CSRF protection for database extension

This commit is contained in:
Antonin Delpeuch 2019-10-17 09:10:28 +01:00
parent 9ae6a7a581
commit b52c009491
13 changed files with 227 additions and 122 deletions

View File

@ -69,7 +69,7 @@ DatabaseExtension.handleConnectClicked = function(connectionName) {
databaseConfig.initialDatabase = savedConfig.databaseName;
databaseConfig.initialSchema = savedConfig.databaseSchema;
$.post(
Refine.postCSRF(
"command/database/connect",
databaseConfig,
@ -101,8 +101,8 @@ DatabaseExtension.handleConnectClicked = function(connectionName) {
}
},
"json"
).fail(function( jqXhr, textStatus, errorThrown ){
"json",
function( jqXhr, textStatus, errorThrown ){
alert( textStatus + ':' + errorThrown );
});

View File

@ -65,14 +65,16 @@ Refine.DatabaseImportController.prototype.startImportingDocument = function(quer
//alert(queryInfo.query);
var self = this;
$.post(
Refine.postCSRF(
"command/core/create-importing-job",
null,
function(data) {
Refine.wrapCSRF(function(token) {
$.post(
"command/core/importing-controller?" + $.param({
"controller": "database/database-import-controller",
"subCommand": "initialize-parser-ui"
"subCommand": "initialize-parser-ui",
"csrf_token": token
}),
queryInfo,
@ -92,6 +94,7 @@ Refine.DatabaseImportController.prototype.startImportingDocument = function(quer
},
"json"
);
});
},
"json"
);
@ -248,11 +251,13 @@ Refine.DatabaseImportController.prototype._updatePreview = function() {
this._queryInfo.options = JSON.stringify(this.getOptions());
//alert("options:" + this._queryInfo.options);
Refine.wrapCSRF(function(token) {
$.post(
"command/core/importing-controller?" + $.param({
"controller": "database/database-import-controller",
"jobID": this._jobID,
"subCommand": "parse-preview"
"subCommand": "parse-preview",
"csrf_token": token
}),
this._queryInfo,
@ -282,6 +287,7 @@ Refine.DatabaseImportController.prototype._updatePreview = function() {
},
"json"
);
});
};
Refine.DatabaseImportController.prototype._getPreviewData = function(callback, numRows) {
@ -329,11 +335,13 @@ Refine.DatabaseImportController.prototype._createProject = function() {
options.projectName = projectName;
this._queryInfo.options = JSON.stringify(options);
Refine.wrapCSRF(function(token) {
$.post(
"command/core/importing-controller?" + $.param({
"controller": "database/database-import-controller",
"jobID": this._jobID,
"subCommand": "create-project"
"subCommand": "create-project",
"csrf_token": token
}),
this._queryInfo,
function(o) {
@ -376,4 +384,5 @@ Refine.DatabaseImportController.prototype._createProject = function() {
},
"json"
);
});
};

View File

@ -268,7 +268,7 @@ Refine.DatabaseSourceUI.prototype._executeQuery = function(jdbcQueryInfo) {
var dismiss = DialogSystem.showBusy($.i18n('database-import/checking'));
$.post(
Refine.postCSRF(
"command/database/test-query",
jdbcQueryInfo,
function(jdbcConnectionResult) {
@ -277,8 +277,8 @@ Refine.DatabaseSourceUI.prototype._executeQuery = function(jdbcQueryInfo) {
self._controller.startImportingDocument(jdbcQueryInfo);
},
"json"
).fail(function( jqXhr, textStatus, errorThrown ){
"json",
function( jqXhr, textStatus, errorThrown ){
dismiss();
alert( textStatus + ':' + errorThrown );
@ -288,7 +288,7 @@ Refine.DatabaseSourceUI.prototype._executeQuery = function(jdbcQueryInfo) {
Refine.DatabaseSourceUI.prototype._saveConnection = function(jdbcConnectionInfo) {
var self = this;
$.post(
Refine.postCSRF(
"command/database/saved-connection",
jdbcConnectionInfo,
function(settings) {
@ -307,8 +307,8 @@ Refine.DatabaseSourceUI.prototype._saveConnection = function(jdbcConnectionInfo)
}
},
"json"
).fail(function( jqXhr, textStatus, errorThrown ){
"json",
function( jqXhr, textStatus, errorThrown ){
alert( textStatus + ':' + errorThrown );
});
@ -346,7 +346,7 @@ Refine.DatabaseSourceUI.prototype._loadSavedConnections = function() {
Refine.DatabaseSourceUI.prototype._testDatabaseConnect = function(jdbcConnectionInfo) {
var self = this;
$.post(
Refine.postCSRF(
"command/database/test-connect",
jdbcConnectionInfo,
function(jdbcConnectionResult) {
@ -357,8 +357,8 @@ Refine.DatabaseSourceUI.prototype._testDatabaseConnect = function(jdbcConnection
}
},
"json"
).fail(function( jqXhr, textStatus, errorThrown ){
"json",
function( jqXhr, textStatus, errorThrown ){
alert( textStatus + ':' + errorThrown );
});
};
@ -366,7 +366,7 @@ Refine.DatabaseSourceUI.prototype._testDatabaseConnect = function(jdbcConnection
Refine.DatabaseSourceUI.prototype._connect = function(jdbcConnectionInfo) {
var self = this;
$.post(
Refine.postCSRF(
"command/database/connect",
jdbcConnectionInfo,
function(databaseInfo) {
@ -398,8 +398,8 @@ Refine.DatabaseSourceUI.prototype._connect = function(jdbcConnectionInfo) {
}
},
"json"
).fail(function( jqXhr, textStatus, errorThrown ){
"json",
function( jqXhr, textStatus, errorThrown ){
alert( textStatus + ':' + errorThrown );
});

