From: Felix Dörre Date: Sat, 5 Jul 2014 00:03:16 +0000 (+0200) Subject: Implement CSRF check on "Assure someone" X-Git-Url: https://code.wpia.club/?p=gigi.git;a=commitdiff_plain;h=dc56db5699a7381aadbc5d167aa03ce037bc9b4f Implement CSRF check on "Assure someone" (and implement it in test) --- diff --git a/src/org/cacert/gigi/output/Form.java b/src/org/cacert/gigi/output/Form.java index b86b6dcb..69fb2287 100644 --- a/src/org/cacert/gigi/output/Form.java +++ b/src/org/cacert/gigi/output/Form.java @@ -22,12 +22,12 @@ public abstract class Form implements Outputable { Map vars) { out.println("
"); outputContent(out, l, vars); - out.println("
"); } - public abstract void outputContent(PrintWriter out, Language l, + protected abstract void outputContent(PrintWriter out, Language l, Map vars); protected void outputError(PrintWriter out, ServletRequest req, String text) { @@ -36,8 +36,16 @@ public abstract class Form implements Outputable { out.println(""); } - public String getCSRFToken() { + protected String getCSRFToken() { return csrf; } + protected void checkCSRF(HttpServletRequest req) { + if (!csrf.equals(req.getParameter("csrf"))) { + throw new CSRFError(); + } + } + + public class CSRFError extends Error { + } } diff --git a/src/org/cacert/gigi/pages/wot/AssuranceForm.java b/src/org/cacert/gigi/pages/wot/AssuranceForm.java index 5819eb4d..be7be716 100644 --- a/src/org/cacert/gigi/pages/wot/AssuranceForm.java +++ b/src/org/cacert/gigi/pages/wot/AssuranceForm.java @@ -48,6 +48,8 @@ public class AssuranceForm extends Form { @Override public boolean submit(PrintWriter out, HttpServletRequest req) { + checkCSRF(req); + out.println("
"); boolean failed = false; @@ -117,4 +119,5 @@ public class AssuranceForm extends Form { out.println("
"); return false; } + } diff --git a/src/org/cacert/gigi/pages/wot/AssurePage.java b/src/org/cacert/gigi/pages/wot/AssurePage.java index 8862535c..01502960 100644 --- a/src/org/cacert/gigi/pages/wot/AssurePage.java +++ b/src/org/cacert/gigi/pages/wot/AssurePage.java @@ -16,6 +16,7 @@ import org.cacert.gigi.User; import org.cacert.gigi.database.DatabaseConnection; import org.cacert.gigi.output.DateSelector; import org.cacert.gigi.output.Template; +import org.cacert.gigi.output.Form.CSRFError; import org.cacert.gigi.pages.LoginPage; import org.cacert.gigi.pages.Page; import org.cacert.gigi.util.Notary; @@ -79,7 +80,12 @@ public class AssurePage extends Page { out.println("No form found. This is an Error. Fill in the form again."); return; } - form.submit(out, req); + try { + form.submit(out, req); + } catch (CSRFError e) { + resp.sendError(500, "CSRF Failed"); + out.println(translate(req, "CSRF Token failed.")); + } return; } diff --git a/tests/org/cacert/gigi/pages/wot/TestAssurance.java b/tests/org/cacert/gigi/pages/wot/TestAssurance.java index 54a85d8b..769767cd 100644 --- a/tests/org/cacert/gigi/pages/wot/TestAssurance.java +++ b/tests/org/cacert/gigi/pages/wot/TestAssurance.java @@ -141,10 +141,11 @@ public class TestAssurance extends ManagedTest { + assuree); URLConnection uc = u.openConnection(); uc.addRequestProperty("Cookie", cookie); - uc.getInputStream();// request form + String csrf = getCSRF(uc); uc = u.openConnection(); uc.addRequestProperty("Cookie", cookie); uc.setDoOutput(true); + uc.getOutputStream().write(("csrf=" + csrf + "&").getBytes()); return uc; } diff --git a/tests/org/cacert/gigi/testUtils/ManagedTest.java b/tests/org/cacert/gigi/testUtils/ManagedTest.java index a9e10015..2d164f58 100644 --- a/tests/org/cacert/gigi/testUtils/ManagedTest.java +++ b/tests/org/cacert/gigi/testUtils/ManagedTest.java 
@@ -13,6 +13,7 @@ import java.io.UnsupportedEncodingException; import java.net.HttpURLConnection; import java.net.InetSocketAddress; import java.net.URL; +import java.net.URLConnection; import java.net.URLEncoder; import java.nio.file.Files; import java.nio.file.Paths; @@ -20,6 +21,8 @@ import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; import java.util.Properties; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import org.cacert.gigi.DevelLauncher; import org.cacert.gigi.database.DatabaseConnection; @@ -273,4 +276,14 @@ public class ManagedTest { headerField = headerField.substring(0, headerField.indexOf(';')); return headerField; } + + public String getCSRF(URLConnection u) throws IOException { + String content = IOUtils.readURL(u); + Pattern p = Pattern.compile(""); + Matcher m = p.matcher(content); + if (!m.find()) { + throw new Error("New CSRF Token"); + } + return m.group(1); + } }
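Review bot: `throw new Error("New CSRF Token")` in the new `getCSRF` helper throws `java.lang.Error` with a message that does not describe the failure; a test helper should fail with something like `throw new AssertionError("No CSRF token found in form at " + u.getURL());` so the runner reports an assertion failure with context. The pattern appears as `Pattern.compile("")` in this rendering, presumably because the hidden-input markup was stripped by the page; whatever the real expression is, it must contain exactly one capturing group for `m.group(1)` to be valid, and compiling it once as a `private static final Pattern` avoids recompiling it on every call. A Javadoc line such as `/** Fetches the form at u and returns the value of its hidden csrf input. */` would make the helper's contract clear to other tests.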