CSRF protection for database extension
This commit is contained in:
parent
9ae6a7a581
commit
b52c009491
@ -69,7 +69,7 @@ DatabaseExtension.handleConnectClicked = function(connectionName) {
|
||||
databaseConfig.initialDatabase = savedConfig.databaseName;
|
||||
databaseConfig.initialSchema = savedConfig.databaseSchema;
|
||||
|
||||
$.post(
|
||||
Refine.postCSRF(
|
||||
"command/database/connect",
|
||||
databaseConfig,
|
||||
|
||||
@ -101,8 +101,8 @@ DatabaseExtension.handleConnectClicked = function(connectionName) {
|
||||
}
|
||||
|
||||
},
|
||||
"json"
|
||||
).fail(function( jqXhr, textStatus, errorThrown ){
|
||||
"json",
|
||||
function( jqXhr, textStatus, errorThrown ){
|
||||
alert( textStatus + ':' + errorThrown );
|
||||
});
|
||||
|
||||
|
@ -65,14 +65,16 @@ Refine.DatabaseImportController.prototype.startImportingDocument = function(quer
|
||||
//alert(queryInfo.query);
|
||||
var self = this;
|
||||
|
||||
$.post(
|
||||
Refine.postCSRF(
|
||||
"command/core/create-importing-job",
|
||||
null,
|
||||
function(data) {
|
||||
Refine.wrapCSRF(function(token) {
|
||||
$.post(
|
||||
"command/core/importing-controller?" + $.param({
|
||||
"controller": "database/database-import-controller",
|
||||
"subCommand": "initialize-parser-ui"
|
||||
"subCommand": "initialize-parser-ui",
|
||||
"csrf_token": token
|
||||
}),
|
||||
queryInfo,
|
||||
|
||||
@ -92,6 +94,7 @@ Refine.DatabaseImportController.prototype.startImportingDocument = function(quer
|
||||
},
|
||||
"json"
|
||||
);
|
||||
});
|
||||
},
|
||||
"json"
|
||||
);
|
||||
@ -248,11 +251,13 @@ Refine.DatabaseImportController.prototype._updatePreview = function() {
|
||||
this._queryInfo.options = JSON.stringify(this.getOptions());
|
||||
//alert("options:" + this._queryInfo.options);
|
||||
|
||||
Refine.wrapCSRF(function(token) {
|
||||
$.post(
|
||||
"command/core/importing-controller?" + $.param({
|
||||
"controller": "database/database-import-controller",
|
||||
"jobID": this._jobID,
|
||||
"subCommand": "parse-preview"
|
||||
"subCommand": "parse-preview",
|
||||
"csrf_token": token
|
||||
}),
|
||||
|
||||
this._queryInfo,
|
||||
@ -282,6 +287,7 @@ Refine.DatabaseImportController.prototype._updatePreview = function() {
|
||||
},
|
||||
"json"
|
||||
);
|
||||
});
|
||||
};
|
||||
|
||||
Refine.DatabaseImportController.prototype._getPreviewData = function(callback, numRows) {
|
||||
@ -329,11 +335,13 @@ Refine.DatabaseImportController.prototype._createProject = function() {
|
||||
options.projectName = projectName;
|
||||
|
||||
this._queryInfo.options = JSON.stringify(options);
|
||||
Refine.wrapCSRF(function(token) {
|
||||
$.post(
|
||||
"command/core/importing-controller?" + $.param({
|
||||
"controller": "database/database-import-controller",
|
||||
"jobID": this._jobID,
|
||||
"subCommand": "create-project"
|
||||
"subCommand": "create-project",
|
||||
"csrf_token": token
|
||||
}),
|
||||
this._queryInfo,
|
||||
function(o) {
|
||||
@ -376,4 +384,5 @@ Refine.DatabaseImportController.prototype._createProject = function() {
|
||||
},
|
||||
"json"
|
||||
);
|
||||
});
|
||||
};
|
||||
|
@ -268,7 +268,7 @@ Refine.DatabaseSourceUI.prototype._executeQuery = function(jdbcQueryInfo) {
|
||||
|
||||
var dismiss = DialogSystem.showBusy($.i18n('database-import/checking'));
|
||||
|
||||
$.post(
|
||||
Refine.postCSRF(
|
||||
"command/database/test-query",
|
||||
jdbcQueryInfo,
|
||||
function(jdbcConnectionResult) {
|
||||
@ -277,8 +277,8 @@ Refine.DatabaseSourceUI.prototype._executeQuery = function(jdbcQueryInfo) {
|
||||
self._controller.startImportingDocument(jdbcQueryInfo);
|
||||
|
||||
},
|
||||
"json"
|
||||
).fail(function( jqXhr, textStatus, errorThrown ){
|
||||
"json",
|
||||
function( jqXhr, textStatus, errorThrown ){
|
||||
|
||||
dismiss();
|
||||
alert( textStatus + ':' + errorThrown );
|
||||
@ -288,7 +288,7 @@ Refine.DatabaseSourceUI.prototype._executeQuery = function(jdbcQueryInfo) {
|
||||
|
||||
Refine.DatabaseSourceUI.prototype._saveConnection = function(jdbcConnectionInfo) {
|
||||
var self = this;
|
||||
$.post(
|
||||
Refine.postCSRF(
|
||||
"command/database/saved-connection",
|
||||
jdbcConnectionInfo,
|
||||
function(settings) {
|
||||
@ -307,8 +307,8 @@ Refine.DatabaseSourceUI.prototype._saveConnection = function(jdbcConnectionInfo)
