CSRF protection for database extension
wetneb committed Oct 17, 2019
1 parent 9ae6a7a commit b52c009
Showing 13 changed files with 227 additions and 122 deletions.
10 changes: 5 additions & 5 deletions extensions/database/module/scripts/database-extension.js
Expand Up @@ -69,7 +69,7 @@ DatabaseExtension.handleConnectClicked = function(connectionName) {
databaseConfig.initialDatabase = savedConfig.databaseName;
databaseConfig.initialSchema = savedConfig.databaseSchema;

$.post(
Refine.postCSRF(
"command/database/connect",
databaseConfig,

Expand Down Expand Up @@ -101,10 +101,10 @@ DatabaseExtension.handleConnectClicked = function(connectionName) {
}

},
"json"
).fail(function( jqXhr, textStatus, errorThrown ){
alert( textStatus + ':' + errorThrown );
});
"json",
function( jqXhr, textStatus, errorThrown ){
alert( textStatus + ':' + errorThrown );
});

}

211 changes: 110 additions & 101 deletions extensions/database/module/scripts/index/database-import-controller.js
Expand Up @@ -65,33 +65,36 @@ Refine.DatabaseImportController.prototype.startImportingDocument = function(quer
//alert(queryInfo.query);
var self = this;

$.post(
Refine.postCSRF(
"command/core/create-importing-job",
null,
function(data) {
$.post(
"command/core/importing-controller?" + $.param({
"controller": "database/database-import-controller",
"subCommand": "initialize-parser-ui"
}),
queryInfo,

function(data2) {
dismiss();
Refine.wrapCSRF(function(token) {
$.post(
"command/core/importing-controller?" + $.param({
"controller": "database/database-import-controller",
"subCommand": "initialize-parser-ui",
"csrf_token": token
}),
queryInfo,

if (data2.status == 'ok') {
self._queryInfo = queryInfo;
self._jobID = data.jobID;
self._options = data2.options;

self._showParsingPanel();

} else {
alert(data2.message);
}
},
"json"
);
function(data2) {
dismiss();

if (data2.status == 'ok') {
self._queryInfo = queryInfo;
self._jobID = data.jobID;
self._options = data2.options;

self._showParsingPanel();

} else {
alert(data2.message);
}
},
"json"
);
});
},
"json"
);
Expand Down Expand Up @@ -248,40 +251,43 @@ Refine.DatabaseImportController.prototype._updatePreview = function() {
this._queryInfo.options = JSON.stringify(this.getOptions());
//alert("options:" + this._queryInfo.options);

$.post(
"command/core/importing-controller?" + $.param({
"controller": "database/database-import-controller",
"jobID": this._jobID,
"subCommand": "parse-preview"
}),

this._queryInfo,

function(result) {
if (result.status == "ok") {
self._getPreviewData(function(projectData) {
self._parsingPanelElmts.progressPanel.hide();
self._parsingPanelElmts.dataPanel.show();
Refine.wrapCSRF(function(token) {
$.post(
"command/core/importing-controller?" + $.param({
"controller": "database/database-import-controller",
"jobID": this._jobID,
"subCommand": "parse-preview",
"csrf_token": token
}),

this._queryInfo,

function(result) {
if (result.status == "ok") {
self._getPreviewData(function(projectData) {
self._parsingPanelElmts.progressPanel.hide();
self._parsingPanelElmts.dataPanel.show();

new Refine.PreviewTable(projectData, self._parsingPanelElmts.dataPanel.unbind().empty());
});
} else {

alert('Errors:\n' + (result.message) ? result.message : Refine.CreateProjectUI.composeErrorMessage(job));
self._parsingPanelElmts.progressPanel.hide();

Refine.CreateProjectUI.cancelImportingJob(self._jobID);

delete self._jobID;
delete self._options;

self._createProjectUI.showSourceSelectionPanel();


}
},
"json"
);
new Refine.PreviewTable(projectData, self._parsingPanelElmts.dataPanel.unbind().empty());
});
} else {

alert('Errors:\n' + (result.message) ? result.message : Refine.CreateProjectUI.composeErrorMessage(job));
self._parsingPanelElmts.progressPanel.hide();

Refine.CreateProjectUI.cancelImportingJob(self._jobID);

delete self._jobID;
delete self._options;

self._createProjectUI.showSourceSelectionPanel();


}
},
"json"
);
});
};

Refine.DatabaseImportController.prototype._getPreviewData = function(callback, numRows) {
Expand Down Expand Up @@ -329,51 +335,54 @@ Refine.DatabaseImportController.prototype._createProject = function() {
options.projectName = projectName;

this._queryInfo.options = JSON.stringify(options);
$.post(
"command/core/importing-controller?" + $.param({
"controller": "database/database-import-controller",
"jobID": this._jobID,
"subCommand": "create-project"
}),
this._queryInfo,
function(o) {
if (o.status == 'error') {
alert(o.message);
} else {
var start = new Date();
var timerID = window.setInterval(
function() {
self._createProjectUI.pollImportJob(
start,
self._jobID,
timerID,
function(job) {
return "projectID" in job.config;
},
function(jobID, job) {
//alert("jobID::" + jobID + " job :" + job);
window.clearInterval(timerID);
Refine.CreateProjectUI.cancelImportingJob(jobID);
document.location = "project?project=" + job.config.projectID;
},
function(job) {
alert(Refine.CreateProjectUI.composeErrorMessage(job));
}
);
},
1000
);
self._createProjectUI.showImportProgressPanel($.i18n('database-import/creating'), function() {
// stop the timed polling
window.clearInterval(timerID);
Refine.wrapCSRF(function(token) {
$.post(
"command/core/importing-controller?" + $.param({
"controller": "database/database-import-controller",
"jobID": this._jobID,
"subCommand": "create-project",
"csrf_token": token
}),
this._queryInfo,
function(o) {
if (o.status == 'error') {
alert(o.message);
} else {
var start = new Date();
var timerID = window.setInterval(
function() {
self._createProjectUI.pollImportJob(
start,
self._jobID,
timerID,
function(job) {
return "projectID" in job.config;
},
function(jobID, job) {
//alert("jobID::" + jobID + " job :" + job);
window.clearInterval(timerID);
Refine.CreateProjectUI.cancelImportingJob(jobID);
document.location = "project?project=" + job.config.projectID;
},
function(job) {
alert(Refine.CreateProjectUI.composeErrorMessage(job));
}
);
},
1000
);
self._createProjectUI.showImportProgressPanel($.i18n('database-import/creating'), function() {
// stop the timed polling
window.clearInterval(timerID);

// explicitly cancel the import job
Refine.CreateProjectUI.cancelImportingJob(jobID);
// explicitly cancel the import job
Refine.CreateProjectUI.cancelImportingJob(jobID);

self._createProjectUI.showSourceSelectionPanel();
});
}
},
"json"
);
self._createProjectUI.showSourceSelectionPanel();
});
}
},
"json"
);
});
};
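Review bot: Inside the `Refine.wrapCSRF(function(token) { … })` callback added to `_updatePreview`, `"jobID": this._jobID` and the `this._queryInfo` argument are now evaluated with the callback's own receiver instead of the controller, so unless wrapCSRF invokes its callback with the controller as `this` (not visible on this page) the request is sent without a job id and without a body; the wrapping in `_createProject` has the identical problem. Both methods already capture the controller as `self` (they use `self._getPreviewData` and `self._createProjectUI` a few lines down), so the fix in each hunk is `"jobID": self._jobID,` and `self._queryInfo,`. The earlier `startImportingDocument` hunk is unaffected because it passes the `queryInfo` parameter of the enclosing function. Unrelated to the commit but on the new side, `alert('Errors:\n' + (result.message) ? result.message : …)` groups as `('Errors:\n' + result.message) ? …`, which is always truthy, so the fallback message is never shown; `'Errors:\n' + (result.message ? result.message : …)` is what was meant.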
24 changes: 12 additions & 12 deletions extensions/database/module/scripts/index/database-source-ui.js
Expand Up @@ -268,7 +268,7 @@ Refine.DatabaseSourceUI.prototype._executeQuery = function(jdbcQueryInfo) {

var dismiss = DialogSystem.showBusy($.i18n('database-import/checking'));

$.post(
Refine.postCSRF(
"command/database/test-query",
jdbcQueryInfo,
function(jdbcConnectionResult) {
Expand All @@ -277,8 +277,8 @@ Refine.DatabaseSourceUI.prototype._executeQuery = function(jdbcQueryInfo) {
self._controller.startImportingDocument(jdbcQueryInfo);

},
"json"
).fail(function( jqXhr, textStatus, errorThrown ){
"json",
function( jqXhr, textStatus, errorThrown ){

dismiss();
alert( textStatus + ':' + errorThrown );
Expand All @@ -288,7 +288,7 @@ Refine.DatabaseSourceUI.prototype._executeQuery = function(jdbcQueryInfo) {

Refine.DatabaseSourceUI.prototype._saveConnection = function(jdbcConnectionInfo) {
var self = this;
$.post(
Refine.postCSRF(
"command/database/saved-connection",
jdbcConnectionInfo,
function(settings) {
Expand All @@ -307,8 +307,8 @@ Refine.DatabaseSourceUI.prototype._saveConnection = function(jdbcConnectionInfo)
}

},
"json"
).fail(function( jqXhr, textStatus, errorThrown ){
"json",
function( jqXhr, textStatus, errorThrown ){
alert( textStatus + ':' + errorThrown );
});

Expand Down Expand Up @@ -346,7 +346,7 @@ Refine.DatabaseSourceUI.prototype._loadSavedConnections = function() {
Refine.DatabaseSourceUI.prototype._testDatabaseConnect = function(jdbcConnectionInfo) {

var self = this;
$.post(
Refine.postCSRF(
"command/database/test-connect",
jdbcConnectionInfo,
function(jdbcConnectionResult) {
Expand All @@ -357,16 +357,16 @@ Refine.DatabaseSourceUI.prototype._testDatabaseConnect = function(jdbcConnection
}

},
"json"
).fail(function( jqXhr, textStatus, errorThrown ){
"json",
function( jqXhr, textStatus, errorThrown ){
alert( textStatus + ':' + errorThrown );
});
};

Refine.DatabaseSourceUI.prototype._connect = function(jdbcConnectionInfo) {

var self = this;
$.post(
Refine.postCSRF(
"command/database/connect",
jdbcConnectionInfo,
function(databaseInfo) {
Expand Down Expand Up @@ -398,8 +398,8 @@ Refine.DatabaseSourceUI.prototype._connect = function(jdbcConnectionInfo) {
}

},
"json"
).fail(function( jqXhr, textStatus, errorThrown ){
"json",
function( jqXhr, textStatus, errorThrown ){
alert( textStatus + ':' + errorThrown );
});

Expand Up @@ -56,6 +56,10 @@ public class ConnectCommand extends DatabaseCommand {
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
if(!hasValidCSRFToken(request)) {
respondCSRFError(response);
return;
}

DatabaseConfiguration databaseConfiguration = getJdbcConfiguration(request);
if(logger.isDebugEnabled()) {
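Review bot: The guard `if(!hasValidCSRFToken(request)) { respondCSRFError(response); return; }` is pasted verbatim at the top of `doPost` in five commands in this commit (ConnectCommand, ExecuteQueryCommand, the command containing `writeSavedConnectionResponse`, TestConnectCommand and TestQueryCommand), and every one of them extends `DatabaseCommand`; a sixth command added later will only be protected if its author remembers to copy it. Since the check has to run before any request parameter is read, consider letting `DatabaseCommand` enforce it once (a `doPost` that performs the check and then delegates to a protected hook the subclasses implement), so the protection cannot be omitted. `hasValidCSRFToken` and `respondCSRFError` are presumably inherited from the core `Command` base and are not visible here. A one-line comment above the guard, `// Reject state-changing requests without a valid CSRF token before reading any parameters`, would make the ordering intentional for the next reader. The body of `doPost` continues outside the hunk in each file.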
Expand Up @@ -56,7 +56,10 @@ public class ExecuteQueryCommand extends DatabaseCommand {
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {

if(!hasValidCSRFToken(request)) {
respondCSRFError(response);
return;
}

DatabaseConfiguration databaseConfiguration = getJdbcConfiguration(request);
String query = request.getParameter("queryString");
Expand Up @@ -228,6 +228,10 @@ private void writeSavedConnectionResponse(HttpServletResponse response) throws I
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
if(!hasValidCSRFToken(request)) {
respondCSRFError(response);
return;
}

if(logger.isDebugEnabled()) {
logger.debug("doPost Connection: {}", request.getParameter("connectionName"));
Expand Up @@ -54,7 +54,10 @@ public class TestConnectCommand extends DatabaseCommand {
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {

if(!hasValidCSRFToken(request)) {
respondCSRFError(response);
return;
}

DatabaseConfiguration databaseConfiguration = getJdbcConfiguration(request);
if(logger.isDebugEnabled()) {
Expand Up @@ -56,6 +56,10 @@ public class TestQueryCommand extends DatabaseCommand {
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
if(!hasValidCSRFToken(request)) {
respondCSRFError(response);
return;
}

DatabaseConfiguration dbConfig = getJdbcConfiguration(request);
String query = request.getParameter("query");