View File

@ -56,6 +56,10 @@ public class ConnectCommand extends DatabaseCommand {
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
if(!hasValidCSRFToken(request)) {
respondCSRFError(response);
return;
}
DatabaseConfiguration databaseConfiguration = getJdbcConfiguration(request);
if(logger.isDebugEnabled()) {

View File

@ -56,7 +56,10 @@ public class ExecuteQueryCommand extends DatabaseCommand {
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
if(!hasValidCSRFToken(request)) {
respondCSRFError(response);
return;
}
DatabaseConfiguration databaseConfiguration = getJdbcConfiguration(request);
String query = request.getParameter("queryString");

View File

@ -228,6 +228,10 @@ public class SavedConnectionCommand extends DatabaseCommand {
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
if(!hasValidCSRFToken(request)) {
respondCSRFError(response);
return;
}
if(logger.isDebugEnabled()) {
logger.debug("doPost Connection: {}", request.getParameter("connectionName"));

View File

@ -54,7 +54,10 @@ public class TestConnectCommand extends DatabaseCommand {
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
if(!hasValidCSRFToken(request)) {
respondCSRFError(response);
return;
}
DatabaseConfiguration databaseConfiguration = getJdbcConfiguration(request);
if(logger.isDebugEnabled()) {

View File

@ -56,6 +56,10 @@ public class TestQueryCommand extends DatabaseCommand {
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
if(!hasValidCSRFToken(request)) {
respondCSRFError(response);
return;
}
DatabaseConfiguration dbConfig = getJdbcConfiguration(request);
String query = request.getParameter("query");

View File

@ -20,6 +20,7 @@ import org.testng.annotations.Parameters;
import org.testng.annotations.Test;
import com.fasterxml.jackson.databind.node.ObjectNode;
import com.google.refine.commands.Command;
import com.google.refine.extension.database.DBExtensionTests;
import com.google.refine.extension.database.DatabaseConfiguration;
import com.google.refine.extension.database.DatabaseService;
@ -75,6 +76,7 @@ public class ConnectCommandTest extends DBExtensionTests {
when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
StringWriter sw = new StringWriter();
PrintWriter pw = new PrintWriter(sw);
@ -94,5 +96,18 @@ public class ConnectCommandTest extends DBExtensionTests {
Assert.assertNotNull(databaseInfo);
}
@Test
public void testCsrfProtection() throws ServletException, IOException {
StringWriter sw = new StringWriter();
PrintWriter pw = new PrintWriter(sw);
when(response.getWriter()).thenReturn(pw);
ConnectCommand connectCommand = new ConnectCommand();
connectCommand.doPost(request, response);
Assert.assertEquals(
ParsingUtilities.mapper.readValue("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", ObjectNode.class),
ParsingUtilities.mapper.readValue(sw.toString(), ObjectNode.class));
}
}

View File

@ -19,6 +19,7 @@ import org.testng.annotations.Parameters;
import org.testng.annotations.Test;
import com.fasterxml.jackson.databind.node.ObjectNode;
import com.google.refine.commands.Command;
import com.google.refine.extension.database.DBExtensionTests;
import com.google.refine.extension.database.DatabaseConfiguration;
import com.google.refine.extension.database.DatabaseService;
@ -72,6 +73,7 @@ public class ExecuteQueryCommandTest extends DBExtensionTests {
when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
when(request.getParameter("queryString")).thenReturn("SELECT count(*) FROM " + testTable);
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
StringWriter sw = new StringWriter();
@ -93,4 +95,17 @@ public class ExecuteQueryCommandTest extends DBExtensionTests {
Assert.assertNotNull(queryResult);
}
@Test
public void testCsrfProtection() throws ServletException, IOException {
StringWriter sw = new StringWriter();
PrintWriter pw = new PrintWriter(sw);
when(response.getWriter()).thenReturn(pw);
ConnectCommand connectCommand = new ConnectCommand();
connectCommand.doPost(request, response);
Assert.assertEquals(
ParsingUtilities.mapper.readValue("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", ObjectNode.class),
ParsingUtilities.mapper.readValue(sw.toString(), ObjectNode.class));
}
}