|
||||
}
|
||||
|
||||
},
|
||||
"json"
|
||||
).fail(function( jqXhr, textStatus, errorThrown ){
|
||||
"json",
|
||||
function( jqXhr, textStatus, errorThrown ){
|
||||
alert( textStatus + ':' + errorThrown );
|
||||
});
|
||||
|
||||
@ -346,7 +346,7 @@ Refine.DatabaseSourceUI.prototype._loadSavedConnections = function() {
|
||||
Refine.DatabaseSourceUI.prototype._testDatabaseConnect = function(jdbcConnectionInfo) {
|
||||
|
||||
var self = this;
|
||||
$.post(
|
||||
Refine.postCSRF(
|
||||
"command/database/test-connect",
|
||||
jdbcConnectionInfo,
|
||||
function(jdbcConnectionResult) {
|
||||
@ -357,8 +357,8 @@ Refine.DatabaseSourceUI.prototype._testDatabaseConnect = function(jdbcConnection
|
||||
}
|
||||
|
||||
},
|
||||
"json"
|
||||
).fail(function( jqXhr, textStatus, errorThrown ){
|
||||
"json",
|
||||
function( jqXhr, textStatus, errorThrown ){
|
||||
alert( textStatus + ':' + errorThrown );
|
||||
});
|
||||
};
|
||||
@ -366,7 +366,7 @@ Refine.DatabaseSourceUI.prototype._testDatabaseConnect = function(jdbcConnection
|
||||
Refine.DatabaseSourceUI.prototype._connect = function(jdbcConnectionInfo) {
|
||||
|
||||
var self = this;
|
||||
$.post(
|
||||
Refine.postCSRF(
|
||||
"command/database/connect",
|
||||
jdbcConnectionInfo,
|
||||
function(databaseInfo) {
|
||||
@ -398,8 +398,8 @@ Refine.DatabaseSourceUI.prototype._connect = function(jdbcConnectionInfo) {
|
||||
}
|
||||
|
||||
},
|
||||
"json"
|
||||
).fail(function( jqXhr, textStatus, errorThrown ){
|
||||
"json",
|
||||
function( jqXhr, textStatus, errorThrown ){
|
||||
alert( textStatus + ':' + errorThrown );
|
||||
});
|
||||
|
||||
|
@ -56,6 +56,10 @@ public class ConnectCommand extends DatabaseCommand {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
DatabaseConfiguration databaseConfiguration = getJdbcConfiguration(request);
|
||||
if(logger.isDebugEnabled()) {
|
||||
|
@ -56,7 +56,10 @@ public class ExecuteQueryCommand extends DatabaseCommand {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
DatabaseConfiguration databaseConfiguration = getJdbcConfiguration(request);
|
||||
String query = request.getParameter("queryString");
|
||||
|
@ -228,6 +228,10 @@ public class SavedConnectionCommand extends DatabaseCommand {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
if(logger.isDebugEnabled()) {
|
||||
logger.debug("doPost Connection: {}", request.getParameter("connectionName"));
|
||||
|
@ -54,7 +54,10 @@ public class TestConnectCommand extends DatabaseCommand {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
DatabaseConfiguration databaseConfiguration = getJdbcConfiguration(request);
|
||||
if(logger.isDebugEnabled()) {
|
||||
|
@ -56,6 +56,10 @@ public class TestQueryCommand extends DatabaseCommand {
|
||||
@Override
|
||||
public void doPost(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
if(!hasValidCSRFToken(request)) {
|
||||
respondCSRFError(response);
|
||||
return;
|
||||
}
|
||||
|
||||
DatabaseConfiguration dbConfig = getJdbcConfiguration(request);
|
||||
String query = request.getParameter("query");
|
||||
|
@ -20,6 +20,7 @@ import org.testng.annotations.Parameters;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
import com.fasterxml.jackson.databind.node.ObjectNode;
|
||||
import com.google.refine.commands.Command;
|
||||
import com.google.refine.extension.database.DBExtensionTests;
|
||||
import com.google.refine.extension.database.DatabaseConfiguration;
|
||||
import com.google.refine.extension.database.DatabaseService;
|
||||
@ -75,6 +76,7 @@ public class ConnectCommandTest extends DBExtensionTests {
|
||||
when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
|
||||
when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
|
||||
when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
|
||||
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
|
||||
|
||||
StringWriter sw = new StringWriter();
|
||||
PrintWriter pw = new PrintWriter(sw);
|
||||
@ -94,5 +96,18 @@ public class ConnectCommandTest extends DBExtensionTests {
|
||||
Assert.assertNotNull(databaseInfo);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCsrfProtection() throws ServletException, IOException {
|
||||
StringWriter sw = new StringWriter();
|
||||
PrintWriter pw = new PrintWriter(sw);
|
||||
|
||||
when(response.getWriter()).thenReturn(pw);
