CSRF protection for database extension

2019-10-17 09:10:28 +01:00 · 2019-10-17 09:10:28 +01:00 · b52c009491
commit b52c009491
parent 9ae6a7a581
13 changed files with 227 additions and 122 deletions
--- a/extensions/database/module/scripts/database-extension.js
+++ b/extensions/database/module/scripts/database-extension.js
@ -69,7 +69,7 @@ DatabaseExtension.handleConnectClicked = function(connectionName) {
                     databaseConfig.initialDatabase = savedConfig.databaseName;
                     databaseConfig.initialSchema = savedConfig.databaseSchema;
-                        $.post(
+                        Refine.postCSRF(
                                "command/database/connect",
                                 databaseConfig,
@ -101,8 +101,8 @@ DatabaseExtension.handleConnectClicked = function(connectionName) {
                                    }
                                },
-                                "json"
+                                "json",
-                      ).fail(function( jqXhr, textStatus, errorThrown ){
+                                function( jqXhr, textStatus, errorThrown ){
                                    alert( textStatus + ':' + errorThrown );
                     });
--- a/extensions/database/module/scripts/index/database-import-controller.js
+++ b/extensions/database/module/scripts/index/database-import-controller.js
@ -65,14 +65,16 @@ Refine.DatabaseImportController.prototype.startImportingDocument = function(quer
    //alert(queryInfo.query);
    var self = this;
-    $.post(
+    Refine.postCSRF(
      "command/core/create-importing-job",
      null,
      function(data) {
        Refine.wrapCSRF(function(token) {
            $.post(
            "command/core/importing-controller?" + $.param({
                "controller": "database/database-import-controller",
-            "subCommand": "initialize-parser-ui"
+                "subCommand": "initialize-parser-ui",
                "csrf_token": token
            }),
            queryInfo,
@ -92,6 +94,7 @@ Refine.DatabaseImportController.prototype.startImportingDocument = function(quer
            },
            "json"
            );
        });
      },
      "json"
    );
@ -248,11 +251,13 @@ Refine.DatabaseImportController.prototype._updatePreview = function() {
    this._queryInfo.options = JSON.stringify(this.getOptions());
    //alert("options:" + this._queryInfo.options);
    Refine.wrapCSRF(function(token) {
        $.post(
        "command/core/importing-controller?" + $.param({
            "controller": "database/database-import-controller",
            "jobID": this._jobID,
-        "subCommand": "parse-preview"
+            "subCommand": "parse-preview",
            "csrf_token": token
        }),
        this._queryInfo,
@ -282,6 +287,7 @@ Refine.DatabaseImportController.prototype._updatePreview = function() {
        },
        "json"
        );
    });
  };
 Refine.DatabaseImportController.prototype._getPreviewData = function(callback, numRows) {
@ -329,11 +335,13 @@ Refine.DatabaseImportController.prototype._createProject = function() {
    options.projectName = projectName;
    this._queryInfo.options = JSON.stringify(options);
    Refine.wrapCSRF(function(token) {
        $.post(
        "command/core/importing-controller?" + $.param({
            "controller": "database/database-import-controller",
            "jobID": this._jobID,
-        "subCommand": "create-project"
+            "subCommand": "create-project",
            "csrf_token": token
        }),
        this._queryInfo,
        function(o) {
@ -376,4 +384,5 @@ Refine.DatabaseImportController.prototype._createProject = function() {
        },
        "json"
        );
    });
 };
--- a/extensions/database/module/scripts/index/database-source-ui.js
+++ b/extensions/database/module/scripts/index/database-source-ui.js
@ -268,7 +268,7 @@ Refine.DatabaseSourceUI.prototype._executeQuery = function(jdbcQueryInfo) {
    var dismiss = DialogSystem.showBusy($.i18n('database-import/checking'));
-    $.post(
+    Refine.postCSRF(
      "command/database/test-query",
      jdbcQueryInfo,
      function(jdbcConnectionResult) {
@ -277,8 +277,8 @@ Refine.DatabaseSourceUI.prototype._executeQuery = function(jdbcQueryInfo) {
          self._controller.startImportingDocument(jdbcQueryInfo);
      },
-      "json"
+      "json",
-    ).fail(function( jqXhr, textStatus, errorThrown ){
+      function( jqXhr, textStatus, errorThrown ){
        dismiss();
        alert( textStatus + ':' + errorThrown );
@ -288,7 +288,7 @@ Refine.DatabaseSourceUI.prototype._executeQuery = function(jdbcQueryInfo) {
 Refine.DatabaseSourceUI.prototype._saveConnection = function(jdbcConnectionInfo) {	
    var self = this;
-    $.post(
+    Refine.postCSRF(
      "command/database/saved-connection",
