mirror of
https://github.com/scm-manager/scm-manager.git
synced 2025-11-12 00:15:44 +01:00
merge with branch issue-793
This commit is contained in:
Sebastian Sdorra
@@ -164,6 +164,7 @@ import sonia.scm.net.ahc.ContentTransformer;
|
||||
import sonia.scm.net.ahc.DefaultAdvancedHttpClient;
|
||||
import sonia.scm.net.ahc.JsonContentTransformer;
|
||||
import sonia.scm.net.ahc.XmlContentTransformer;
|
||||
import sonia.scm.security.XsrfProtectionFilter;
|
||||
import sonia.scm.web.UserAgentParser;
|
||||
|
||||
/**
|
||||
@@ -370,6 +371,9 @@ public class ScmServletModule extends ServletModule
|
||||
filter(PATTERN_ALL).through(LoggingFilter.class);
|
||||
}
|
||||
|
||||
// protect api agains xsrf attacks
|
||||
filter(PATTERN_RESTAPI).through(XsrfProtectionFilter.class);
|
||||
|
||||
/*
|
||||
* filter(PATTERN_PAGE,
|
||||
* PATTERN_STATIC_RESOURCES).through(StaticResourceFilter.class);
|
||||
|
||||
@@ -79,9 +79,11 @@ import sonia.scm.util.HttpUtil;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import javax.servlet.http.Cookie;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import javax.servlet.http.HttpSession;
|
||||
|
||||
import javax.ws.rs.DefaultValue;
|
||||
import javax.ws.rs.FormParam;
|
||||
@@ -96,6 +98,7 @@ import javax.ws.rs.core.Response;
|
||||
import javax.xml.bind.annotation.XmlAccessType;
|
||||
import javax.xml.bind.annotation.XmlAccessorType;
|
||||
import javax.xml.bind.annotation.XmlRootElement;
|
||||
import sonia.scm.security.XsrfCookies;
|
||||
|
||||
/**
|
||||
*
|
||||
@@ -261,6 +264,9 @@ public class AuthenticationResource
|
||||
public Response logout(@Context HttpServletRequest request,
|
||||
@Context HttpServletResponse response)
|
||||
{
|
||||
// remove xsrf token
|
||||
XsrfCookies.remove(request, response);
|
||||
|
||||
Subject subject = SecurityUtils.getSubject();
|
||||
|
||||
subject.logout();
|
||||
|
||||
87
scm-webapp/src/main/java/sonia/scm/security/XsrfCookies.java
Normal file
87
scm-webapp/src/main/java/sonia/scm/security/XsrfCookies.java
Normal file
@@ -0,0 +1,87 @@
|
||||
/**
|
||||
* Copyright (c) 2014, Sebastian Sdorra
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
* 3. Neither the name of SCM-Manager; nor the names of its
|
||||
* contributors may be used to endorse or promote products derived from this
|
||||
* software without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
* DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
|
||||
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
|
||||
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
* http://bitbucket.org/sdorra/scm-manager
|
||||
*
|
||||
*/
|
||||
package sonia.scm.security;
|
||||
|
||||
import javax.servlet.http.Cookie;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
/**
|
||||
* Util methods to handle XsrfCookies.
|
||||
*
|
||||
* @author Sebastian Sdorra
|
||||
* @version 1.47
|
||||
*/
|
||||
public final class XsrfCookies
|
||||
{
|
||||
|
||||
private XsrfCookies()
|
||||
{
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a new xsrf protection cookie and add it to the response.
|
||||
*
|
||||
* @param request http servlet request
|
||||
* @param response http servlet response
|
||||
* @param token xsrf token
|
||||
*/
|
||||
public static void create(HttpServletRequest request, HttpServletResponse response, String token){
|
||||
applyCookie(request, response, new Cookie(XsrfProtectionFilter.KEY, token));
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Removes the current xsrf protection cookie from response.
