OFBiz OFBiz - Notifications

[jira] [Commented] (OFBIZ-11306) POC for CSRF Token

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Nicolas Malin (Jira)
Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (OFBIZ-11306) POC for CSRF Token

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17022230#comment-17022230 ]

Jacques Le Roux commented on OFBIZ-11306:
-----------------------------------------

Hi James,

About SetTimeZoneFromBrowser I wrote:
bq. I have generalised things and will commit tomorrow

Actually I went too far and had to turn back. It's better to not touch too much things regarding Ajax and POST. For security reason as explained in CommonEvents::writeJSONtoResponse and in detail at https://haacked.com/archive/2009/06/25/json-hijacking.aspx/.

So a simple solution for you is to add
in csrfutil::checkToken add {{!"GET".equals(request.getMethod()}} at
{code:java}
if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With")) && !"GET".equals(request.getMethod())) {
{code}
completing what I wrote above.

The idea is we should not use GET for Ajax calls except if it's only for non sensitive data (Time Zones are not). So by default better let the user us POST and handle it as explained in CommonEvents::writeJSONtoResponse if they need it as we do with SetTimeZoneFromBrowser

Thanks!

I'll review your last patch "now"...

> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch
>
>
> CRSF tokens are generated using SecureRandom class.
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf token field.
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token to X-CSRF-Token in request header.
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token check during Ajax POST call.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Free forum by Nabble Edit this page