s434730/RandomSec
3
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

CSRF protection for ImportingController

Browse Source
This commit is contained in:
Antonin Delpeuch 2019-10-11 13:53:43 +01:00
parent 70e37b9085
commit 91cead27f8
7 changed files with 221 additions and 175 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
main/src/com/google/refine/commands/importing/ImportingControllerCommand.java
View File

@ -56,6 +56,10 @@ public class ImportingControllerCommand extends Command {
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
if(!checkCSRF(request)) {
respondCSRFError(response);
return;
}
ImportingController controller = getController(request);
if (controller != null) {
@ -92,4 +96,14 @@ public class ImportingControllerCommand extends Command {
}
return null;
}
/**
* Checks the validity of a CSRF token, without reading the whole POST body.
* See above for details.
*/
private boolean checkCSRF(HttpServletRequest request) {
Properties options = ParsingUtilities.parseUrlParameters(request);
String token = options.getProperty("csrf_token");
return token != null && csrfFactory.validToken(token);
}
}

24
main/tests/server/src/com/google/refine/commands/importing/ImportingControllerCommandTests.java Normal file
View File

@ -0,0 +1,24 @@
package com.google.refine.commands.importing;
import com.google.refine.commands.CommandTestBase;
import java.io.IOException;
import javax.servlet.ServletException;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;
public class ImportingControllerCommandTests extends CommandTestBase {
@BeforeMethod
public void setUpCommand() {
command = new ImportingControllerCommand();
}
@Test
public void testCSRFProtection() throws ServletException, IOException {
command.doPost(request, response);
assertCSRFCheckFailed();
}
}

63
main/webapp/modules/core/scripts/dialogs/expression-preview-dialog.js
View File

@ -157,15 +157,13 @@ ExpressionPreviewDialog.Widget.prototype.getExpression = function(commit) {
s = this._getLanguage() + ":" + s;
if (commit) {
Refine.wrapCSRF(function(token) {
$.post(
"command/core/log-expression?" + $.param({ project: theProject.id }),
{ expression: s, csrf_token: token },
function(data) {
},
"json"
);
});
Refine.postCSRF(
"command/core/log-expression?" + $.param({ project: theProject.id }),
{ expression: s },
function(data) {
},
"json"
);
}
return s;
@ -286,21 +284,18 @@ ExpressionPreviewDialog.Widget.prototype._renderExpressionHistory = function(dat
.addClass(entry.starred ? "data-table-star-on" : "data-table-star-off")
.appendTo(tr.insertCell(0))
.click(function() {
Refine.wrapCSRF(function(token) {
$.post(
"command/core/toggle-starred-expression",
{
expression: entry.code,
csrf_token: token
},
function(data) {
entry.starred = !entry.starred;
renderEntry(self,tr,entry);
self._renderStarredExpressionsTab();
},
"json"
);
});
Refine.postCSRF(
"command/core/toggle-starred-expression",
{
expression: entry.code
},
function(data) {
entry.starred = !entry.starred;
renderEntry(self,tr,entry);
self._renderStarredExpressionsTab();
},
"json"
);
});
$('<a href="javascript:{}">'+$.i18n('core-dialogs/reuse')+'</a>').appendTo(tr.insertCell(1)).click(function() {
@ -355,17 +350,15 @@ ExpressionPreviewDialog.Widget.prototype._renderStarredExpressions = function(da
var o = Scripting.parse(entry.code);
$('<a href="javascript:{}">'+$.i18n('core-dialogs/remove')+'</a>').appendTo(tr.insertCell(0)).click(function() {
Refine.wrapCSRF(function(token) {
$.post(
"command/core/toggle-starred-expression",
{ expression: entry.code, returnList: true, csrf_token: token },
function(data) {
self._renderStarredExpressions(data);
self._renderExpressionHistoryTab();
},
"json"
);
});
Refine.postCSRF(
"command/core/toggle-starred-expression",
{ expression: entry.code, returnList: true },
function(data) {
self._renderStarredExpressions(data);
self._renderExpressionHistoryTab();
},
"json"
);
});
$('<a href="javascript:{}">Reuse</a>').appendTo(tr.insertCell(1)).click(function() {

196
main/webapp/modules/core/scripts/index/default-importing-controller/controller.js
View File