      jdbcConnectionInfo,
      function(settings) {
@ -307,8 +307,8 @@ Refine.DatabaseSourceUI.prototype._saveConnection = function(jdbcConnectionInfo)
          }
      },
-      "json"
+      "json",
-    ).fail(function( jqXhr, textStatus, errorThrown ){
+      function( jqXhr, textStatus, errorThrown ){
        alert( textStatus + ':' + errorThrown );
    });
@ -346,7 +346,7 @@ Refine.DatabaseSourceUI.prototype._loadSavedConnections = function() {
 Refine.DatabaseSourceUI.prototype._testDatabaseConnect = function(jdbcConnectionInfo) {
    var self = this;
-    $.post(
+    Refine.postCSRF(
      "command/database/test-connect",
      jdbcConnectionInfo,
      function(jdbcConnectionResult) {
@ -357,8 +357,8 @@ Refine.DatabaseSourceUI.prototype._testDatabaseConnect = function(jdbcConnection
          }
      },
-      "json"
+      "json",
-    ).fail(function( jqXhr, textStatus, errorThrown ){
+      function( jqXhr, textStatus, errorThrown ){
        alert( textStatus + ':' + errorThrown );
    });
 };
@ -366,7 +366,7 @@ Refine.DatabaseSourceUI.prototype._testDatabaseConnect = function(jdbcConnection
 Refine.DatabaseSourceUI.prototype._connect = function(jdbcConnectionInfo) {
    var self = this;
-    $.post(
+    Refine.postCSRF(
      "command/database/connect",
      jdbcConnectionInfo,
      function(databaseInfo) {
@ -398,8 +398,8 @@ Refine.DatabaseSourceUI.prototype._connect = function(jdbcConnectionInfo) {
          }
      },
-      "json"
+      "json",
-    ).fail(function( jqXhr, textStatus, errorThrown ){
+      function( jqXhr, textStatus, errorThrown ){
        alert( textStatus + ':' + errorThrown );
    });
--- a/extensions/database/src/com/google/refine/extension/database/cmd/ConnectCommand.java
+++ b/extensions/database/src/com/google/refine/extension/database/cmd/ConnectCommand.java
@ -56,6 +56,10 @@ public class ConnectCommand extends DatabaseCommand {
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
    	if(!hasValidCSRFToken(request)) {
    		respondCSRFError(response);
    		return;
    	}
        DatabaseConfiguration databaseConfiguration = getJdbcConfiguration(request);
        if(logger.isDebugEnabled()) {
--- a/extensions/database/src/com/google/refine/extension/database/cmd/ExecuteQueryCommand.java
+++ b/extensions/database/src/com/google/refine/extension/database/cmd/ExecuteQueryCommand.java
@ -56,7 +56,10 @@ public class ExecuteQueryCommand extends DatabaseCommand {
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
-        
+    	if(!hasValidCSRFToken(request)) {
    		respondCSRFError(response);
    		return;
    	}
        DatabaseConfiguration databaseConfiguration = getJdbcConfiguration(request);
        String query = request.getParameter("queryString");
--- a/extensions/database/src/com/google/refine/extension/database/cmd/SavedConnectionCommand.java
+++ b/extensions/database/src/com/google/refine/extension/database/cmd/SavedConnectionCommand.java
@ -228,6 +228,10 @@ public class SavedConnectionCommand extends DatabaseCommand {
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
    	if(!hasValidCSRFToken(request)) {
    		respondCSRFError(response);
    		return;
    	}
        if(logger.isDebugEnabled()) {
            logger.debug("doPost Connection: {}", request.getParameter("connectionName"));
--- a/extensions/database/src/com/google/refine/extension/database/cmd/TestConnectCommand.java
+++ b/extensions/database/src/com/google/refine/extension/database/cmd/TestConnectCommand.java
@ -54,7 +54,10 @@ public class TestConnectCommand extends DatabaseCommand {
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
-        
+    	if(!hasValidCSRFToken(request)) {
    		respondCSRFError(response);
    		return;
    	}
        DatabaseConfiguration databaseConfiguration = getJdbcConfiguration(request);
        if(logger.isDebugEnabled()) {
--- a/extensions/database/src/com/google/refine/extension/database/cmd/TestQueryCommand.java
+++ b/extensions/database/src/com/google/refine/extension/database/cmd/TestQueryCommand.java
@ -56,6 +56,10 @@ public class TestQueryCommand extends DatabaseCommand {
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
    	if(!hasValidCSRFToken(request)) {
    		respondCSRFError(response);
    		return;
    	}
        DatabaseConfiguration dbConfig = getJdbcConfiguration(request);
        String query = request.getParameter("query");
--- a/extensions/database/tests/src/com/google/refine/extension/database/cmd/ConnectCommandTest.java
+++ b/extensions/database/tests/src/com/google/refine/extension/database/cmd/ConnectCommandTest.java
@ -20,6 +20,7 @@ import org.testng.annotations.Parameters;
 import org.testng.annotations.Test;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import com.google.refine.commands.Command;
 import com.google.refine.extension.database.DBExtensionTests;
