Disable xsrf for mercurial hook tokens

This commit is contained in:
Sebastian Sdorra
2020-11-08 12:23:15 +01:00
parent d518af4ccc
commit d86b2f70c3
3 changed files with 17 additions and 8 deletions


@@ -32,6 +32,7 @@ import sonia.scm.repository.hooks.HookServer;
import sonia.scm.security.AccessToken;
import sonia.scm.security.AccessTokenBuilderFactory;
import sonia.scm.security.CipherUtil;
import sonia.scm.security.Xsrf;
import sonia.scm.web.HgUtil;
import javax.inject.Inject;
@@ -109,11 +110,18 @@ public class DefaultHgEnvironmentBuilder implements HgEnvironmentBuilder {
private void write(ImmutableMap.Builder<String, String> env) {
env.put(ENV_HOOK_PORT, String.valueOf(getHookPort()));
AccessToken accessToken = accessTokenBuilderFactory.create().build();
env.put(ENV_BEARER_TOKEN, CipherUtil.getInstance().encode(accessToken.compact()));
env.put(ENV_BEARER_TOKEN, accessToken());
env.put(ENV_CHALLENGE, hookEnvironment.getChallenge());
}
private String accessToken() {
AccessToken accessToken = accessTokenBuilderFactory.create()
// disable xsrf protection, because we can not access the http servlet request for verification
.custom(Xsrf.TOKEN_KEY, null)
.build();
return CipherUtil.getInstance().encode(accessToken.compact());
}
private synchronized int getHookPort() {
if (hookPort > 0) {
return hookPort;
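Review bot: The `.custom(Xsrf.TOKEN_KEY, null)` call in the new `accessToken()` only achieves what the comment says if the builder treats a null custom value as "drop the claim"; if it serializes an explicit null instead, the xsrf claim is still present and the verifier on the hook endpoint decides what that means, and nothing in this hunk shows which behaviour `custom` has. The inline comment should pin that contract so the next reader does not have to re-check it, e.g. `// passing null removes the xsrf claim (confirm against AccessTokenBuilder.custom); hook calls carry the token as a bearer header, not a cookie, so xsrf binding is not needed here`. Since the xsrf binding is now gone, the token that ends up in the hg process environment is worth keeping as narrow as the builder allows (scope and lifetime are left at their defaults in this hunk), which could be a follow-up rather than part of this change. `getHookPort()` continues past the end of the hunk.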


@@ -38,6 +38,7 @@ import sonia.scm.repository.hooks.HookServer;
import sonia.scm.security.AccessToken;
import sonia.scm.security.AccessTokenBuilderFactory;
import sonia.scm.security.CipherUtil;
import sonia.scm.security.Xsrf;
import javax.annotation.Nonnull;
import java.io.File;
@@ -118,7 +119,7 @@ class DefaultHgEnvironmentBuilderTest {
private void applyAccessToken(String compact) {
AccessToken accessToken = mock(AccessToken.class);
when(accessTokenBuilderFactory.create().build()).thenReturn(accessToken);
when(accessTokenBuilderFactory.create().custom(Xsrf.TOKEN_KEY, null).build()).thenReturn(accessToken);
when(accessToken.compact()).thenReturn(compact);
}