|
||||
ConnectCommand connectCommand = new ConnectCommand();
|
||||
|
||||
connectCommand.doPost(request, response);
|
||||
Assert.assertEquals(
|
||||
ParsingUtilities.mapper.readValue("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", ObjectNode.class),
|
||||
ParsingUtilities.mapper.readValue(sw.toString(), ObjectNode.class));
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -19,6 +19,7 @@ import org.testng.annotations.Parameters;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
import com.fasterxml.jackson.databind.node.ObjectNode;
|
||||
import com.google.refine.commands.Command;
|
||||
import com.google.refine.extension.database.DBExtensionTests;
|
||||
import com.google.refine.extension.database.DatabaseConfiguration;
|
||||
import com.google.refine.extension.database.DatabaseService;
|
||||
@ -72,6 +73,7 @@ public class ExecuteQueryCommandTest extends DBExtensionTests {
|
||||
when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
|
||||
when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
|
||||
when(request.getParameter("queryString")).thenReturn("SELECT count(*) FROM " + testTable);
|
||||
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
|
||||
|
||||
|
||||
StringWriter sw = new StringWriter();
|
||||
@ -93,4 +95,17 @@ public class ExecuteQueryCommandTest extends DBExtensionTests {
|
||||
Assert.assertNotNull(queryResult);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCsrfProtection() throws ServletException, IOException {
|
||||
StringWriter sw = new StringWriter();
|
||||
PrintWriter pw = new PrintWriter(sw);
|
||||
|
||||
when(response.getWriter()).thenReturn(pw);
|
||||
ConnectCommand connectCommand = new ConnectCommand();
|
||||
|
||||
connectCommand.doPost(request, response);
|
||||
Assert.assertEquals(
|
||||
ParsingUtilities.mapper.readValue("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", ObjectNode.class),
|
||||
ParsingUtilities.mapper.readValue(sw.toString(), ObjectNode.class));
|
||||
}
|
||||
}
|
||||
|
@ -31,6 +31,7 @@ import com.fasterxml.jackson.databind.node.ObjectNode;
|
||||
import com.google.refine.ProjectManager;
|
||||
import com.google.refine.ProjectMetadata;
|
||||
import com.google.refine.RefineServlet;
|
||||
import com.google.refine.commands.Command;
|
||||
import com.google.refine.extension.database.DBExtensionTestUtils;
|
||||
import com.google.refine.extension.database.DBExtensionTests;
|
||||
import com.google.refine.extension.database.DatabaseConfiguration;
|
||||
@ -125,6 +126,7 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
|
||||
when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
|
||||
when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
|
||||
when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
|
||||
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
|
||||
StringWriter sw = new StringWriter();
|
||||
PrintWriter pw = new PrintWriter(sw);
|
||||
|
||||
@ -150,6 +152,7 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
|
||||
when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
|
||||
when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
|
||||
when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
|
||||
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
|
||||
|
||||
StringWriter sw = new StringWriter();
|
||||
PrintWriter pw = new PrintWriter(sw);
|
||||
@ -187,6 +190,7 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
|
||||
when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
|
||||
when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
|
||||
when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
|
||||
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
|
||||
|
||||
StringWriter sw = new StringWriter();
|
||||
PrintWriter pw = new PrintWriter(sw);
|
||||
@ -227,6 +231,7 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
|
||||
when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
|
||||
when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
|
||||
when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
|
||||
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
|
||||
|
||||
SUT.doPut(request, response);
|
||||
|
||||
@ -309,6 +314,7 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
|
||||
when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