 import com.google.refine.extension.database.DatabaseConfiguration;
 import com.google.refine.extension.database.DatabaseService;
@ -75,6 +76,7 @@ public class ConnectCommandTest extends DBExtensionTests {
        when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
        when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
        when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
        when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
        StringWriter sw = new StringWriter();
        PrintWriter pw = new PrintWriter(sw);
@ -94,5 +96,18 @@ public class ConnectCommandTest extends DBExtensionTests {
        Assert.assertNotNull(databaseInfo);
    }
    @Test
    public void testCsrfProtection() throws ServletException, IOException {
    	StringWriter sw = new StringWriter();
        PrintWriter pw = new PrintWriter(sw);
        when(response.getWriter()).thenReturn(pw);
        ConnectCommand connectCommand = new ConnectCommand();
        connectCommand.doPost(request, response);
    	Assert.assertEquals(
    			ParsingUtilities.mapper.readValue("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", ObjectNode.class),
    			ParsingUtilities.mapper.readValue(sw.toString(), ObjectNode.class));
    }
 }
--- a/extensions/database/tests/src/com/google/refine/extension/database/cmd/ExecuteQueryCommandTest.java
+++ b/extensions/database/tests/src/com/google/refine/extension/database/cmd/ExecuteQueryCommandTest.java
@ -19,6 +19,7 @@ import org.testng.annotations.Parameters;
 import org.testng.annotations.Test;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import com.google.refine.commands.Command;
 import com.google.refine.extension.database.DBExtensionTests;
 import com.google.refine.extension.database.DatabaseConfiguration;
 import com.google.refine.extension.database.DatabaseService;
@ -72,6 +73,7 @@ public class ExecuteQueryCommandTest extends DBExtensionTests {
        when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
        when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
        when(request.getParameter("queryString")).thenReturn("SELECT count(*) FROM " + testTable);
        when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
        StringWriter sw = new StringWriter();
@ -93,4 +95,17 @@ public class ExecuteQueryCommandTest extends DBExtensionTests {
        Assert.assertNotNull(queryResult);
    }
    @Test
    public void testCsrfProtection() throws ServletException, IOException {
    	StringWriter sw = new StringWriter();
        PrintWriter pw = new PrintWriter(sw);
        when(response.getWriter()).thenReturn(pw);
        ConnectCommand connectCommand = new ConnectCommand();
        connectCommand.doPost(request, response);
    	Assert.assertEquals(
    			ParsingUtilities.mapper.readValue("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", ObjectNode.class),
    			ParsingUtilities.mapper.readValue(sw.toString(), ObjectNode.class));
    }
 }
--- a/extensions/database/tests/src/com/google/refine/extension/database/cmd/SavedConnectionCommandTest.java
+++ b/extensions/database/tests/src/com/google/refine/extension/database/cmd/SavedConnectionCommandTest.java
@ -31,6 +31,7 @@ import com.fasterxml.jackson.databind.node.ObjectNode;
 import com.google.refine.ProjectManager;
 import com.google.refine.ProjectMetadata;
 import com.google.refine.RefineServlet;
 import com.google.refine.commands.Command;
 import com.google.refine.extension.database.DBExtensionTestUtils;
 import com.google.refine.extension.database.DBExtensionTests;
 import com.google.refine.extension.database.DatabaseConfiguration;
@ -125,6 +126,7 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
        when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
        when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
        when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
        when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
        StringWriter sw = new StringWriter();
        PrintWriter pw = new PrintWriter(sw);
@ -150,6 +152,7 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
        when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
        when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
        when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
        when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
        StringWriter sw = new StringWriter();
        PrintWriter pw = new PrintWriter(sw);
@ -187,6 +190,7 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
        when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
        when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
        when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
        when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
        StringWriter sw = new StringWriter();
