enable xrfs protection only on write request

This change is required in order to fix the image viewer and the download feature of the editor plugin
This commit is contained in:
Sebastian Sdorra
2020-01-14 13:28:17 +01:00
parent a2c9eeb858
commit 1cade825af
2 changed files with 110 additions and 63 deletions


@@ -30,12 +30,15 @@
*/
package sonia.scm.security;
import com.google.common.collect.ImmutableSet;
import sonia.scm.plugin.Extension;
import javax.inject.Inject;
import javax.inject.Provider;
import javax.servlet.http.HttpServletRequest;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
/**
* Validates xsrf protected access tokens. The validator check if the current request contains an xsrf key which is
@@ -47,7 +50,11 @@ import java.util.Optional;
*/
@Extension
public class XsrfAccessTokenValidator implements AccessTokenValidator {
private static final Set<String> ALLOWED_METHOD = ImmutableSet.of(
"GET", "HEAD", "OPTIONS"
);
private final Provider<HttpServletRequest> requestProvider;
@@ -65,8 +72,10 @@ public class XsrfAccessTokenValidator implements AccessTokenValidator {
public boolean validate(AccessToken accessToken) {
Optional<String> xsrfClaim = accessToken.getCustom(Xsrf.TOKEN_KEY);
if (xsrfClaim.isPresent()) {
String xsrfHeaderValue = requestProvider.get().getHeader(Xsrf.HEADER_KEY);
return xsrfClaim.get().equals(xsrfHeaderValue);
HttpServletRequest request = requestProvider.get();
String xsrfHeaderValue = request.getHeader(Xsrf.HEADER_KEY);
return ALLOWED_METHOD.contains(request.getMethod().toUpperCase(Locale.ENGLISH))
|| xsrfClaim.get().equals(xsrfHeaderValue);
}
return true;
}
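Review bot: The new short-circuit in validate() exempts every GET, HEAD and OPTIONS request from the xsrf header comparison, and nothing in the hunk records that this is only safe while those methods have no state-changing side effects in any mounted endpoint. The class Javadoc (first hunk) still says the validator checks for the xsrf key on "the current request" without mentioning the exemption, so a maintainer adding a side-effecting GET endpoint would not see the constraint. I would add above `ALLOWED_METHOD` the comment `// Safe methods are exempt from the xsrf header check; this assumes no GET/HEAD/OPTIONS endpoint changes state` and extend the class Javadoc with a sentence stating that requests using these methods are accepted without the header. As a small style point, the set holds several values, so `ALLOWED_METHODS` reads more naturally than `ALLOWED_METHOD`, and evaluating the method check before calling `request.getHeader(Xsrf.HEADER_KEY)` would avoid an unused header lookup on exempt requests.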