QA-14409: Switch to updated csrfguard v4.3.0 (#73)

* QA-14409: Switch to updated csrfguard v4.3.0 * Add differences to properties and template files and add compressed version
Jahia · Jun 6, 2023 · 4ba02b8 · 4ba02b8
1 parent 24f54b2
commit 4ba02b8
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 4 deletions.
diff --git a/pom.xml b/pom.xml
@@ -39,7 +39,7 @@
     </scm>
 
     <properties>
-        <csrfguard.version>4.1.4-jahia1-SNAPSHOT</csrfguard.version>
+        <csrfguard.version>4.3.0</csrfguard.version>
         <jahia.plugin.version>6.0</jahia.plugin.version>
         <jahia-module-type>system</jahia-module-type>
         <require-capability>osgi.extender;filter:="(osgi.extender=org.jahia.bundles.blueprint.extender.config)"</require-capability>

diff --git a/src/main/resources/META-INF/csrfguard.template.js b/src/main/resources/META-INF/csrfguard.template.js
diff --git a/src/main/resources/META-INF/csrfguard.template.uncompressed.js b/src/main/resources/META-INF/csrfguard.template.uncompressed.js
@@ -225,10 +225,19 @@ if (owaspCSRFGuardScriptHasLoaded !== true) {
 
         /**
          *  check if valid domain based on domainStrict
+         *  @param target can either be a string or list of domain origins as array
          */
         function isValidDomain(current, target) {
             var result = false;
 
+            if (target && target.constructor === Array) {
+                for (var i = 0; i < target.length; i++) {
+                    if (isValidDomain(current, target[i])) {
+                        return true;
+                    }
+                }
+            }
+
             /* check exact or subdomain match */
             if (current === target) {
                 result = true;
@@ -600,7 +609,8 @@ if (owaspCSRFGuardScriptHasLoaded !== true) {
          * The token is now removed and fetched using another POST request to solve,
          * the token hijacking problem.
          */
-        if (isValidDomain(document.domain, '%DOMAIN_ORIGIN%')) {
+        var target = '%DOMAIN_ORIGIN%'.split(',')
+        if (isValidDomain(document.domain, target)) {
             var tokenName = '%TOKEN_NAME%';
             var masterTokenValue = '%TOKEN_VALUE%';
             //console.debug('Master token [' + tokenName + ']: ', masterTokenValue);

diff --git a/src/main/resources/Owasp.CsrfGuard.properties b/src/main/resources/Owasp.CsrfGuard.properties
@@ -273,7 +273,7 @@ org.owasp.csrfguard.Ajax = true
 # org.owasp.csrfguard.action.Error.Message = Security violation.
 
 org.owasp.csrfguard.action.Log = org.owasp.csrfguard.action.Log
-org.owasp.csrfguard.action.Log.Message = potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
+org.owasp.csrfguard.action.Log.Message = Potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
 
 org.owasp.csrfguard.action.Redirect = org.owasp.csrfguard.action.Redirect
 org.owasp.csrfguard.action.Redirect.Page = %servletContext%/error.html
@@ -490,3 +490,10 @@ org.owasp.csrfguard.PageTokenSynchronizationTolerance = 2000
 #
 # Defaults to False.
 org.owasp.csrfguard.forceSynchronousAjax = false
+
+# If there are properties prefixed with "org.owasp.csrfguard.bannedUserAgentProperty.", their values will be used to match against HTTP User-Agent request headers.
+# In case of a match, the request will be discarded, and a 403 Forbidden response will be returned to the client.
+# The purpose of this feature is to provide a way to prevent Internet Explorer users from accessing the web application.
+# Internet Explorer is identified using the "msie" and "trident" strings.
+org.owasp.csrfguard.bannedUserAgentProperty.InternetExplorer1 = msie
+org.owasp.csrfguard.bannedUserAgentProperty.InternetExplorer2 = trident