s434730/RandomSec
3
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

CSRF protection for ImportingController

Browse Source
This commit is contained in:
Antonin Delpeuch 2019-10-11 13:53:43 +01:00
parent 70e37b9085
commit 91cead27f8
7 changed files with 221 additions and 175 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
main/src/com/google/refine/commands/importing/ImportingControllerCommand.java
View File

@ -56,6 +56,10 @@ public class ImportingControllerCommand extends Command {
@Override @Override
public void doPost(HttpServletRequest request, HttpServletResponse response) public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException { throws ServletException, IOException {
if(!checkCSRF(request)) {
respondCSRFError(response);
return;
}
ImportingController controller = getController(request); ImportingController controller = getController(request);
if (controller != null) { if (controller != null) {
@ -92,4 +96,14 @@ public class ImportingControllerCommand extends Command {
} }
return null; return null;
} }
/**
* Checks the validity of a CSRF token, without reading the whole POST body.
* See above for details.
*/
private boolean checkCSRF(HttpServletRequest request) {
Properties options = ParsingUtilities.parseUrlParameters(request);
String token = options.getProperty("csrf_token");
return token != null && csrfFactory.validToken(token);
}
} }

24
main/tests/server/src/com/google/refine/commands/importing/ImportingControllerCommandTests.java Normal file
View File

@ -0,0 +1,24 @@
package com.google.refine.commands.importing;
import com.google.refine.commands.CommandTestBase;
import java.io.IOException;
import javax.servlet.ServletException;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;
public class ImportingControllerCommandTests extends CommandTestBase {
@BeforeMethod
public void setUpCommand() {
command = new ImportingControllerCommand();
}
@Test
public void testCSRFProtection() throws ServletException, IOException {
command.doPost(request, response);
assertCSRFCheckFailed();
}
}

19
main/webapp/modules/core/scripts/dialogs/expression-preview-dialog.js
View File

@ -157,15 +157,13 @@ ExpressionPreviewDialog.Widget.prototype.getExpression = function(commit) {
s = this._getLanguage() + ":" + s; s = this._getLanguage() + ":" + s;
if (commit) { if (commit) {
Refine.wrapCSRF(function(token) { Refine.postCSRF(
$.post(
"command/core/log-expression?" + $.param({ project: theProject.id }), "command/core/log-expression?" + $.param({ project: theProject.id }),
{ expression: s, csrf_token: token }, { expression: s },
function(data) { function(data) {
}, },
"json" "json"
); );
});
} }
return s; return s;
@ -286,12 +284,10 @@ ExpressionPreviewDialog.Widget.prototype._renderExpressionHistory = function(dat
.addClass(entry.starred ? "data-table-star-on" : "data-table-star-off") .addClass(entry.starred ? "data-table-star-on" : "data-table-star-off")
.appendTo(tr.insertCell(0)) .appendTo(tr.insertCell(0))
.click(function() { .click(function() {
Refine.wrapCSRF(function(token) { Refine.postCSRF(
$.post(
"command/core/toggle-starred-expression", "command/core/toggle-starred-expression",
{ {
expression: entry.code, expression: entry.code
csrf_token: token
}, },
function(data) { function(data) {
entry.starred = !entry.starred; entry.starred = !entry.starred;
@ -301,7 +297,6 @@ ExpressionPreviewDialog.Widget.prototype._renderExpressionHistory = function(dat
"json" "json"
); );
}); });
});
$('<a href="javascript:{}">'+$.i18n('core-dialogs/reuse')+'</a>').appendTo(tr.insertCell(1)).click(function() { $('<a href="javascript:{}">'+$.i18n('core-dialogs/reuse')+'</a>').appendTo(tr.insertCell(1)).click(function() {
self._elmts.expressionPreviewTextarea[0].value = o.expression; self._elmts.expressionPreviewTextarea[0].value = o.expression;
@ -355,10 +350,9 @@ ExpressionPreviewDialog.Widget.prototype._renderStarredExpressions = function(da
var o = Scripting.parse(entry.code); var o = Scripting.parse(entry.code);
$('<a href="javascript:{}">'+$.i18n('core-dialogs/remove')+'</a>').appendTo(tr.insertCell(0)).click(function() { $('<a href="javascript:{}">'+$.i18n('core-dialogs/remove')+'</a>').appendTo(tr.insertCell(0)).click(function() {
Refine.wrapCSRF(function(token) { Refine.postCSRF(
$.post(
"command/core/toggle-starred-expression", "command/core/toggle-starred-expression",
{ expression: entry.code, returnList: true, csrf_token: token }, { expression: entry.code, returnList: true },
function(data) { function(data) {
self._renderStarredExpressions(data); self._renderStarredExpressions(data);
self._renderExpressionHistoryTab(); self._renderExpressionHistoryTab();
@ -366,7 +360,6 @@ ExpressionPreviewDialog.Widget.prototype._renderStarredExpressions = function(da
"json" "json"
); );
}); });
});
$('<a href="javascript:{}">Reuse</a>').appendTo(tr.insertCell(1)).click(function() { $('<a href="javascript:{}">Reuse</a>').appendTo(tr.insertCell(1)).click(function() {
self._elmts.expressionPreviewTextarea[0].value = o.expression; self._elmts.expressionPreviewTextarea[0].value = o.expression;