|
||||
when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
|
||||
when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
|
||||
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
|
||||
|
||||
StringWriter sw = new StringWriter();
|
||||
PrintWriter pw = new PrintWriter(sw);
|
||||
@ -320,7 +326,18 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
|
||||
verify(response, times(1)).sendError(HttpStatus.SC_BAD_REQUEST, "Connection Name is Invalid. Expecting [a-zA-Z0-9._-]");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCsrfProtection() throws ServletException, IOException {
|
||||
StringWriter sw = new StringWriter();
|
||||
PrintWriter pw = new PrintWriter(sw);
|
||||
|
||||
when(response.getWriter()).thenReturn(pw);
|
||||
|
||||
SUT.doPost(request, response);
|
||||
Assert.assertEquals(
|
||||
ParsingUtilities.mapper.readValue("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", ObjectNode.class),
|
||||
ParsingUtilities.mapper.readValue(sw.toString(), ObjectNode.class));
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
@ -19,6 +19,7 @@ import org.testng.annotations.Parameters;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
import com.fasterxml.jackson.databind.node.ObjectNode;
|
||||
import com.google.refine.commands.Command;
|
||||
import com.google.refine.extension.database.DBExtensionTests;
|
||||
import com.google.refine.extension.database.DatabaseConfiguration;
|
||||
import com.google.refine.extension.database.DatabaseService;
|
||||
@ -74,6 +75,7 @@ public class TestConnectCommandTest extends DBExtensionTests{
|
||||
when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
|
||||
when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
|
||||
when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
|
||||
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
|
||||
|
||||
|
||||
StringWriter sw = new StringWriter();
|
||||
@ -93,4 +95,18 @@ public class TestConnectCommandTest extends DBExtensionTests{
|
||||
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCsrfProtection() throws ServletException, IOException {
|
||||
StringWriter sw = new StringWriter();
|
||||
PrintWriter pw = new PrintWriter(sw);
|
||||
|
||||
when(response.getWriter()).thenReturn(pw);
|
||||
ConnectCommand connectCommand = new ConnectCommand();
|
||||
|
||||
connectCommand.doPost(request, response);
|
||||
Assert.assertEquals(
|
||||
ParsingUtilities.mapper.readValue("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", ObjectNode.class),
|
||||
ParsingUtilities.mapper.readValue(sw.toString(), ObjectNode.class));
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -19,6 +19,7 @@ import org.testng.annotations.Parameters;
|
||||
import org.testng.annotations.Test;
|
||||
|
||||
import com.fasterxml.jackson.databind.node.ObjectNode;
|
||||
import com.google.refine.commands.Command;
|
||||
import com.google.refine.extension.database.DBExtensionTests;
|
||||
import com.google.refine.extension.database.DatabaseConfiguration;
|
||||
import com.google.refine.extension.database.DatabaseService;
|
||||
@ -73,7 +74,7 @@ public class TestQueryCommandTest extends DBExtensionTests {
|
||||
when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
|
||||
when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
|
||||
when(request.getParameter("query")).thenReturn("SELECT count(*) FROM " + testTable);
|
||||
|
||||
when(request.getParameter("csrf_token")).thenReturn(Command.csrfFactory.getFreshToken());
|
||||
|
||||
StringWriter sw = new StringWriter();
|
||||
|
||||
@ -95,4 +96,18 @@ public class TestQueryCommandTest extends DBExtensionTests {
|
||||
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCsrfProtection() throws ServletException, IOException {
|
||||
StringWriter sw = new StringWriter();
|
||||
PrintWriter pw = new PrintWriter(sw);
|
||||
|
||||
when(response.getWriter()).thenReturn(pw);
|
||||
TestQueryCommand connectCommand = new TestQueryCommand();
|
||||
|
||||
connectCommand.doPost(request, response);
|
||||
Assert.assertEquals(
|
||||
ParsingUtilities.mapper.readValue("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", ObjectNode.class),
|
||||
ParsingUtilities.mapper.readValue(sw.toString(), ObjectNode.class));
|
||||
}
|
||||
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user