        PrintWriter pw = new PrintWriter(sw);
@ -227,6 +231,7 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
        when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
        when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
        when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
        when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
        SUT.doPut(request, response);
@ -309,6 +314,7 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
        when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
        when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
        when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
        when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
        StringWriter sw = new StringWriter();
        PrintWriter pw = new PrintWriter(sw);
@ -320,7 +326,18 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
        verify(response, times(1)).sendError(HttpStatus.SC_BAD_REQUEST, "Connection Name is Invalid. Expecting [a-zA-Z0-9._-]");
    }
    @Test
    public void testCsrfProtection() throws ServletException, IOException {
    	StringWriter sw = new StringWriter();
        PrintWriter pw = new PrintWriter(sw);
        when(response.getWriter()).thenReturn(pw);
        SUT.doPost(request, response);
    	Assert.assertEquals(
    			ParsingUtilities.mapper.readValue("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", ObjectNode.class),
    			ParsingUtilities.mapper.readValue(sw.toString(), ObjectNode.class));
    }
 }
--- a/extensions/database/tests/src/com/google/refine/extension/database/cmd/TestConnectCommandTest.java
+++ b/extensions/database/tests/src/com/google/refine/extension/database/cmd/TestConnectCommandTest.java
@ -19,6 +19,7 @@ import org.testng.annotations.Parameters;
 import org.testng.annotations.Test;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import com.google.refine.commands.Command;
 import com.google.refine.extension.database.DBExtensionTests;
 import com.google.refine.extension.database.DatabaseConfiguration;
 import com.google.refine.extension.database.DatabaseService;
@ -74,6 +75,7 @@ public class TestConnectCommandTest extends DBExtensionTests{
        when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
        when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
        when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
        when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
        StringWriter sw = new StringWriter();
@ -93,4 +95,18 @@ public class TestConnectCommandTest extends DBExtensionTests{
    }
    @Test
    public void testCsrfProtection() throws ServletException, IOException {
    	StringWriter sw = new StringWriter();
        PrintWriter pw = new PrintWriter(sw);
        when(response.getWriter()).thenReturn(pw);
        ConnectCommand connectCommand = new ConnectCommand();
        connectCommand.doPost(request, response);
    	Assert.assertEquals(
    			ParsingUtilities.mapper.readValue("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", ObjectNode.class),
    			ParsingUtilities.mapper.readValue(sw.toString(), ObjectNode.class));
    }
 }
--- a/extensions/database/tests/src/com/google/refine/extension/database/cmd/TestQueryCommandTest.java
+++ b/extensions/database/tests/src/com/google/refine/extension/database/cmd/TestQueryCommandTest.java
@ -19,6 +19,7 @@ import org.testng.annotations.Parameters;
 import org.testng.annotations.Test;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import com.google.refine.commands.Command;
 import com.google.refine.extension.database.DBExtensionTests;
 import com.google.refine.extension.database.DatabaseConfiguration;
 import com.google.refine.extension.database.DatabaseService;
@ -73,7 +74,7 @@ public class TestQueryCommandTest extends DBExtensionTests {
        when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
        when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
        when(request.getParameter("query")).thenReturn("SELECT count(*) FROM " + testTable);
-        
+        when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
        StringWriter sw = new StringWriter();
@ -95,4 +96,18 @@ public class TestQueryCommandTest extends DBExtensionTests {
    }
    @Test
    public void testCsrfProtection() throws ServletException, IOException {
    	StringWriter sw = new StringWriter();
        PrintWriter pw = new PrintWriter(sw);
        when(response.getWriter()).thenReturn(pw);
        TestQueryCommand connectCommand = new TestQueryCommand();
        connectCommand.doPost(request, response);
    	Assert.assertEquals(
    			ParsingUtilities.mapper.readValue("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", ObjectNode.class),
    			ParsingUtilities.mapper.readValue(sw.toString(), ObjectNode.class));
    }
 }