18
main/webapp/modules/core/scripts/index/default-importing-controller/controller.js
View File

@ -92,7 +92,8 @@ Refine.DefaultImportingController.prototype.startImportJob = function(form, prog
.attr("action", "command/core/importing-controller?" + $.param({ .attr("action", "command/core/importing-controller?" + $.param({
"controller": "core/default-importing-controller", "controller": "core/default-importing-controller",
"jobID": jobID, "jobID": jobID,
"subCommand": "load-raw-data" "subCommand": "load-raw-data",
"csrf_token": token
})); }));
form[0].submit(); form[0].submit();
@ -182,12 +183,14 @@ Refine.DefaultImportingController.prototype._ensureFormatParserUIHasInitializati
if (!(format in this._parserOptions)) { if (!(format in this._parserOptions)) {
var self = this; var self = this;
var dismissBusy = DialogSystem.showBusy($.i18n('core-index-import/inspecting')); var dismissBusy = DialogSystem.showBusy($.i18n('core-index-import/inspecting'));
Refine.wrapCSRF(function(token) {
$.post( $.post(
"command/core/importing-controller?" + $.param({ "command/core/importing-controller?" + $.param({
"controller": "core/default-importing-controller", "controller": "core/default-importing-controller",
"jobID": this._jobID, "jobID": this._jobID,
"subCommand": "initialize-parser-ui", "subCommand": "initialize-parser-ui",
"format": format "format": format,
"csrf_token": token
}), }),
null, null,
function(data) { function(data) {
@ -204,6 +207,7 @@ Refine.DefaultImportingController.prototype._ensureFormatParserUIHasInitializati
dismissBusy(); dismissBusy();
alert($.i18n('core-views/check-format')); alert($.i18n('core-views/check-format'));
}); });
});
} else { } else {
onDone(); onDone();
} }
@ -211,11 +215,13 @@ Refine.DefaultImportingController.prototype._ensureFormatParserUIHasInitializati
Refine.DefaultImportingController.prototype.updateFormatAndOptions = function(options, callback, finallyCallBack) { Refine.DefaultImportingController.prototype.updateFormatAndOptions = function(options, callback, finallyCallBack) {
var self = this; var self = this;
Refine.wrapCSRF(function(token) {
$.post( $.post(
"command/core/importing-controller?" + $.param({ "command/core/importing-controller?" + $.param({
"controller": "core/default-importing-controller", "controller": "core/default-importing-controller",
"jobID": this._jobID, "jobID": this._jobID,
"subCommand": "update-format-and-options" "subCommand": "update-format-and-options",
"csrf_token": token
}), }),
{ {
"format" : this._format, "format" : this._format,
@ -237,6 +243,7 @@ Refine.DefaultImportingController.prototype.updateFormatAndOptions = function(op
}, },
"json" "json"
); );
});
}; };
Refine.DefaultImportingController.prototype.getPreviewData = function(callback, numRows) { Refine.DefaultImportingController.prototype.getPreviewData = function(callback, numRows) {
@ -286,11 +293,13 @@ Refine.DefaultImportingController.prototype._createProject = function() {
var options = this._formatParserUI.getOptions(); var options = this._formatParserUI.getOptions();
options.projectName = projectName; options.projectName = projectName;
options.projectTags = projectTags; options.projectTags = projectTags;
Refine.wrapCSRF(function(token) {
$.post( $.post(
"command/core/importing-controller?" + $.param({ "command/core/importing-controller?" + $.param({
"controller": "core/default-importing-controller", "controller": "core/default-importing-controller",
"jobID": this._jobID, "jobID": this._jobID,
"subCommand": "create-project" "subCommand": "create-project",
"csrf_token": token
}), }),
{ {
"format" : this._format, "format" : this._format,
@ -336,6 +345,7 @@ Refine.DefaultImportingController.prototype._createProject = function() {
}, },
"json" "json"
); );
});
} }
}; };

