Merge pull request from GHSA-vx5q-cp9v-427v
add CSRF protection to the admin APIs
gkwang committed Nov 5, 2020
2 parents 0f8387b + 6eb26ae commit 8b79363
Showing 9 changed files with 95 additions and 19 deletions.
9 changes: 7 additions & 2 deletions admin/public/site.js
Expand Up @@ -86,6 +86,7 @@
$('#profile-mapper-alerts').html('');

$.post('/profile-mapper', {
_csrf: document.getElementById('csrf').value,
code: code.getValue()
}).always(function() {
btn.button('reset');
Expand Down Expand Up @@ -131,7 +132,9 @@
$("#logs-clear").click(function(e) {
e.preventDefault();

$.post('/logs/clear');
$.post('/logs/clear', {
_csrf: document.getElementById('csrf').value
});
$('#logs').text('');
});

Expand Down Expand Up @@ -238,7 +241,9 @@
$("#update-run-form").submit(function(e) {
e.preventDefault();

$.post('/updater/run');
$.post('/updater/run', {
_csrf: document.getElementById('csrf').value,
});

update = 'Started';
$('#update-logs').text('');
Expand Down
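Review bot: The new `$.post('/logs/clear', { _csrf: ... })` and `$.post('/updater/run', { _csrf: ... })` calls have no failure callback, so a 403 from the CSRF middleware (for example a stale token after the server restarts and issues a new secret) is swallowed while the UI still clears `#logs` and sets `update = 'Started'` as if the request had succeeded. Chain a rejection handler on each, e.g. `.fail(function(xhr) { alert('Request rejected (' + xhr.status + ')'); })` or whatever alert area the page already uses, so an unauthorised request is visible to the operator. Every handler re-reads `document.getElementById('csrf').value` at call time; since the page is rendered with one token value, reading it once into a script-level `var csrfToken` at load would be simpler and avoids a null dereference if the hidden input is ever missing. The `#update-run-form` submit handler continues past the end of this hunk, and as far as the first hunk shows the `/profile-mapper` call's `.always` resets the button without distinguishing success from rejection either.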
21 changes: 12 additions & 9 deletions admin/server.js
Expand Up @@ -5,6 +5,7 @@ var unzipper = require('unzipper');
var path = require('path');
var archiver = require('archiver');
var cas = require('../lib/add_certs');
var csrf = require('csurf');
var os = require('os');
var fs = require('fs');
var http = require('http');
Expand All @@ -31,7 +32,7 @@ app.use(cookieParser());
app.use(session({
secret: 'sojo sut ed oterces le'
}));

var csrfProtection = csrf({ cookie: true });
var detected_settings = {};

if (process.platform === 'win32') {
Expand Down Expand Up @@ -113,18 +114,20 @@ function run(cmd, args, callback) {
});
}

app.get('/', set_current_config, function(req, res) {
app.get('/', set_current_config, csrfProtection, function(req, res) {
console.log(req.session.LDAP_RESULTS);
res.render('index', xtend(req.current_config, {
SUCCESS: req.query && req.query.s === '1',
LDAP_RESULTS: req.session.LDAP_RESULTS
}, {
detected: detected_settings
}, {
csrfToken: req.csrfToken()
}));
delete req.session.LDAP_RESULTS;
});

app.post('/ldap', set_current_config, function(req, res, next) {
app.post('/ldap', set_current_config, csrfProtection, function(req, res, next) {
// Convert ENABLE_WRITE_BACK and ENABLE_ACTIVE_DIRECTORY_UNICODE_PASSWORD to boolean.
req.body.ENABLE_WRITE_BACK = !!(req.body.ENABLE_WRITE_BACK && req.body.ENABLE_WRITE_BACK === 'on');
req.body.ENABLE_ACTIVE_DIRECTORY_UNICODE_PASSWORD = !!(req.body.ENABLE_ACTIVE_DIRECTORY_UNICODE_PASSWORD && req.body.ENABLE_ACTIVE_DIRECTORY_UNICODE_PASSWORD === 'on');
Expand All @@ -149,7 +152,7 @@ app.post('/ldap', set_current_config, function(req, res, next) {
});
}, merge_config);

app.post('/server', multipart(), set_current_config, function(req, res, next) {
app.post('/server', multipart(), set_current_config, csrfProtection, function(req, res, next) {
if (req.body.PORT || req.current_config.PORT) return next();
freeport(function(er, port) {
req.body.PORT = port;
Expand All @@ -165,7 +168,7 @@ app.post('/server', multipart(), set_current_config, function(req, res, next) {
});
}, merge_config);

app.post('/ticket', set_current_config, function(req, res, next) {
app.post('/ticket', set_current_config, csrfProtection, function(req, res, next) {
if (!req.body.PROVISIONING_TICKET) {
return res.render('index', xtend(req.current_config, {
ERROR: 'The ticket url ' + req.body.PROVISIONING_TICKET + ' is not vaild.'
Expand Down Expand Up @@ -257,7 +260,7 @@ app.get('/export', set_current_config, function(req, res) {
archive.finalize();
});

app.post('/import', set_current_config, multipart(), function(req, res, next) {
app.post('/import', set_current_config, csrfProtection, multipart(), function(req, res, next) {
console.log('Importing configuration.');

if (!req.files || !req.files.IMPORT_FILE || req.files.IMPORT_FILE.size === 0) {
Expand Down Expand Up @@ -312,7 +315,7 @@ app.get('/logs', function(req, res) {
});
});

app.post('/logs/clear', function(req, res) {
app.post('/logs/clear', csrfProtection, function(req, res) {
fs.writeFile(__dirname + '/../logs.log', '', function(err) {
if (err) {
res.status(500);
Expand Down Expand Up @@ -349,7 +352,7 @@ app.get('/profile-mapper', function(req, res) {
});
});

app.post('/profile-mapper', function(req, res) {
app.post('/profile-mapper', csrfProtection, function(req, res) {
fs.writeFile(__dirname + '/../lib/profileMapper.js', req.body.code, function(err) {
if (err) {
res.status(500);
Expand Down Expand Up @@ -440,7 +443,7 @@ app.get('/troubleshooter/export', set_current_config,
archive.finalize();
});

app.post('/updater/run', set_current_config, function(req, res) {
app.post('/updater/run', csrfProtection, set_current_config, function(req, res) {
run(__dirname + '/../update-connector.cmd', [], function(data) {
res.writeHead(200, {
"Content-Type": "text/plain"
Expand Down
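Review bot: `csrf({ cookie: true })` at the top of the section stores the CSRF secret in a `_csrf` cookie with csurf's defaults — not `httpOnly`, no `sameSite`, and unsigned because `cookieParser()` is mounted without a secret — even though `express-session` is already configured a few lines above and the session-backed default `csrf()` would need no extra cookie at all. If cookie mode is kept, at least harden it: `var csrfProtection = csrf({ cookie: { httpOnly: true, sameSite: 'strict' } });`. On `/import` the order `csrfProtection, multipart()` means the multipart body is not parsed when the token is checked, which is why the view has to pass the token in the query string; ordering it `multipart(), csrfProtection` as `/server` already does lets the token come from a hidden field instead of a URL that ends up in access logs and Referer headers. A failed check raises csurf's `EBADCSRFTOKEN` error, and no error handler is visible in this section to turn that into a clean 403 rather than the default Express error page — confirm one exists elsewhere in the file.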
1 change: 1 addition & 0 deletions admin/views/form.ejs
@@ -1,4 +1,5 @@
<form class="form-horizontal ldap" method="post" action="/ldap">
<input type="hidden" id="csrf" name="_csrf" value="<%= locals.csrfToken %>">
<p>
Please enter the settings to connect to your LDAP.
This will be saved locally and never send exposed.
Expand Down
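Review bot: The hidden input is given `id="csrf"`, and the same id is added in form_server.ejs, form_ticket.ejs and index.ejs in this commit; if these partials render into one page as index.ejs suggests, the document ends up with several elements sharing one id, which is invalid HTML and makes `document.getElementById('csrf')` in site.js return whichever comes first. Only `name="_csrf"` is needed for the form post, so drop the id here: `<input type="hidden" name="_csrf" value="<%= locals.csrfToken %>">`, and keep the single `id="csrf"` element in index.ejs for the script. It works today only because every element carries the same token value, which is easy to break if a partial is ever rendered with a different token.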
6 changes: 3 additions & 3 deletions admin/views/form_import.ejs
@@ -1,6 +1,6 @@
<form method="post" action="/import" enctype="multipart/form-data">
<form method="post" action="/import?_csrf=<%= locals.csrfToken %>" enctype="multipart/form-data">
<p>
Import a previous configuration to the connector.
Import a previous configuration to the connector.
</p>

<div class="control-group" style="border-top:0px;">
Expand All @@ -17,4 +17,4 @@
<button type="submit" class="btn btn-primary">Upload</button>
</div>
</div>
</form>
</form>
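Review bot: The token is put in the form's `action` query string, `action="/import?_csrf=<%= locals.csrfToken %>"`, so it appears in access logs, browser history and any Referer header sent from the page the upload redirects to, unlike the hidden field the other forms use. csurf also reads the token from `req.body._csrf`, so if the `/import` route parses the multipart body before running the CSRF check, a hidden `<input type="hidden" name="_csrf" value="<%= locals.csrfToken %>">` inside the form works for this upload as it already does for `/server`. The `<%= %>` escaping of the token value is the right choice and should be kept either way.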
5 changes: 3 additions & 2 deletions admin/views/form_server.ejs
@@ -1,4 +1,5 @@
<form class="form-horizontal" method="post" action="/server" enctype="multipart/form-data">
<input type="hidden" id="csrf" name="_csrf" value="<%= locals.csrfToken %>">
<div class="control-group">
<label class="control-label" for="SERVER_URL">Front Facing URL:</label>
<div class="controls">
Expand Down Expand Up @@ -61,7 +62,7 @@
<span class="help-block">A string of passphrase for the pfx</span>
</div>
</div>

<div class="control-group">
<label class="control-label" for="CA_CERT">CA Certificate(s):</label>
<div class="controls">
Expand All @@ -84,4 +85,4 @@ CA #2...
<button type="submit" class="btn btn-primary">Save</button>
</div>
</div>
</form>
</form>
3 changes: 2 additions & 1 deletion admin/views/form_ticket.ejs
@@ -1,4 +1,5 @@
<form class="form-horizontal" method="post" action="/ticket">
<input type="hidden" id="csrf" name="_csrf" value="<%= locals.csrfToken %>">
<p>
Please enter the ticket url as shown in the instructions provided in the documentation
</p>
Expand All @@ -23,4 +24,4 @@
<button type="submit" class="btn btn-success">Continue</button>
</div>
</div>
</form>
</form>
1 change: 1 addition & 0 deletions admin/views/index.ejs
Expand Up @@ -20,6 +20,7 @@
<div class="wrapper">
<div id="tmp-dialogs"></div>
<div id="content" style="margin-left: 0;">
<input type="hidden" id="csrf" name="_csrf" value="<%= locals.csrfToken %>">
<section id="configuration-section" class="content-page current">
<div id="content-header">
<h1>AD LDAP Connector <span id="connector-version"></span> Configuration</h1>
Expand Down
65 changes: 64 additions & 1 deletion package-lock.json


3 changes: 2 additions & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "ad-ldap-connector",
"version": "5.0.12",
"version": "5.0.13",
"description": "ADLDAP Federation Connector",
"main": "server.js",
"scripts": {
Expand Down Expand Up @@ -32,6 +32,7 @@
"connect-multiparty": "^2.2.0",
"cookie-parser": "^1.4.3",
"cookie-sessions": "github:auth0/cookie-sessions#53a8aae",
"csurf": "1.9.0",
"ejs": "^2.5.5",
"express": "^4.16.4",
"express-passport-logout": "~0.1.0",
Expand Down
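Review bot: `"csurf": "1.9.0"` is pinned exactly while every neighbouring dependency uses a caret range, which blocks patch updates for the one security-critical package this commit adds; `"csurf": "^1.9.0"` matches the file's convention unless the exact pin is deliberate, in which case a short note in the PR description would help. As far as I know csurf has since been deprecated upstream, so a migration path to a maintained CSRF middleware is worth planning regardless of the range chosen. The `scripts` block continues outside this hunk.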