|
||||
*
|
||||
* @param request http servlet request
|
||||
* @param response http servlet response
|
||||
*/
|
||||
public static void remove(HttpServletRequest request, HttpServletResponse response)
|
||||
{
|
||||
Cookie[] cookies = request.getCookies();
|
||||
if ( cookies != null ){
|
||||
for ( Cookie c : cookies ){
|
||||
if ( XsrfProtectionFilter.KEY.equals(c.getName()) ){
|
||||
c.setMaxAge(0);
|
||||
c.setValue(null);
|
||||
applyCookie(request, response, c);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private static void applyCookie(HttpServletRequest request, HttpServletResponse response, Cookie cookie){
|
||||
cookie.setPath(request.getContextPath());
|
||||
response.addCookie(cookie);
|
||||
}
|
||||
|
||||
}
|
||||
@@ -0,0 +1,136 @@
|
||||
/**
|
||||
* Copyright (c) 2014, Sebastian Sdorra
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
* 3. Neither the name of SCM-Manager; nor the names of its
|
||||
* contributors may be used to endorse or promote products derived from this
|
||||
* software without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
* DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
|
||||
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
|
||||
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
* http://bitbucket.org/sdorra/scm-manager
|
||||
*
|
||||
*/
|
||||
package sonia.scm.security;
|
||||
|
||||
import com.google.common.annotations.VisibleForTesting;
|
||||
import com.google.common.base.Strings;
|
||||
import com.google.inject.Inject;
|
||||
import java.io.IOException;
|
||||
import java.util.UUID;
|
||||
import javax.inject.Singleton;
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.Cookie;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import javax.servlet.http.HttpSession;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import sonia.scm.config.ScmConfiguration;
|
||||
import sonia.scm.util.HttpUtil;
|
||||
import sonia.scm.web.filter.HttpFilter;
|
||||
|
||||
/**
|
||||
* Xsrf protection http filter. The filter will issue an cookie with an xsrf protection token on the first ajax request
|
||||
* of the scm web interface and marks the http session as xsrf protected. On every other request within a protected
|
||||
* session, the web interface has to send the token from the cookie as http header on every request. If the filter
|
||||
* receives an request to a protected session, without proper xsrf header the filter will abort the request and send an
|
||||
* http error code back to the client. If the filter receives an request to a non protected session, from a non web
|
||||
* interface client the filter will call the chain. The {@link XsrfProtectionFilter} is disabled by default and can be
|
||||
* enabled with {@link ScmConfiguration#setEnabledXsrfProtection(boolean)}.
|
||||
*
|
||||
* TODO for scm-manager 2 we have to store the csrf token as part of the jwt token instead of session.
|
||||
*
|
||||
* @see https://bitbucket.org/sdorra/scm-manager/issues/793/json-hijacking-vulnerability-cwe-116-cwe
|
||||
* @author Sebastian Sdorra
|
||||
* @version 1.47
|
||||
*/
|
||||
@Singleton
|
||||
public final class XsrfProtectionFilter extends HttpFilter
|
||||
{
|
||||
|
||||
/**
|
||||
* the logger for XsrfProtectionFilter
|
||||
*/
|
||||
private static final Logger logger = LoggerFactory.getLogger(XsrfProtectionFilter.class);
|
||||
|
||||
/**
|
||||
* Key used for session, header and cookie.
|
||||
*/
|
||||
static final String KEY = "X-XSRF-Token";
|
||||
|
||||
@Inject
|
||||
public XsrfProtectionFilter(ScmConfiguration configuration)
|
||||
{
|
||||
this.configuration = configuration;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws
|
||||
IOException, ServletException
|
||||
{
|
||||
if (configuration.isEnabledXsrfProtection())
|
||||
{
|
||||
doXsrfProtection(request, response, chain);
|
||||
}
|
||||
else
|
||||
{
|
||||
logger.trace("xsrf protection is disabled, skipping check");
|
||||
chain.doFilter(request, response);
|
||||
}
|
||||
}
|
||||
|
||||
private void doXsrfProtection(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws
|
||||
IOException, ServletException
|
||||
{
|
||||
HttpSession session = request.getSession(true);
|
||||
String storedToken = (String) session.getAttribute(KEY);
|
||||
if ( ! Strings.isNullOrEmpty(storedToken) ){
|
||||
String headerToken = request.getHeader(KEY);
|
||||
if ( storedToken.equals(headerToken) ){
|
||||
logger.trace("received valid xsrf protected request");
|
||||
chain.doFilter(request, response);
|
||||
} else {
|
||||
// is forbidden the correct status code?
|
||||
logger.warn("received request to a xsrf protected session without proper xsrf token");
|
||||
response.sendError(HttpServletResponse.SC_FORBIDDEN);
|
||||
}
|
||||
} else if (HttpUtil.isWUIRequest(request)) {
|
||||
logger.debug("received wui request, mark session as xsrf protected and issue a new token");
|
||||
String token = createToken();
|
||||
session.setAttribute(KEY, token);
|
||||
XsrfCookies.create(request, response, token);
|
||||
chain.doFilter(request, response);
|
||||
} else {
|
||||
// handle non webinterface clients, which does not need xsrf protection
|
||||
logger.trace("received request to a non xsrf protected session");
|
||||
chain.doFilter(request, response);
|
||||
}
|
||||
}
|
||||
|
||||
private String createToken()
|
||||
{
|
||||
// TODO create interface and use a better method
|
||||
return UUID.randomUUID().toString();
|
||||
}
|
||||
|
||||
private ScmConfiguration configuration;
|
||||
}
|
||||
Reference in New Issue
Block a user