5
main/webapp/modules/core/scripts/index/default-importing-controller/file-selection-panel.js
View File

@ -328,11 +328,13 @@ Refine.DefaultImportingController.prototype._commitFileSelection = function() {
var self = this; var self = this;
var dismissBusy = DialogSystem.showBusy($.i18n('core-index-import/inspecting-files')); var dismissBusy = DialogSystem.showBusy($.i18n('core-index-import/inspecting-files'));
Refine.wrapCSRF(function(token) {
$.post( $.post(
"command/core/importing-controller?" + $.param({ "command/core/importing-controller?" + $.param({
"controller": "core/default-importing-controller", "controller": "core/default-importing-controller",
"jobID": this._jobID, "jobID": this._jobID,
"subCommand": "update-file-selection" "subCommand": "update-file-selection",
"csrf_token": token
}), }),
{ {
"fileSelection" : JSON.stringify(this._job.config.fileSelection) "fileSelection" : JSON.stringify(this._job.config.fileSelection)
@ -354,4 +356,5 @@ Refine.DefaultImportingController.prototype._commitFileSelection = function() {
}, },
"json" "json"
); );
});
}; };

20
main/webapp/modules/core/scripts/project.js
View File

@ -388,19 +388,12 @@ Refine.postProcess = function(moduleName, command, params, body, updateOptions,
Refine.setAjaxInProgress(); Refine.setAjaxInProgress();
Refine.wrapCSRF( Refine.postCSRF(
function(token) {
// Add it to the body and submit it as a POST request
body['csrf_token'] = token;
$.post(
"command/" + moduleName + "/" + command + "?" + $.param(params), "command/" + moduleName + "/" + command + "?" + $.param(params),
body, body,
onDone, onDone,
"json" "json"
); );
}
);
window.setTimeout(function() { window.setTimeout(function() {
if (!done) { if (!done) {
@ -422,6 +415,17 @@ Refine.wrapCSRF = function(onCSRF) {
); );
}; };
// Performs a POST request where an additional CSRF token
// is supplied in the POST data. The arguments match those
// of $.post().
Refine.postCSRF = function(url, data, success, dataType) {
Refine.wrapCSRF(function(token) {
var fullData = data || {};
data['csrf_token'] = token;
$.post(url, fulldata, success, dataType);
});
};
Refine.setAjaxInProgress = function() { Refine.setAjaxInProgress = function() {
$(document.body).attr("ajax_in_progress", "true"); $(document.body).attr("ajax_in_progress", "true");
}; };

6
main/webapp/modules/core/scripts/project/process-panel.js
View File

@ -124,17 +124,15 @@ ProcessPanel.prototype.undo = function() {
ProcessPanel.prototype._cancelAll = function() { ProcessPanel.prototype._cancelAll = function() {
var self = this; var self = this;
Refine.wrapCSRF(function(token) { Refine.postCSRF(
$.post(
"command/core/cancel-processes?" + $.param({ project: theProject.id }), "command/core/cancel-processes?" + $.param({ project: theProject.id }),
{ csrf_token: token }, { },
function(o) { function(o) {
self._data = null; self._data = null;
self._runOnDones(); self._runOnDones();
}, },
"json" "json"
); );
});
}; };
ProcessPanel.prototype._render = function(newData) { ProcessPanel.prototype._render = function(newData) {