@ -92,7 +92,8 @@ Refine.DefaultImportingController.prototype.startImportJob = function(form, prog
.attr("action", "command/core/importing-controller?" + $.param({
"controller": "core/default-importing-controller",
"jobID": jobID,
"subCommand": "load-raw-data"
"subCommand": "load-raw-data",
"csrf_token": token
}));
form[0].submit();
@ -182,27 +183,30 @@ Refine.DefaultImportingController.prototype._ensureFormatParserUIHasInitializati
if (!(format in this._parserOptions)) {
var self = this;
var dismissBusy = DialogSystem.showBusy($.i18n('core-index-import/inspecting'));
$.post(
"command/core/importing-controller?" + $.param({
"controller": "core/default-importing-controller",
"jobID": this._jobID,
"subCommand": "initialize-parser-ui",
"format": format
}),
null,
function(data) {
dismissBusy();
Refine.wrapCSRF(function(token) {
$.post(
"command/core/importing-controller?" + $.param({
"controller": "core/default-importing-controller",
"jobID": this._jobID,
"subCommand": "initialize-parser-ui",
"format": format,
"csrf_token": token
}),
null,
function(data) {
dismissBusy();
if (data.options) {
self._parserOptions[format] = data.options;
onDone();
}
},
"json"
)
.fail(function() {
dismissBusy();
alert($.i18n('core-views/check-format'));
if (data.options) {
self._parserOptions[format] = data.options;
onDone();
}
},
"json"
)
.fail(function() {
dismissBusy();
alert($.i18n('core-views/check-format'));
});
});
} else {
onDone();
@ -211,32 +215,35 @@ Refine.DefaultImportingController.prototype._ensureFormatParserUIHasInitializati
Refine.DefaultImportingController.prototype.updateFormatAndOptions = function(options, callback, finallyCallBack) {
var self = this;
$.post(
"command/core/importing-controller?" + $.param({
"controller": "core/default-importing-controller",
"jobID": this._jobID,
"subCommand": "update-format-and-options"
}),
{
"format" : this._format,
"options" : JSON.stringify(options)
},
function(o) {
if (o.status == 'error') {
if (o.message) {
alert(o.message);
Refine.wrapCSRF(function(token) {
$.post(
"command/core/importing-controller?" + $.param({
"controller": "core/default-importing-controller",
"jobID": this._jobID,
"subCommand": "update-format-and-options",
"csrf_token": token
}),
{
"format" : this._format,
"options" : JSON.stringify(options)
},
function(o) {
if (o.status == 'error') {
if (o.message) {
alert(o.message);
} else {
var messages = [];
$.each(o.errors, function() { messages.push(this.message); });
alert(messages.join('\n\n'));
}
finallyCallBack();
} else {
var messages = [];
$.each(o.errors, function() { messages.push(this.message); });
alert(messages.join('\n\n'));
callback(o);
}
finallyCallBack();
} else {
callback(o);
}
},
"json"
);
},
"json"
);
});
};
Refine.DefaultImportingController.prototype.getPreviewData = function(callback, numRows) {
@ -286,56 +293,59 @@ Refine.DefaultImportingController.prototype._createProject = function() {
var options = this._formatParserUI.getOptions();
options.projectName = projectName;
options.projectTags = projectTags;
$.post(
"command/core/importing-controller?" + $.param({
"controller": "core/default-importing-controller",
"jobID": this._jobID,
"subCommand": "create-project"
}),
{
"format" : this._format,
"options" : JSON.stringify(options)
},
function(o) {
if (o.status == 'error') {
alert(o.message);
return;
}
var start = new Date();
var timerID = window.setInterval(
function() {
self._createProjectUI.pollImportJob(
start,
self._jobID,
timerID,
function(job) {
return "projectID" in job.config;
},
function(jobID, job) {
Refine.CreateProjectUI.cancelImportingJob(jobID);
document.location = "project?project=" + job.config.projectID;
},
function(job) {
alert($.i18n('core-index-import/errors')+'\n' + Refine.CreateProjectUI.composeErrorMessage(job));
self._onImportJobReady();
}
Refine.wrapCSRF(function(token) {
$.post(
"command/core/importing-controller?" + $.param({
"controller": "core/default-importing-controller",
"jobID": this._jobID,
"subCommand": "create-project",
"csrf_token": token
}),
{
"format" : this._format,
"options" : JSON.stringify(options)
},
function(o) {
if (o.status == 'error') {
alert(o.message);
return;
}
var start = new Date();
var timerID = window.setInterval(
function() {
self._createProjectUI.pollImportJob(
start,
self._jobID,
timerID,
function(job) {
return "projectID" in job.config;
},
function(jobID, job) {
Refine.CreateProjectUI.cancelImportingJob(jobID);
document.location = "project?project=" + job.config.projectID;
},
function(job) {
alert($.i18n('core-index-import/errors')+'\n' + Refine.CreateProjectUI.composeErrorMessage(job));
self._onImportJobReady();
}
);
},
1000
);
},
1000
self._createProjectUI.showImportProgressPanel($.i18n('core-index-import/creating-proj'), function() {
// stop the timed polling
window.clearInterval(timerID);
// explicitly cancel the import job
Refine.CreateProjectUI.cancelImportingJob(self._jobID);
self._createProjectUI.showSourceSelectionPanel();
});
},
"json"
);
self._createProjectUI.showImportProgressPanel($.i18n('core-index-import/creating-proj'), function() {
// stop the timed polling
window.clearInterval(timerID);
// explicitly cancel the import job
Refine.CreateProjectUI.cancelImportingJob(self._jobID);
self._createProjectUI.showSourceSelectionPanel();
});
},
"json"
);
});
}
};

