Add CSRF protection to cell, history, column and expr commands
parent
51ddd27909
commit
70e37b9085
@ -70,6 +70,10 @@ abstract public class EngineDependentCommand extends Command {
|
|||||||
@Override
|
@Override
|
||||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||||
throws ServletException, IOException {
|
throws ServletException, IOException {
|
||||||
|
if(!hasValidCSRFToken(request)) {
|
||||||
|
respondCSRFError(response);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
Project project = getProject(request);
|
Project project = getProject(request);
|
||||||
|
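Review bot: The CSRF guard is opt-in per command — the same four lines `if(!hasValidCSRFToken(request)) { respondCSRFError(response); return; }` are pasted into EngineDependentCommand here and again in the JoinMultiValueCells, KeyValueColumnize, SplitMultiValueCells, TransposeColumnsIntoRows, TransposeRowsIntoColumns, MoveColumn, RemoveColumn, RenameColumn, LogExpression, ToggleStarredExpression, ApplyOperations, CancelProcesses, UndoRedo, CancelImportingJob and CreateImportingJob hunks, so any state-changing command added later without the snippet is silently unprotected. Consider moving the check into a template step in Command (for example a doPost that validates and then delegates to a protected hook) with an explicit override for the read-only commands, so the default is deny rather than allow. A short comment above the guard, `// CSRF: reject before any state is touched`, would also make clear why it sits ahead of getProject. The doPost body continues past the end of the hunk.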
@ -46,6 +46,10 @@ import com.google.refine.model.Project;
|
|||||||
import com.google.refine.preference.PreferenceStore;
|
import com.google.refine.preference.PreferenceStore;
|
||||||
|
|
||||||
public class GetAllPreferencesCommand extends Command {
|
public class GetAllPreferencesCommand extends Command {
|
||||||
|
/**
|
||||||
|
* The command uses POST (not sure why?) but does not actually modify any state
|
||||||
|
* so it does not require CSRF.
|
||||||
|
*/
|
||||||
@Override
|
@Override
|
||||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||||
throws ServletException, IOException {
|
throws ServletException, IOException {
|
||||||
|
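Review bot: The new Javadoc on GetAllPreferencesCommand.doPost reads `(not sure why?)`, which leaves the exemption looking provisional rather than reviewed; a security exemption should state its reasoning firmly. Suggest `/** Read-only: invoked over POST but mutates no state, so it is intentionally not CSRF-protected. */`, matching the wording this commit uses on GetImportingConfigurationCommand and GetImportingJobStatusCommand. If the command later gains a write path, this comment is the only thing reminding the author to add the guard, so it should be unambiguous.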
@ -50,6 +50,10 @@ public class JoinMultiValueCellsCommand extends Command {
|
|||||||
@Override
|
@Override
|
||||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||||
throws ServletException, IOException {
|
throws ServletException, IOException {
|
||||||
|
if(!hasValidCSRFToken(request)) {
|
||||||
|
respondCSRFError(response);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
Project project = getProject(request);
|
Project project = getProject(request);
|
||||||
|
@ -50,6 +50,10 @@ public class KeyValueColumnizeCommand extends Command {
|
|||||||
@Override
|
@Override
|
||||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||||
throws ServletException, IOException {
|
throws ServletException, IOException {
|
||||||
|
if(!hasValidCSRFToken(request)) {
|
||||||
|
respondCSRFError(response);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
Project project = getProject(request);
|
Project project = getProject(request);
|
||||||
|
@ -52,6 +52,10 @@ public class SplitMultiValueCellsCommand extends Command {
|
|||||||
@Override
|
@Override
|
||||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||||
throws ServletException, IOException {
|
throws ServletException, IOException {
|
||||||
|
if(!hasValidCSRFToken(request)) {
|
||||||
|
respondCSRFError(response);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
Project project = getProject(request);
|
Project project = getProject(request);
|
||||||
|
@ -50,6 +50,10 @@ public class TransposeColumnsIntoRowsCommand extends Command {
|
|||||||
@Override
|
@Override
|
||||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||||
throws ServletException, IOException {
|
throws ServletException, IOException {
|
||||||
|
if(!hasValidCSRFToken(request)) {
|
||||||
|
respondCSRFError(response);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
Project project = getProject(request);
|
Project project = getProject(request);
|
||||||
|
@ -50,6 +50,10 @@ public class TransposeRowsIntoColumnsCommand extends Command {
|
|||||||
@Override
|
@Override
|
||||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||||
throws ServletException, IOException {
|
throws ServletException, IOException {
|
||||||
|
if(!hasValidCSRFToken(request)) {
|
||||||
|
respondCSRFError(response);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
Project project = getProject(request);
|
Project project = getProject(request);
|
||||||
|
@ -50,6 +50,10 @@ public class MoveColumnCommand extends Command {
|
|||||||
@Override
|
@Override
|
||||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||||
throws ServletException, IOException {
|
throws ServletException, IOException {
|
||||||
|
if(!hasValidCSRFToken(request)) {
|
||||||
|
respondCSRFError(response);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
Project project = getProject(request);
|
Project project = getProject(request);
|
||||||
|
@ -50,6 +50,10 @@ public class RemoveColumnCommand extends Command {
|
|||||||
@Override
|
@Override
|
||||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||||
throws ServletException, IOException {
|
throws ServletException, IOException {
|
||||||
|
if(!hasValidCSRFToken(request)) {
|
||||||
|
respondCSRFError(response);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
Project project = getProject(request);
|
Project project = getProject(request);
|
||||||
|
@ -50,6 +50,10 @@ public class RenameColumnCommand extends Command {
|
|||||||
@Override
|
@Override
|
||||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||||
throws ServletException, IOException {
|
throws ServletException, IOException {
|
||||||
|
if(!hasValidCSRFToken(request)) {
|
||||||
|
respondCSRFError(response);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
Project project = getProject(request);
|
Project project = getProject(request);
|
||||||
|
@ -48,6 +48,10 @@ public class LogExpressionCommand extends Command {
|
|||||||
@Override
|
@Override
|
||||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||||
throws ServletException, IOException {
|
throws ServletException, IOException {
|
||||||
|
if(!hasValidCSRFToken(request)) {
|
||||||
|
respondCSRFError(response);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
String expression = request.getParameter("expression");
|
String expression = request.getParameter("expression");
|
||||||
|
@ -111,6 +111,10 @@ public class PreviewExpressionCommand extends Command {
|
|||||||
this.results = evaluated;
|
this.results = evaluated;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
/**
|
||||||
|
* The command uses POST but does not actually modify any state so it does
|
||||||
|
* not require CSRF.
|
||||||
|
*/
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||||
|
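Review bot: The exemption comment on PreviewExpressionCommand.doPost states the command "does not actually modify any state", but the hunk only shows results being stored in `this.results`; whether evaluating a caller-supplied expression is side-effect-free depends on which expression languages this endpoint accepts, which is not visible here. If any supported language can reach the file system, network or project state, a cross-site POST could still trigger that work even though the response cannot be read, so the exemption should be justified against evaluation side effects rather than only against the absence of project edits. Suggest extending the comment with `* This holds only while expression evaluation itself has no side effects; revisit if a scripting language with I/O is enabled.`. The enclosing method continues outside the hunk.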
@ -40,6 +40,11 @@ public class ToggleStarredExpressionCommand extends Command {
|
|||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||||
|
if(!hasValidCSRFToken(request)) {
|
||||||
|
respondCSRFError(response);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
String expression = request.getParameter("expression");
|
String expression = request.getParameter("expression");
|
||||||
|
|
||||||
TopList starredExpressions = ((TopList) ProjectManager.singleton.getPreferenceStore().get(
|
TopList starredExpressions = ((TopList) ProjectManager.singleton.getPreferenceStore().get(
|
||||||
|
@ -54,6 +54,10 @@ public class ApplyOperationsCommand extends Command {
|
|||||||
@Override
|
@Override
|
||||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||||
throws ServletException, IOException {
|
throws ServletException, IOException {
|
||||||
|
if(!hasValidCSRFToken(request)) {
|
||||||
|
respondCSRFError(response);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
Project project = getProject(request);
|
Project project = getProject(request);
|
||||||
String jsonString = request.getParameter("operations");
|
String jsonString = request.getParameter("operations");
|
||||||
|
@ -53,6 +53,10 @@ public class CancelProcessesCommand extends Command {
|
|||||||
if( response == null ) {
|
if( response == null ) {
|
||||||
throw new IllegalArgumentException("parameter 'request' should not be null");
|
throw new IllegalArgumentException("parameter 'request' should not be null");
|
||||||
}
|
}
|
||||||
|
if(!hasValidCSRFToken(request)) {
|
||||||
|
respondCSRFError(response);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
Project project = getProject(request);
|
Project project = getProject(request);
|
||||||
|
@ -48,6 +48,10 @@ public class UndoRedoCommand extends Command {
|
|||||||
@Override
|
@Override
|
||||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||||
throws ServletException, IOException {
|
throws ServletException, IOException {
|
||||||
|
if(!hasValidCSRFToken(request)) {
|
||||||
|
respondCSRFError(response);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
Project project = getProject(request);
|
Project project = getProject(request);
|
||||||
|
|
||||||
|
@ -48,6 +48,10 @@ public class CancelImportingJobCommand extends Command {
|
|||||||
@Override
|
@Override
|
||||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||||
throws ServletException, IOException {
|
throws ServletException, IOException {
|
||||||
|
if(!hasValidCSRFToken(request)) {
|
||||||
|
respondCSRFError(response);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
long jobID = Long.parseLong(request.getParameter("jobID"));
|
long jobID = Long.parseLong(request.getParameter("jobID"));
|
||||||
ImportingJob job = ImportingManager.getJob(jobID);
|
ImportingJob job = ImportingManager.getJob(jobID);
|
||||||
|
@ -52,6 +52,10 @@ public class CreateImportingJobCommand extends Command {
|
|||||||
@Override
|
@Override
|
||||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||||
throws ServletException, IOException {
|
throws ServletException, IOException {
|
||||||
|
if(!hasValidCSRFToken(request)) {
|
||||||
|
respondCSRFError(response);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
long id = ImportingManager.createJob().id;
|
long id = ImportingManager.createJob().id;
|
||||||
|
|
||||||
|
@ -49,6 +49,10 @@ public class GetImportingConfigurationCommand extends Command {
|
|||||||
@JsonProperty("config")
|
@JsonProperty("config")
|
||||||
ImportingConfiguration config = new ImportingConfiguration();
|
ImportingConfiguration config = new ImportingConfiguration();
|
||||||
}
|
}
|
||||||
|
/**
|
||||||
|
* This command uses POST but does not actually modify any state so
|
||||||
|
* it is not CSRF-protected.
|
||||||
|
*/
|
||||||
@Override
|
@Override
|
||||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||||
throws ServletException, IOException {
|
throws ServletException, IOException {
|
||||||
|
@ -66,6 +66,10 @@ public class GetImportingJobStatusCommand extends Command {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This command uses POST but does not actually modify any state so
|
||||||
|
* it is not CSRF-protected.
|
||||||
|
*/
|
||||||
@Override
|
@Override
|
||||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||||
throws ServletException, IOException {
|
throws ServletException, IOException {
|
||||||
|
@ -0,0 +1,41 @@
|
|||||||
|
package com.google.refine.commands;
|
||||||
|
|
||||||
|
import static org.mockito.Mockito.mock;
|
||||||
|
import static org.mockito.Mockito.when;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.io.PrintWriter;
|
||||||
|
import java.io.StringWriter;
|
||||||
|
|
||||||
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
|
import org.testng.annotations.BeforeMethod;
|
||||||
|
|
||||||
|
import com.google.refine.util.TestUtils;
|
||||||
|
|
||||||
|
public class CommandTestBase {
|
||||||
|
protected HttpServletRequest request = null;
|
||||||
|
protected HttpServletResponse response = null;
|
||||||
|
protected Command command = null;
|
||||||
|
protected StringWriter writer = null;
|
||||||
|
|
||||||
|
@BeforeMethod
|
||||||
|
public void setUpRequestResponse() {
|
||||||
|
request = mock(HttpServletRequest.class);
|
||||||
|
response = mock(HttpServletResponse.class);
|
||||||
|
writer = new StringWriter();
|
||||||
|
try {
|
||||||
|
when(response.getWriter()).thenReturn(new PrintWriter(writer));
|
||||||
|
} catch (IOException e) {
|
||||||
|
e.printStackTrace();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Convenience method to check that CSRF protection was triggered
|
||||||
|
*/
|
||||||
|
protected void assertCSRFCheckFailed() {
|
||||||
|
TestUtils.assertEqualAsJson("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", writer.toString());
|
||||||
|
}
|
||||||
|
}
|
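Review bot: setUpRequestResponse in CommandTestBase catches the IOException from stubbing `response.getWriter()` and only calls `e.printStackTrace()`, so a failed stub leaves `writer` unwired and every CSRF assertion then fails with a confusing empty-output mismatch instead of at the cause. Replace the catch body with `throw new IllegalStateException("could not stub response writer", e);` so setup fails loudly. Separately, the expected error JSON in assertCSRFCheckFailed is spelled out verbatim again in ToggleStarredExpressionCommandTests.testCSRFProtection; keeping the message in one shared constant (ideally exposed from wherever Command builds the error response, which this diff does not show) prevents the two copies from drifting from the server text.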
@ -0,0 +1,38 @@
|
|||||||
|
package com.google.refine.commands;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
|
||||||
|
import org.testng.annotations.BeforeMethod;
|
||||||
|
import org.testng.annotations.Test;
|
||||||
|
|
||||||
|
import com.google.refine.browsing.EngineConfig;
|
||||||
|
import com.google.refine.model.AbstractOperation;
|
||||||
|
import com.google.refine.model.Project;
|
||||||
|
|
||||||
|
public class EngineDependentCommandTests extends CommandTestBase {
|
||||||
|
|
||||||
|
private static class EngineDependentCommandStub extends EngineDependentCommand {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected AbstractOperation createOperation(Project project, HttpServletRequest request,
|
||||||
|
EngineConfig engineConfig) throws Exception {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
@BeforeMethod
|
||||||
|
public void setUpCommand() {
|
||||||
|
command = new EngineDependentCommandStub();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCSRFProtection() throws ServletException, IOException {
|
||||||
|
command.doPost(request, response);
|
||||||
|
assertCSRFCheckFailed();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
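Review bot: testCSRFProtection only covers the absent-token case — the mocked request returns null for every parameter, so `hasValidCSRFToken` is never exercised against a present-but-wrong value, and nothing checks that a fresh token lets the command proceed past the guard. Add a case with `when(request.getParameter("csrf_token")).thenReturn("not-a-real-token");` (constructed value) asserting the same error, and a positive case using `Command.csrfFactory.getFreshToken()` as the ToggleStarredExpression and CancelProcesses tests in this commit do, asserting the output is not the CSRF error document. The same gap applies to every other *CommandTests class added in this commit.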
@ -0,0 +1,25 @@
|
|||||||
|
package com.google.refine.commands.cell;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
|
||||||
|
import org.testng.annotations.BeforeMethod;
|
||||||
|
import org.testng.annotations.Test;
|
||||||
|
|
||||||
|
import com.google.refine.commands.CommandTestBase;
|
||||||
|
import com.google.refine.commands.cell.JoinMultiValueCellsCommand;
|
||||||
|
|
||||||
|
public class JoinMultiValueCellsCommandTests extends CommandTestBase {
|
||||||
|
|
||||||
|
@BeforeMethod
|
||||||
|
public void setUpCommand() {
|
||||||
|
command = new JoinMultiValueCellsCommand();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCSRFProtection() throws ServletException, IOException {
|
||||||
|
command.doPost(request, response);
|
||||||
|
assertCSRFCheckFailed();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,24 @@
|
|||||||
|
package com.google.refine.commands.cell;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
|
||||||
|
import org.testng.annotations.BeforeMethod;
|
||||||
|
import org.testng.annotations.Test;
|
||||||
|
|
||||||
|
import com.google.refine.commands.CommandTestBase;
|
||||||
|
|
||||||
|
public class KeyValueColumnizeCommandTests extends CommandTestBase {
|
||||||
|
|
||||||
|
@BeforeMethod
|
||||||
|
public void setUpCommand() {
|
||||||
|
command = new KeyValueColumnizeCommand();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCSRFProtection() throws ServletException, IOException {
|
||||||
|
command.doPost(request, response);
|
||||||
|
assertCSRFCheckFailed();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,23 @@
|
|||||||
|
package com.google.refine.commands.cell;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
|
||||||
|
import org.testng.annotations.BeforeMethod;
|
||||||
|
import org.testng.annotations.Test;
|
||||||
|
|
||||||
|
import com.google.refine.commands.CommandTestBase;
|
||||||
|
|
||||||
|
public class SplitMultiValueCellsCommandTests extends CommandTestBase {
|
||||||
|
@BeforeMethod
|
||||||
|
public void setUpCommand() {
|
||||||
|
command = new SplitMultiValueCellsCommand();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCSRFProtection() throws ServletException, IOException {
|
||||||
|
command.doPost(request, response);
|
||||||
|
assertCSRFCheckFailed();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,23 @@
|
|||||||
|
package com.google.refine.commands.cell;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
|
||||||
|
import org.testng.annotations.BeforeMethod;
|
||||||
|
import org.testng.annotations.Test;
|
||||||
|
|
||||||
|
import com.google.refine.commands.CommandTestBase;
|
||||||
|
|
||||||
|
public class TransposeColumnsIntoRowsCommandTests extends CommandTestBase {
|
||||||
|
@BeforeMethod
|
||||||
|
public void setUpCommand() {
|
||||||
|
command = new TransposeColumnsIntoRowsCommand();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCSRFProtection() throws ServletException, IOException {
|
||||||
|
command.doPost(request, response);
|
||||||
|
assertCSRFCheckFailed();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,22 @@
|
|||||||
|
package com.google.refine.commands.cell;
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
|
||||||
|
import org.testng.annotations.BeforeMethod;
|
||||||
|
import org.testng.annotations.Test;
|
||||||
|
|
||||||
|
import com.google.refine.commands.CommandTestBase;
|
||||||
|
|
||||||
|
public class TransposeRowsIntoColumnsCommandTests extends CommandTestBase {
|
||||||
|
@BeforeMethod
|
||||||
|
public void setUpCommand() {
|
||||||
|
command = new TransposeRowsIntoColumnsCommand();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCSRFProtection() throws ServletException, IOException {
|
||||||
|
command.doPost(request, response);
|
||||||
|
assertCSRFCheckFailed();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,24 @@
|
|||||||
|
package com.google.refine.commands.column;
|
||||||
|
|
||||||
|
import com.google.refine.commands.CommandTestBase;
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
|
||||||
|
import org.testng.annotations.BeforeMethod;
|
||||||
|
import org.testng.annotations.Test;
|
||||||
|
|
||||||
|
public class MoveColumnCommandTests extends CommandTestBase {
|
||||||
|
|
||||||
|
@BeforeMethod
|
||||||
|
public void setUpCommand() {
|
||||||
|
command = new MoveColumnCommand();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCSRFProtection() throws ServletException, IOException {
|
||||||
|
command.doPost(request, response);
|
||||||
|
assertCSRFCheckFailed();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
@ -0,0 +1,23 @@
|
|||||||
|
package com.google.refine.commands.column;
|
||||||
|
|
||||||
|
import com.google.refine.commands.CommandTestBase;
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
|
||||||
|
import org.testng.annotations.BeforeMethod;
|
||||||
|
import org.testng.annotations.Test;
|
||||||
|
|
||||||
|
public class RemoveColumnCommandTests extends CommandTestBase {
|
||||||
|
|
||||||
|
@BeforeMethod
|
||||||
|
public void setUpCommand() {
|
||||||
|
command = new RemoveColumnCommand();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCSRFProtection() throws ServletException, IOException {
|
||||||
|
command.doPost(request, response);
|
||||||
|
assertCSRFCheckFailed();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,23 @@
|
|||||||
|
package com.google.refine.commands.column;
|
||||||
|
|
||||||
|
import com.google.refine.commands.CommandTestBase;
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
|
||||||
|
import org.testng.annotations.BeforeMethod;
|
||||||
|
import org.testng.annotations.Test;
|
||||||
|
|
||||||
|
public class RenameColumnCommandTests extends CommandTestBase {
|
||||||
|
|
||||||
|
@BeforeMethod
|
||||||
|
public void setUpCommand() {
|
||||||
|
command = new RenameColumnCommand();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCSRFProtection() throws ServletException, IOException {
|
||||||
|
command.doPost(request, response);
|
||||||
|
assertCSRFCheckFailed();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,23 @@
|
|||||||
|
package com.google.refine.commands.expr;
|
||||||
|
|
||||||
|
import com.google.refine.commands.CommandTestBase;
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
|
||||||
|
import org.testng.annotations.BeforeMethod;
|
||||||
|
import org.testng.annotations.Test;
|
||||||
|
|
||||||
|
public class LogExpressionCommandTests extends CommandTestBase {
|
||||||
|
|
||||||
|
@BeforeMethod
|
||||||
|
public void setUpCommand() {
|
||||||
|
command = new LogExpressionCommand();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCSRFProtection() throws ServletException, IOException {
|
||||||
|
command.doPost(request, response);
|
||||||
|
assertCSRFCheckFailed();
|
||||||
|
}
|
||||||
|
}
|
@ -35,7 +35,9 @@ import javax.servlet.ServletException;
|
|||||||
import org.testng.annotations.BeforeMethod;
|
import org.testng.annotations.BeforeMethod;
|
||||||
import org.testng.annotations.Test;
|
import org.testng.annotations.Test;
|
||||||
|
|
||||||
|
import com.google.refine.commands.Command;
|
||||||
import com.google.refine.commands.expr.ToggleStarredExpressionCommand;
|
import com.google.refine.commands.expr.ToggleStarredExpressionCommand;
|
||||||
|
import com.google.refine.util.TestUtils;
|
||||||
|
|
||||||
public class ToggleStarredExpressionCommandTests extends ExpressionCommandTestBase {
|
public class ToggleStarredExpressionCommandTests extends ExpressionCommandTestBase {
|
||||||
|
|
||||||
@ -70,7 +72,14 @@ public class ToggleStarredExpressionCommandTests extends ExpressionCommandTestBa
|
|||||||
" }";
|
" }";
|
||||||
when(request.getParameter("expression")).thenReturn("grel:facetCount(value, 'value', 'Column 1')");
|
when(request.getParameter("expression")).thenReturn("grel:facetCount(value, 'value', 'Column 1')");
|
||||||
when(request.getParameter("returnList")).thenReturn("yes");
|
when(request.getParameter("returnList")).thenReturn("yes");
|
||||||
|
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
|
||||||
command.doPost(request, response);
|
command.doPost(request, response);
|
||||||
assertResponseJsonIs(json);
|
assertResponseJsonIs(json);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCSRFProtection() throws ServletException, IOException {
|
||||||
|
command.doPost(request, response);
|
||||||
|
TestUtils.assertEqualAsJson("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", writer.toString());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -0,0 +1,24 @@
|
|||||||
|
package com.google.refine.commands.history;
|
||||||
|
|
||||||
|
import com.google.refine.commands.CommandTestBase;
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
|
||||||
|
import org.testng.annotations.BeforeMethod;
|
||||||
|
import org.testng.annotations.Test;
|
||||||
|
|
||||||
|
public class ApplyOperationsCommandTests extends CommandTestBase {
|
||||||
|
|
||||||
|
@BeforeMethod
|
||||||
|
public void setUpCommand() {
|
||||||
|
command = new ApplyOperationsCommand();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCSRFProtection() throws ServletException, IOException {
|
||||||
|
command.doPost(request, response);
|
||||||
|
assertCSRFCheckFailed();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
@ -0,0 +1,23 @@
|
|||||||
|
package com.google.refine.commands.history;
|
||||||
|
|
||||||
|
import com.google.refine.commands.CommandTestBase;
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
|
||||||
|
import org.testng.annotations.BeforeMethod;
|
||||||
|
import org.testng.annotations.Test;
|
||||||
|
|
||||||
|
public class CancelProcessesCommandTests extends CommandTestBase {
|
||||||
|
|
||||||
|
@BeforeMethod
|
||||||
|
public void setUpCommand() {
|
||||||
|
command = new CancelProcessesCommand();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCSRFProtection() throws ServletException, IOException {
|
||||||
|
command.doPost(request, response);
|
||||||
|
assertCSRFCheckFailed();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,23 @@
|
|||||||
|
package com.google.refine.commands.history;
|
||||||
|
|
||||||
|
import com.google.refine.commands.CommandTestBase;
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
|
||||||
|
import org.testng.annotations.BeforeMethod;
|
||||||
|
import org.testng.annotations.Test;
|
||||||
|
|
||||||
|
public class UndoRedoCommandTests extends CommandTestBase {
|
||||||
|
|
||||||
|
@BeforeMethod
|
||||||
|
public void setUpCommand() {
|
||||||
|
command = new UndoRedoCommand();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCSRFProtection() throws ServletException, IOException {
|
||||||
|
command.doPost(request, response);
|
||||||
|
assertCSRFCheckFailed();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,22 @@
|
|||||||
|
package com.google.refine.commands.importing;
|
||||||
|
import com.google.refine.commands.CommandTestBase;
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
|
||||||
|
import org.testng.annotations.BeforeMethod;
|
||||||
|
import org.testng.annotations.Test;
|
||||||
|
|
||||||
|
public class CancelImportingJobCommandTests extends CommandTestBase {
|
||||||
|
|
||||||
|
@BeforeMethod
|
||||||
|
public void setUpCommand() {
|
||||||
|
command = new CancelImportingJobCommand();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCSRFProtection() throws ServletException, IOException {
|
||||||
|
command.doPost(request, response);
|
||||||
|
assertCSRFCheckFailed();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,23 @@
|
|||||||
|
package com.google.refine.commands.importing;
|
||||||
|
|
||||||
|
import com.google.refine.commands.CommandTestBase;
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
|
||||||
|
import org.testng.annotations.BeforeMethod;
|
||||||
|
import org.testng.annotations.Test;
|
||||||
|
|
||||||
|
public class CreateImportingJobCommandTests extends CommandTestBase {
|
||||||
|
|
||||||
|
@BeforeMethod
|
||||||
|
public void setUpCommand() {
|
||||||
|
command = new CreateImportingJobCommand();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCSRFProtection() throws ServletException, IOException {
|
||||||
|
command.doPost(request, response);
|
||||||
|
assertCSRFCheckFailed();
|
||||||
|
}
|
||||||
|
}
|
@ -56,6 +56,7 @@ import org.testng.annotations.Test;
|
|||||||
|
|
||||||
import com.google.refine.ProjectManager;
|
import com.google.refine.ProjectManager;
|
||||||
import com.google.refine.RefineTest;
|
import com.google.refine.RefineTest;
|
||||||
|
import com.google.refine.commands.Command;
|
||||||
import com.google.refine.commands.history.CancelProcessesCommand;
|
import com.google.refine.commands.history.CancelProcessesCommand;
|
||||||
import com.google.refine.model.Project;
|
import com.google.refine.model.Project;
|
||||||
import com.google.refine.process.ProcessManager;
|
import com.google.refine.process.ProcessManager;
|
||||||
@ -159,6 +160,7 @@ public class CancelProcessesCommandTests extends RefineTest {
|
|||||||
|
|
||||||
// mock dependencies
|
// mock dependencies
|
||||||
when(request.getParameter("project")).thenReturn(PROJECT_ID);
|
when(request.getParameter("project")).thenReturn(PROJECT_ID);
|
||||||
|
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
|
||||||
when(projMan.getProject(anyLong())).thenReturn(proj);
|
when(projMan.getProject(anyLong())).thenReturn(proj);
|
||||||
when(proj.getProcessManager()).thenReturn(processMan);
|
when(proj.getProcessManager()).thenReturn(processMan);
|
||||||
try {
|
try {
|
||||||
@ -197,6 +199,7 @@ public class CancelProcessesCommandTests extends RefineTest {
|
|||||||
public void doPostThrowsIfCommand_getProjectReturnsNull(){
|
public void doPostThrowsIfCommand_getProjectReturnsNull(){
|
||||||
// mock dependencies
|
// mock dependencies
|
||||||
when(request.getParameter("project")).thenReturn(PROJECT_ID);
|
when(request.getParameter("project")).thenReturn(PROJECT_ID);
|
||||||
|
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
|
||||||
when(projMan.getProject(anyLong()))
|
when(projMan.getProject(anyLong()))
|
||||||
.thenReturn(null);
|
.thenReturn(null);
|
||||||
try {
|
try {
|
||||||
@ -225,6 +228,7 @@ public class CancelProcessesCommandTests extends RefineTest {
|
|||||||
|
|
||||||
// mock dependencies
|
// mock dependencies
|
||||||
when(request.getParameter("project")).thenReturn(PROJECT_ID);
|
when(request.getParameter("project")).thenReturn(PROJECT_ID);
|
||||||
|
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
|
||||||
when(projMan.getProject(anyLong())).thenReturn(proj);
|
when(projMan.getProject(anyLong())).thenReturn(proj);
|
||||||
when(proj.getProcessManager()).thenReturn(processMan);
|
when(proj.getProcessManager()).thenReturn(processMan);
|
||||||
try {
|
try {
|
||||||
|
@ -157,13 +157,15 @@ ExpressionPreviewDialog.Widget.prototype.getExpression = function(commit) {
|
|||||||
|
|
||||||
s = this._getLanguage() + ":" + s;
|
s = this._getLanguage() + ":" + s;
|
||||||
if (commit) {
|
if (commit) {
|
||||||
|
Refine.wrapCSRF(function(token) {
|
||||||
$.post(
|
$.post(
|
||||||
"command/core/log-expression?" + $.param({ project: theProject.id }),
|
"command/core/log-expression?" + $.param({ project: theProject.id }),
|
||||||
{ expression: s },
|
{ expression: s, csrf_token: token },
|
||||||
function(data) {
|
function(data) {
|
||||||
},
|
},
|
||||||
"json"
|
"json"
|
||||||
);
|
);
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
return s;
|
return s;
|
||||||
@ -284,9 +286,13 @@ ExpressionPreviewDialog.Widget.prototype._renderExpressionHistory = function(dat
|
|||||||
.addClass(entry.starred ? "data-table-star-on" : "data-table-star-off")
|
.addClass(entry.starred ? "data-table-star-on" : "data-table-star-off")
|
||||||
.appendTo(tr.insertCell(0))
|
.appendTo(tr.insertCell(0))
|
||||||
.click(function() {
|
.click(function() {
|
||||||
|
Refine.wrapCSRF(function(token) {
|
||||||
$.post(
|
$.post(
|
||||||
"command/core/toggle-starred-expression",
|
"command/core/toggle-starred-expression",
|
||||||
{ expression: entry.code },
|
{
|
||||||
|
expression: entry.code,
|
||||||
|
csrf_token: token
|
||||||
|
},
|
||||||
function(data) {
|
function(data) {
|
||||||
entry.starred = !entry.starred;
|
entry.starred = !entry.starred;
|
||||||
renderEntry(self,tr,entry);
|
renderEntry(self,tr,entry);
|
||||||
@ -295,6 +301,7 @@ ExpressionPreviewDialog.Widget.prototype._renderExpressionHistory = function(dat
|
|||||||
"json"
|
"json"
|
||||||
);
|
);
|
||||||
});
|
});
|
||||||
|
});
|
||||||
|
|
||||||
$('<a href="javascript:{}">'+$.i18n('core-dialogs/reuse')+'</a>').appendTo(tr.insertCell(1)).click(function() {
|
$('<a href="javascript:{}">'+$.i18n('core-dialogs/reuse')+'</a>').appendTo(tr.insertCell(1)).click(function() {
|
||||||
self._elmts.expressionPreviewTextarea[0].value = o.expression;
|
self._elmts.expressionPreviewTextarea[0].value = o.expression;
|
||||||
@ -348,9 +355,10 @@ ExpressionPreviewDialog.Widget.prototype._renderStarredExpressions = function(da
|
|||||||
var o = Scripting.parse(entry.code);
|
var o = Scripting.parse(entry.code);
|
||||||
|
|
||||||
$('<a href="javascript:{}">'+$.i18n('core-dialogs/remove')+'</a>').appendTo(tr.insertCell(0)).click(function() {
|
$('<a href="javascript:{}">'+$.i18n('core-dialogs/remove')+'</a>').appendTo(tr.insertCell(0)).click(function() {
|
||||||
|
Refine.wrapCSRF(function(token) {
|
||||||
$.post(
|
$.post(
|
||||||
"command/core/toggle-starred-expression",
|
"command/core/toggle-starred-expression",
|
||||||
{ expression: entry.code, returnList: true },
|
{ expression: entry.code, returnList: true, csrf_token: token },
|
||||||
function(data) {
|
function(data) {
|
||||||
self._renderStarredExpressions(data);
|
self._renderStarredExpressions(data);
|
||||||
self._renderExpressionHistoryTab();
|
self._renderExpressionHistoryTab();
|
||||||
@ -358,6 +366,7 @@ ExpressionPreviewDialog.Widget.prototype._renderStarredExpressions = function(da
|
|||||||
"json"
|
"json"
|
||||||
);
|
);
|
||||||
});
|
});
|
||||||
|
});
|
||||||
|
|
||||||
$('<a href="javascript:{}">Reuse</a>').appendTo(tr.insertCell(1)).click(function() {
|
$('<a href="javascript:{}">Reuse</a>').appendTo(tr.insertCell(1)).click(function() {
|
||||||
self._elmts.expressionPreviewTextarea[0].value = o.expression;
|
self._elmts.expressionPreviewTextarea[0].value = o.expression;
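Review bot: The `csrf_token` literal is written inline in `getExpression` (`{ expression: s, csrf_token: token }`) and in `_renderStarredExpressions` (`{ expression: entry.code, returnList: true, csrf_token: token }`), but the `_renderExpressionHistory` star-toggle handler spreads the same two-key object over four lines; the same call shape in the same file should read the same way, so I would collapse it to `{ expression: entry.code, csrf_token: token },`. Separately, none of the three wrapped calls handles a failed token fetch or a CSRF rejection from the server: a star toggle that fails leaves `entry.starred` unchanged with no feedback, and as defined in the project.js hunk of this same commit `Refine.wrapCSRF` passes only a success callback to `$.get`, so its caller is never told. A short comment above the first `Refine.wrapCSRF(` in `getExpression`, e.g. `// log-expression is a state change, so it needs a CSRF token; the token fetch is asynchronous and failure is silent`, would make that trade-off explicit for the next reader.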
|
||||||
|
@ -271,5 +271,8 @@ Refine.CreateProjectUI.composeErrorMessage = function(job) {
|
|||||||
};
|
};
|
||||||
|
|
||||||
Refine.CreateProjectUI.cancelImportingJob = function(jobID) {
|
Refine.CreateProjectUI.cancelImportingJob = function(jobID) {
|
||||||
$.post("command/core/cancel-importing-job?" + $.param({ "jobID": jobID }));
|
Refine.wrapCSRF(function(token) {
|
||||||
|
$.post("command/core/cancel-importing-job?" + $.param({ "jobID": jobID }),
|
||||||
|
{csrf_token: token});
|
||||||
|
});
|
||||||
};
|
};
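Review bot: `cancelImportingJob` issues the cancel POST with no completion or failure callback, so a rejected token fetch or a CSRF error response from the server is silently dropped and the caller never learns that the job was not cancelled. Assuming the bundled jQuery exposes the jqXHR deferred API, a minimal `.fail(function() { console.log("cancel-importing-job failed for job " + jobID); })` on the `$.post` call would at least leave a trace. Also, `{csrf_token: token}` is written without the inner spaces used for the same literal in the other call sites of this commit; `{ csrf_token: token }` keeps them uniform.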
|
||||||
|
@ -78,9 +78,10 @@ Refine.DefaultImportingController.prototype.startImportJob = function(form, prog
|
|||||||
return this.value === "";
|
return this.value === "";
|
||||||
}).attr("disabled", "disabled");
|
}).attr("disabled", "disabled");
|
||||||
|
|
||||||
|
Refine.wrapCSRF(function(token) {
|
||||||
$.post(
|
$.post(
|
||||||
"command/core/create-importing-job",
|
"command/core/create-importing-job",
|
||||||
null,
|
{ csrf_token: token },
|
||||||
function(data) {
|
function(data) {
|
||||||
var jobID = self._jobID = data.jobID;
|
var jobID = self._jobID = data.jobID;
|
||||||
|
|
||||||
@ -133,6 +134,7 @@ Refine.DefaultImportingController.prototype.startImportJob = function(form, prog
|
|||||||
},
|
},
|
||||||
"json"
|
"json"
|
||||||
);
|
);
|
||||||
|
});
|
||||||
};
|
};
|
||||||
|
|
||||||
Refine.DefaultImportingController.prototype._onImportJobReady = function() {
|
Refine.DefaultImportingController.prototype._onImportJobReady = function() {
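Review bot: In `startImportJob` the empty form fields are disabled synchronously via `.attr("disabled", "disabled")` before the asynchronous token fetch, and the job is only created inside the `Refine.wrapCSRF` callback; if the `get-csrf-token` request fails that callback never runs, so `self._jobID` is never set and, as far as this hunk shows, nothing re-enables the fields or reports the failure — I cannot see from here whether the rest of the function handles that. `startImportJob` starts before the first hunk and the stretch between the two hunks is not shown. The ordering deserves a comment above `Refine.wrapCSRF(`, e.g. `// Token fetch is asynchronous: the job is created (and the form submitted) only once the token arrives.`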
|
||||||
|
@ -388,22 +388,18 @@ Refine.postProcess = function(moduleName, command, params, body, updateOptions,
|
|||||||
|
|
||||||
Refine.setAjaxInProgress();
|
Refine.setAjaxInProgress();
|
||||||
|
|
||||||
// Get a CSRF token first
|
Refine.wrapCSRF(
|
||||||
$.get(
|
function(token) {
|
||||||
"command/core/get-csrf-token",
|
|
||||||
{},
|
|
||||||
function(response) {
|
|
||||||
|
|
||||||
// Add it to the body and submit it as a POST request
|
// Add it to the body and submit it as a POST request
|
||||||
body['csrf_token'] = response['token'];
|
body['csrf_token'] = token;
|
||||||
$.post(
|
$.post(
|
||||||
"command/" + moduleName + "/" + command + "?" + $.param(params),
|
"command/" + moduleName + "/" + command + "?" + $.param(params),
|
||||||
body,
|
body,
|
||||||
onDone,
|
onDone,
|
||||||
"json"
|
"json"
|
||||||
);
|
);
|
||||||
},
|
}
|
||||||
"json"
|
|
||||||
);
|
);
|
||||||
|
|
||||||
window.setTimeout(function() {
|
window.setTimeout(function() {
|
||||||
@ -413,6 +409,19 @@ Refine.postProcess = function(moduleName, command, params, body, updateOptions,
|
|||||||
}, 500);
|
}, 500);
|
||||||
};
|
};
|
||||||
|
|
||||||
|
// Requests a CSRF token and calls the supplied callback
|
||||||
|
// with the token
|
||||||
|
Refine.wrapCSRF = function(onCSRF) {
|
||||||
|
$.get(
|
||||||
|
"command/core/get-csrf-token",
|
||||||
|
{},
|
||||||
|
function(response) {
|
||||||
|
onCSRF(response['token']);
|
||||||
|
},
|
||||||
|
"json"
|
||||||
|
);
|
||||||
|
};
|
||||||
|
|
||||||
Refine.setAjaxInProgress = function() {
|
Refine.setAjaxInProgress = function() {
|
||||||
$(document.body).attr("ajax_in_progress", "true");
|
$(document.body).attr("ajax_in_progress", "true");
|
||||||
};
|
};
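Review bot: `Refine.wrapCSRF` registers only a success handler on the `get-csrf-token` GET, so if that request fails (server unavailable, a non-JSON error page, a network error) `onCSRF` is never invoked and the wrapped POST silently never happens; for `Refine.postProcess` that means `Refine.setAjaxInProgress()` has already run and `onDone` will never fire, and whether the `setTimeout` further down clears that state cannot be seen in this hunk. I would give the wrapper an optional failure callback with a default that at least logs, assuming the bundled jQuery returns a jqXHR with `.fail` (1.5+). The new helper also needs a doc comment stating that a fresh token is requested before every wrapped call rather than cached. One security caveat worth writing down next to it: fetching the token over GET is only safe because the JSON response is protected by the same-origin policy, so `get-csrf-token` must never be exposed via JSONP or a permissive CORS policy.

```javascript
// Requests a fresh CSRF token and calls onCSRF(token). The token is not
// cached; each wrapped request fetches its own. If the token request itself
// fails, onError (optional) is invoked instead and the wrapped call is skipped.
Refine.wrapCSRF = function(onCSRF, onError) {
  $.get(
    "command/core/get-csrf-token",
    {},
    function(response) {
      onCSRF(response['token']);
    },
    "json"
  ).fail(function(jqXHR, textStatus, errorThrown) {
    if (onError) {
      onError(jqXHR, textStatus, errorThrown);
    } else {
      console.log("get-csrf-token failed: " + textStatus);
    }
  });
};
```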
|
||||||
|
@ -124,15 +124,17 @@ ProcessPanel.prototype.undo = function() {
|
|||||||
|
|
||||||
ProcessPanel.prototype._cancelAll = function() {
|
ProcessPanel.prototype._cancelAll = function() {
|
||||||
var self = this;
|
var self = this;
|
||||||
|
Refine.wrapCSRF(function(token) {
|
||||||
$.post(
|
$.post(
|
||||||
"command/core/cancel-processes?" + $.param({ project: theProject.id }),
|
"command/core/cancel-processes?" + $.param({ project: theProject.id }),
|
||||||
null,
|
{ csrf_token: token },
|
||||||
function(o) {
|
function(o) {
|
||||||
self._data = null;
|
self._data = null;
|
||||||
self._runOnDones();
|
self._runOnDones();
|
||||||
},
|
},
|
||||||
"json"
|
"json"
|
||||||
);
|
);
|
||||||
|
});
|
||||||
};
|
};
|
||||||
|
|
||||||
ProcessPanel.prototype._render = function(newData) {
|
ProcessPanel.prototype._render = function(newData) {
|
||||||
|