRF(function(token) {
             $.post(
                 "command/core/log-expression?" + $.param({ project: theProject.id }),
-            { expression: s },
+                { expression: s, csrf_token: token },
                 function(data) {
                 },
                 "json"
             );
+        });
     }
     
     return s;
@@ -284,9 +286,13 @@ ExpressionPreviewDialog.Widget.prototype._renderExpressionHistory = function(dat
                 .addClass(entry.starred ? "data-table-star-on" : "data-table-star-off")
                 .appendTo(tr.insertCell(0))
                 .click(function() {
+                    Refine.wrapCSRF(function(token) {
                         $.post(
                             "command/core/toggle-starred-expression",
-                        { expression: entry.code },
+                            {
+                              expression: entry.code,
+                              csrf_token: token
+                            },
                             function(data) {
                                 entry.starred = !entry.starred;
                                 renderEntry(self,tr,entry);
@@ -295,6 +301,7 @@ ExpressionPreviewDialog.Widget.prototype._renderExpressionHistory = function(dat
                             "json"
                         );
                     });
+                });
         
         $('<a href="javascript:{}">'+$.i18n('core-dialogs/reuse')+'</a>').appendTo(tr.insertCell(1)).click(function() {
             self._elmts.expressionPreviewTextarea[0].value = o.expression;
@@ -348,9 +355,10 @@ ExpressionPreviewDialog.Widget.prototype._renderStarredExpressions = function(da
         var o = Scripting.parse(entry.code);
         
         $('<a href="javascript:{}">'+$.i18n('core-dialogs/remove')+'</a>').appendTo(tr.insertCell(0)).click(function() {
+            Refine.wrapCSRF(function(token) {
                 $.post(
                     "command/core/toggle-starred-expression",
-                { expression: entry.code, returnList: true },
+                    { expression: entry.code, returnList: true, csrf_token: token },
                     function(data) {
                         self._renderStarredExpressions(data);
                         self._renderExpressionHistoryTab();
@@ -358,6 +366,7 @@ ExpressionPreviewDialog.Widget.prototype._renderStarredExpressions = function(da
                     "json"
                 );
             });
+        });
         
         $('<a href="javascript:{}">Reuse</a>').appendTo(tr.insertCell(1)).click(function() {
             self._elmts.expressionPreviewTextarea[0].value = o.expression;

main/webapp/modules/core/scripts/index/create-project-ui.js

@@ -271,5 +271,8 @@ Refine.CreateProjectUI.composeErrorMessage = function(job) {
 };
 
 Refine.CreateProjectUI.cancelImportingJob = function(jobID) {
-  $.post("command/core/cancel-importing-job?" + $.param({ "jobID": jobID }));
+  Refine.wrapCSRF(function(token) {
+     $.post("command/core/cancel-importing-job?" + $.param({ "jobID": jobID }),
+           {csrf_token: token});
+  });
 };

main/webapp/modules/core/scripts/index/default-importing-controller/controller.js

@@ -78,9 +78,10 @@ Refine.DefaultImportingController.prototype.startImportJob = function(form, prog
 		return this.value === ""; 
   }).attr("disabled", "disabled");
   
+  Refine.wrapCSRF(function(token) {
     $.post(
         "command/core/create-importing-job",
-      null,
+        { csrf_token: token },
         function(data) {
             var jobID = self._jobID = data.jobID;
 
@@ -133,6 +134,7 @@ Refine.DefaultImportingController.prototype.startImportJob = function(form, prog
         },
         "json"
     );
+  });
 };
 
 Refine.DefaultImportingController.prototype._onImportJobReady = function() {

main/webapp/modules/core/scripts/project.js

@@ -388,22 +388,18 @@ Refine.postProcess = function(moduleName, command, params, body, updateOptions,
 
   Refine.setAjaxInProgress();
 
-  // Get a CSRF token first
+  Refine.wrapCSRF(
-  $.get(
+    function(token) {
-    "command/core/get-csrf-token",
-    {},
-    function(response) {
 
         // Add it to the body and submit it as a POST request
-        body['csrf_token'] = response['token'];
+        body['csrf_token'] = token;
         $.post(
             "command/" + moduleName + "/" + command + "?" + $.param(params),
             body,
             onDone,
             "json"
         );
-    },
+    }
-    "json"
   );
 
   window.setTimeout(function() {
@@ -413,6 +409,19 @@ Refine.postProcess = function(moduleName, command, params, body, updateOptions,
   }, 500);
 };
 
+// Requests a CSRF token and calls the supplied callback
+// with the token
+Refine.wrapCSRF = function(onCSRF) {
+   $.get(
+      "command/core/get-csrf-token",
+      {},
+      function(response) {
+         onCSRF(response['token']);
+      },
+      "json"
+   );
+};
+
 Refine.setAjaxInProgress = function() {
   $(document.body).attr("ajax_in_progress", "true");
 };

main/webapp/modules/core/scripts/project/process-panel.js

@@ -124,15 +124,17 @@ ProcessPanel.prototype.undo = function() {
 
 ProcessPanel.prototype._cancelAll = function() {
   var self = this;
+  Refine.wrapCSRF(function(token) {
     $.post(
         "command/core/cancel-processes?" + $.param({ project: theProject.id }), 
-      null,
+        { csrf_token: token },
         function(o) {
             self._data = null;
             self._runOnDones();
         },
         "json"
     );
+  });
 };
 
 ProcessPanel.prototype._render = function(newData) {