51
main/webapp/modules/core/scripts/index/default-importing-controller/file-selection-panel.js
View File

@ -328,30 +328,33 @@ Refine.DefaultImportingController.prototype._commitFileSelection = function() {
var self = this;
var dismissBusy = DialogSystem.showBusy($.i18n('core-index-import/inspecting-files'));
$.post(
"command/core/importing-controller?" + $.param({
"controller": "core/default-importing-controller",
"jobID": this._jobID,
"subCommand": "update-file-selection"
}),
{
"fileSelection" : JSON.stringify(this._job.config.fileSelection)
},
function(data) {
dismissBusy();
Refine.wrapCSRF(function(token) {
$.post(
"command/core/importing-controller?" + $.param({
"controller": "core/default-importing-controller",
"jobID": this._jobID,
"subCommand": "update-file-selection",
"csrf_token": token
}),
{
"fileSelection" : JSON.stringify(this._job.config.fileSelection)
},
function(data) {
dismissBusy();
if (!(data)) {
self._createProjectUI.showImportJobError($.i18n('core-index-import/unknown-err'));
} else if (data.code == "error" || !("job" in data)) {
self._createProjectUI.showImportJobError((data.message) ? ($.i18n('core-index-import/error')+ ' ' + data.message) : $.i18n('core-index-import/unknown-err'));
} else {
// Different files might be selected. We start over again.
delete this._parserOptions;
if (!(data)) {
self._createProjectUI.showImportJobError($.i18n('core-index-import/unknown-err'));
} else if (data.code == "error" || !("job" in data)) {
self._createProjectUI.showImportJobError((data.message) ? ($.i18n('core-index-import/error')+ ' ' + data.message) : $.i18n('core-index-import/unknown-err'));
} else {
// Different files might be selected. We start over again.
delete this._parserOptions;
self._job = data.job;
self._showParsingPanel(true);
}
},
"json"
);
self._job = data.job;
self._showParsingPanel(true);
}
},
"json"
);
});
};

28
main/webapp/modules/core/scripts/project.js
View File

@ -388,18 +388,11 @@ Refine.postProcess = function(moduleName, command, params, body, updateOptions,
Refine.setAjaxInProgress();
Refine.wrapCSRF(
function(token) {
// Add it to the body and submit it as a POST request
body['csrf_token'] = token;
$.post(
"command/" + moduleName + "/" + command + "?" + $.param(params),
body,
onDone,
"json"
);
}
Refine.postCSRF(
"command/" + moduleName + "/" + command + "?" + $.param(params),
body,
onDone,
"json"
);
window.setTimeout(function() {
@ -422,6 +415,17 @@ Refine.wrapCSRF = function(onCSRF) {
);
};
// Performs a POST request where an additional CSRF token
// is supplied in the POST data. The arguments match those
// of $.post().
Refine.postCSRF = function(url, data, success, dataType) {
Refine.wrapCSRF(function(token) {
var fullData = data || {};
data['csrf_token'] = token;
$.post(url, fulldata, success, dataType);
});
};
Refine.setAjaxInProgress = function() {
$(document.body).attr("ajax_in_progress", "true");
};

20
main/webapp/modules/core/scripts/project/process-panel.js
View File

@ -124,17 +124,15 @@ ProcessPanel.prototype.undo = function() {
ProcessPanel.prototype._cancelAll = function() {
var self = this;
Refine.wrapCSRF(function(token) {
$.post(
"command/core/cancel-processes?" + $.param({ project: theProject.id }),
{ csrf_token: token },
function(o) {
self._data = null;
self._runOnDones();
},
"json"
);
});
Refine.postCSRF(
"command/core/cancel-processes?" + $.param({ project: theProject.id }),
{ },
function(o) {
self._data = null;
self._runOnDones();
},
"json"
);
};
ProcessPanel.prototype._render = function(newData) {