View File

@ -31,6 +31,7 @@ import com.fasterxml.jackson.databind.node.ObjectNode;
import com.google.refine.ProjectManager;
import com.google.refine.ProjectMetadata;
import com.google.refine.RefineServlet;
import com.google.refine.commands.Command;
import com.google.refine.extension.database.DBExtensionTestUtils;
import com.google.refine.extension.database.DBExtensionTests;
import com.google.refine.extension.database.DatabaseConfiguration;
@ -125,6 +126,7 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
StringWriter sw = new StringWriter();
PrintWriter pw = new PrintWriter(sw);
@ -150,6 +152,7 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
StringWriter sw = new StringWriter();
PrintWriter pw = new PrintWriter(sw);
@ -187,6 +190,7 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
StringWriter sw = new StringWriter();
PrintWriter pw = new PrintWriter(sw);
@ -227,6 +231,7 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
SUT.doPut(request, response);
@ -309,6 +314,7 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
StringWriter sw = new StringWriter();
PrintWriter pw = new PrintWriter(sw);
@ -320,7 +326,18 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
verify(response, times(1)).sendError(HttpStatus.SC_BAD_REQUEST, "Connection Name is Invalid. Expecting [a-zA-Z0-9._-]");
}
@Test
public void testCsrfProtection() throws ServletException, IOException {
StringWriter sw = new StringWriter();
PrintWriter pw = new PrintWriter(sw);
when(response.getWriter()).thenReturn(pw);
SUT.doPost(request, response);
Assert.assertEquals(
ParsingUtilities.mapper.readValue("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", ObjectNode.class),
ParsingUtilities.mapper.readValue(sw.toString(), ObjectNode.class));
}
}

View File

@ -19,6 +19,7 @@ import org.testng.annotations.Parameters;
import org.testng.annotations.Test;
import com.fasterxml.jackson.databind.node.ObjectNode;
import com.google.refine.commands.Command;
import com.google.refine.extension.database.DBExtensionTests;
import com.google.refine.extension.database.DatabaseConfiguration;
import com.google.refine.extension.database.DatabaseService;
@ -74,6 +75,7 @@ public class TestConnectCommandTest extends DBExtensionTests{
when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
StringWriter sw = new StringWriter();
@ -93,4 +95,18 @@ public class TestConnectCommandTest extends DBExtensionTests{
}
@Test
public void testCsrfProtection() throws ServletException, IOException {
StringWriter sw = new StringWriter();
PrintWriter pw = new PrintWriter(sw);
when(response.getWriter()).thenReturn(pw);
ConnectCommand connectCommand = new ConnectCommand();
connectCommand.doPost(request, response);
Assert.assertEquals(
ParsingUtilities.mapper.readValue("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", ObjectNode.class),
ParsingUtilities.mapper.readValue(sw.toString(), ObjectNode.class));
}
}

View File

@ -19,6 +19,7 @@ import org.testng.annotations.Parameters;
import org.testng.annotations.Test;
import com.fasterxml.jackson.databind.node.ObjectNode;
import com.google.refine.commands.Command;
import com.google.refine.extension.database.DBExtensionTests;
import com.google.refine.extension.database.DatabaseConfiguration;
import com.google.refine.extension.database.DatabaseService;
@ -73,7 +74,7 @@ public class TestQueryCommandTest extends DBExtensionTests {
when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
when(request.getParameter("query")).thenReturn("SELECT count(*) FROM " + testTable);
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
StringWriter sw = new StringWriter();
@ -95,4 +96,18 @@ public class TestQueryCommandTest extends DBExtensionTests {
}
@Test
public void testCsrfProtection() throws ServletException, IOException {
StringWriter sw = new StringWriter();
PrintWriter pw = new PrintWriter(sw);
when(response.getWriter()).thenReturn(pw);
TestQueryCommand connectCommand = new TestQueryCommand();
connectCommand.doPost(request, response);
Assert.assertEquals(
ParsingUtilities.mapper.readValue("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", ObjectNode.class),
ParsingUtilities.mapper.readValue(sw.toString(), ObjectNode.class));
}
}