Security Fixes JIRA issues 55, 71, and 72 #34

Expand Up @@ -4,7 +4,7 @@
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
Expand All @@ -28,14 +28,22 @@ class AclClassController extends AbstractS2UiController {
}

def save() {
def aclClass = lookupClass().newInstance(params)
if (!aclClass.save(flush: true)) {
render view: 'create', model: [aclClass: aclClass]
withForm {
def aclClass = lookupClass().newInstance(params)
if (!aclClass.save(flush: true)) {
render view: 'create', model: [aclClass: aclClass]
return
}

flash.message = "${message(code: 'default.created.message', args: [message(code: 'aclClass.label', default: 'AclClass'), aclClass.id])}"
redirect action: 'edit', id: aclClass.id
}.invalidToken {
response.status = 400
log.warn("User: ${springSecurityService.currentUser.id} possible CSRF or double submit: $params")
flash.message = "${message(code: 'spring.security.ui.invalid.save.form', args: [lookupClassName()])}"
forward action: 'create', model: []
return
}

flash.message = "${message(code: 'default.created.message', args: [message(code: 'aclClass.label', default: 'AclClass'), aclClass.id])}"
redirect action: 'edit', id: aclClass.id
}

def edit() {
Expand All @@ -46,29 +54,45 @@ class AclClassController extends AbstractS2UiController {
}

def update() {
def aclClass = findById()
if (!aclClass) return
if (!versionCheck('aclClass.label', 'AclClass', aclClass, [aclClass: aclClass])) {
return
}
withForm {
def aclClass = findById()
if (!aclClass) return
if (!versionCheck('aclClass.label', 'AclClass', aclClass, [aclClass: aclClass])) {
return
}

if (!springSecurityUiService.updateAclClass(aclClass, params.className)) {
render view: 'edit', model: [aclClass: aclClass]
return
}

if (!springSecurityUiService.updateAclClass(aclClass, params.className)) {
render view: 'edit', model: [aclClass: aclClass]
flash.message = "${message(code: 'default.updated.message', args: [message(code: 'aclClass.label', default: 'AclClass'), aclClass.id])}"
redirect action: 'edit', id: aclClass.id
}.invalidToken {
response.status = 400
log.warn("User: ${springSecurityService.currentUser.id} possible CSRF or double submit: $params")
flash.message = "${message(code: 'spring.security.ui.invalid.update.form', args: [lookupClassName()])}"
forward action: 'search', model: []
return
}

flash.message = "${message(code: 'default.updated.message', args: [message(code: 'aclClass.label', default: 'AclClass'), aclClass.id])}"
redirect action: 'edit', id: aclClass.id
}

def delete() {
def aclClass = findById()
if (!aclClass) return

try {
springSecurityUiService.deleteAclClass aclClass
flash.message = "${message(code: 'default.deleted.message', args: [message(code: 'aclClass.label', default: 'AclClass'), params.id])}"
redirect action: 'search'
withForm {
springSecurityUiService.deleteAclClass aclClass
flash.message = "${message(code: 'default.deleted.message', args: [message(code: 'aclClass.label', default: 'AclClass'), params.id])}"
redirect action: 'search'
}.invalidToken {
response.status = 400
log.warn("User: ${springSecurityService.currentUser.id} possible CSRF or double submit: $params")
flash.message = "${message(code: 'spring.security.ui.invalid.delete.form', args: [lookupClassName()])}"
forward action: 'search', model: []
return
}
}
catch (DataIntegrityViolationException e) {
flash.error = "${message(code: 'default.not.deleted.message', args: [message(code: 'aclClass.label', default: 'AclClass'), params.id])}"
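Review bot: `springSecurityService.currentUser.id` in the warn line of each `invalidToken` closure (save, update and delete in this file) dereferences `currentUser` without a null check, so a token failure on a request with no authenticated principal would throw a NullPointerException from the handler itself and turn the intended 400 into a 500; `springSecurityService.currentUser?.id` avoids that. The same line interpolates `$params` verbatim, which writes attacker-controlled values, embedded newlines included, straight into the log; logging `params.keySet()` or the request URI would keep the CSRF signal without the log-injection surface. Whether `springSecurityService` is injected into this controller is not visible here, since AbstractS2UiController is outside the diff. The identical line appears in AclEntryController, AclObjectIdentityController and AclSidController in this PR.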
Expand Up @@ -4,7 +4,7 @@
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
Expand All @@ -30,14 +30,22 @@ class AclEntryController extends AbstractS2UiController {
}

def save() {
def aclEntry = lookupClass().newInstance(params)
if (!aclEntry.save(flush: true)) {
render view: 'create', model: [aclEntry: aclEntry, sids: lookupAclSidClass().list()]
withForm {
def aclEntry = lookupClass().newInstance(params)
if (!aclEntry.save(flush: true)) {
render view: 'create', model: [aclEntry: aclEntry, sids: lookupAclSidClass().list()]
return
}

flash.message = "${message(code: 'default.created.message', args: [message(code: 'aclEntry.label', default: 'AclEntry'), aclEntry.id])}"
redirect action: 'edit', id: aclEntry.id
}.invalidToken {
response.status = 400
log.warn("User: ${springSecurityService.currentUser.id} possible CSRF or double submit: $params")
flash.message = "${message(code: 'spring.security.ui.invalid.save.form', args: [lookupClassName()])}"
forward action: 'create', model: []
return
}

flash.message = "${message(code: 'default.created.message', args: [message(code: 'aclEntry.label', default: 'AclEntry'), aclEntry.id])}"
redirect action: 'edit', id: aclEntry.id
}

def edit() {
Expand All @@ -48,34 +56,49 @@ class AclEntryController extends AbstractS2UiController {
}

def update() {
withForm {
def aclEntry = findById()
if (!aclEntry) return
if (!versionCheck('aclEntry.label', 'AclEntry', aclEntry, [aclEntry: aclEntry])) {
return
}

def aclEntry = findById()
if (!aclEntry) return
if (!versionCheck('aclEntry.label', 'AclEntry', aclEntry, [aclEntry: aclEntry])) {
return
}
Long parentId = params.parent?.id ? params.parent.id.toLong() : null
Long ownerId = params.owner?.id ? params.owner.id.toLong() : null
if (!springSecurityUiService.updateAclEntry(aclEntry, params.aclObjectIdentity.id.toLong(),
params.sid.id.toLong(), params.int('aceOrder'), params.int('mask'),
params.granting == 'on', params.auditSuccess == 'on', params.auditFailure == 'on')) {
render view: 'edit', model: [aclEntry: aclEntry, sids: lookupAclSidClass().list()]
return
}

Long parentId = params.parent?.id ? params.parent.id.toLong() : null
Long ownerId = params.owner?.id ? params.owner.id.toLong() : null
if (!springSecurityUiService.updateAclEntry(aclEntry, params.aclObjectIdentity.id.toLong(),
params.sid.id.toLong(), params.int('aceOrder'), params.int('mask'),
params.granting == 'on', params.auditSuccess == 'on', params.auditFailure == 'on')) {
render view: 'edit', model: [aclEntry: aclEntry, sids: lookupAclSidClass().list()]
flash.message = "${message(code: 'default.updated.message', args: [message(code: 'aclEntry.label', default: 'AclEntry'), aclEntry.id])}"
redirect action: 'edit', id: aclEntry.id
}.invalidToken {
response.status = 400
log.warn("User: ${springSecurityService.currentUser.id} possible CSRF or double submit: $params")
flash.message = "${message(code: 'spring.security.ui.invalid.update.form', args: [lookupClassName()])}"
forward action: 'search', model: []
return
}

flash.message = "${message(code: 'default.updated.message', args: [message(code: 'aclEntry.label', default: 'AclEntry'), aclEntry.id])}"
redirect action: 'edit', id: aclEntry.id
}

def delete() {
def aclEntry = findById()
if (!aclEntry) return

try {
springSecurityUiService.deleteAclEntry aclEntry
flash.message = "${message(code: 'default.deleted.message', args: [message(code: 'aclEntry.label', default: 'AclEntry'), params.id])}"
redirect action: 'search'
withForm {
springSecurityUiService.deleteAclEntry aclEntry
flash.message = "${message(code: 'default.deleted.message', args: [message(code: 'aclEntry.label', default: 'AclEntry'), params.id])}"
redirect action: 'search'
}.invalidToken {
response.status = 400
log.warn("User: ${springSecurityService.currentUser.id} possible CSRF or double submit: $params")
flash.message = "${message(code: 'spring.security.ui.invalid.delete.form', args: [lookupClassName()])}"
forward action: 'search', model: []
return
}
}
catch (DataIntegrityViolationException e) {
flash.error = "${message(code: 'default.not.deleted.message', args: [message(code: 'aclEntry.label', default: 'AclEntry'), params.id])}"
Expand Down Expand Up @@ -141,7 +164,7 @@ class AclEntryController extends AbstractS2UiController {
order(params.sort,params.order ?: 'ASC')
}
}

def model = [results: results, totalCount: results.totalCount, searched: true,
sids: lookupAclSidClass().list(), permissionFactory: aclPermissionFactory]
// add query params to model for paging
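Review bot: The `invalidToken` closure is repeated, identical apart from the message code and forward target, in save, update and delete here and in the three sibling controllers; a helper on AbstractS2UiController such as `protected void invalidToken(String messageCode, String forwardAction)` holding the status, log and forward lines would leave one place to adjust the response (status code, what is logged). The trailing `return` in those closures, e.g. after `forward action: 'create', model: []` in save, is a no-op because it only exits a closure that ends on the next line, and can be dropped. Note also that `return` statements inside the `withForm` closure, such as `if (!aclEntry) return` in update, now exit the closure rather than the action; that is harmless because nothing follows the `withForm` call, but it would silently change behaviour if code is later added after it.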
Expand Up @@ -27,16 +27,24 @@ class AclObjectIdentityController extends AbstractS2UiController {
}

def save() {
def aclObjectIdentity = lookupClass().newInstance(params)
if (!aclObjectIdentity.save(flush: true)) {
render view: 'create', model: [aclObjectIdentity: aclObjectIdentity,
classes: lookupAclClassClass().list(),
sids: lookupAclSidClass().list()]
withForm {
def aclObjectIdentity = lookupClass().newInstance(params)
if (!aclObjectIdentity.save(flush: true)) {
render view: 'create', model: [aclObjectIdentity: aclObjectIdentity,
classes: lookupAclClassClass().list(),
sids: lookupAclSidClass().list()]
return
}

flash.message = "${message(code: 'default.created.message', args: [message(code: 'aclObjectIdentity.label', default: 'AclObjectIdentity'), aclObjectIdentity.id])}"
redirect action: 'edit', id: aclObjectIdentity.id
}.invalidToken {
response.status = 400
log.warn("User: ${springSecurityService.currentUser.id} possible CSRF or double submit: $params")
flash.message = "${message(code: 'spring.security.ui.invalid.save.form', args: [lookupClassName()])}"
forward action: 'create', model: []
return
}

flash.message = "${message(code: 'default.created.message', args: [message(code: 'aclObjectIdentity.label', default: 'AclObjectIdentity'), aclObjectIdentity.id])}"
redirect action: 'edit', id: aclObjectIdentity.id
}

def edit() {
Expand All @@ -50,36 +58,50 @@ class AclObjectIdentityController extends AbstractS2UiController {

def update() {

def aclObjectIdentity = findById()
if (!aclObjectIdentity) return
if (!versionCheck('aclObjectIdentity.label', 'AclObjectIdentity', aclObjectIdentity, [aclObjectIdentity: aclObjectIdentity])) {
withForm {
def aclObjectIdentity = findById()
if (!aclObjectIdentity) return
if (!versionCheck('aclObjectIdentity.label', 'AclObjectIdentity', aclObjectIdentity, [aclObjectIdentity: aclObjectIdentity])) {
return
}

Long parentId = params.parent?.id ? params.parent.id.toLong() : null
Long ownerId = params.owner?.id ? params.owner.id.toLong() : null
if (!springSecurityUiService.updateAclObjectIdentity(aclObjectIdentity, params.long('objectId'),
params.aclClass.id.toLong(), parentId, ownerId, params.entriesInheriting == 'on')) {
render view: 'edit', model: [aclObjectIdentity: aclObjectIdentity,
classes: lookupAclClassClass().list(),
sids: lookupAclSidClass().list()]
return
}

Long parentId = params.parent?.id ? params.parent.id.toLong() : null
Long ownerId = params.owner?.id ? params.owner.id.toLong() : null
if (!springSecurityUiService.updateAclObjectIdentity(aclObjectIdentity, params.long('objectId'),
params.aclClass.id.toLong(), parentId, ownerId, params.entriesInheriting == 'on')) {
render view: 'edit', model: [aclObjectIdentity: aclObjectIdentity,
classes: lookupAclClassClass().list(),
sids: lookupAclSidClass().list()]
flash.message = "${message(code: 'default.updated.message', args: [message(code: 'aclObjectIdentity.label', default: 'AclObjectIdentity'), aclObjectIdentity.id])}"
redirect action: 'edit', id: aclObjectIdentity.id
}.invalidToken {
response.status = 400
log.warn("User: ${springSecurityService.currentUser.id} possible CSRF or double submit: $params")
flash.message = "${message(code: 'spring.security.ui.invalid.update.form', args: [lookupClassName()])}"
forward action: 'search', model: []
return
}

flash.message = "${message(code: 'default.updated.message', args: [message(code: 'aclObjectIdentity.label', default: 'AclObjectIdentity'), aclObjectIdentity.id])}"
redirect action: 'edit', id: aclObjectIdentity.id
}

def delete() {
def aclObjectIdentity = findById()
if (!aclObjectIdentity) return

try {
springSecurityUiService.deleteAclObjectIdentity aclObjectIdentity
flash.message = "${message(code: 'default.deleted.message', args: [message(code: 'aclObjectIdentity.label', default: 'AclObjectIdentity'), params.id])}"
redirect action: 'search'
}
catch (DataIntegrityViolationException e) {
withForm {
springSecurityUiService.deleteAclObjectIdentity aclObjectIdentity
flash.message = "${message(code: 'default.deleted.message', args: [message(code: 'aclObjectIdentity.label', default: 'AclObjectIdentity'), params.id])}"
redirect action: 'search'
}.invalidToken {
response.status = 400
log.warn("User: ${springSecurityService.currentUser.id} possible CSRF or double submit: $params")
flash.message = "${message(code: 'spring.security.ui.invalid.delete.form', args: [lookupClassName()])}"
forward action: 'search', model: []
}
} catch (DataIntegrityViolationException e) {
flash.error = "${message(code: 'default.not.deleted.message', args: [message(code: 'aclObjectIdentity.label', default: 'AclObjectIdentity'), params.id])}"
redirect action: 'edit', id: params.id
}
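Review bot: In the delete handler the `invalidToken` closure sets `flash.message` and then uses `forward` rather than `redirect`; if I read Grails flash semantics correctly, flash values live for the current and the next request, so the invalid-token message would be shown again on whatever page the user opens next. A request-scoped value, such as `request.message` or an entry in the forward's `model`, would confine it to the forwarded response; the same applies to the save and update handlers and to the sibling controllers. Separately, `withForm` here sits inside the existing `try { … } catch (DataIntegrityViolationException e)`, so a data-integrity failure from `deleteAclObjectIdentity` still reaches the catch; that is presumably intended and worth a one-line comment such as `// token check nested in try so the delete's integrity failure is still handled below`, since the nesting is easy to misread.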
Expand Up @@ -28,14 +28,22 @@ class AclSidController extends AbstractS2UiController {
}

def save() {
def aclSid = lookupClass().newInstance(params)
if (!aclSid.save(flush: true)) {
render view: 'create', model: [aclSid: aclSid]
withForm {
def aclSid = lookupClass().newInstance(params)
if (!aclSid.save(flush: true)) {
render view: 'create', model: [aclSid: aclSid]
return
}

flash.message = "${message(code: 'default.created.message', args: [message(code: 'aclSid.label', default: 'AclSid'), aclSid.id])}"
redirect action: 'edit', id: aclSid.id
}.invalidToken {
response.status = 400
log.warn("User: ${springSecurityService.currentUser.id} possible CSRF or double submit: $params")
flash.message = "${message(code: 'spring.security.ui.invalid.save.form', args: [lookupClassName()])}"
forward action: 'create', model: []
return
}

flash.message = "${message(code: 'default.created.message', args: [message(code: 'aclSid.label', default: 'AclSid'), aclSid.id])}"
redirect action: 'edit', id: aclSid.id
}

def edit() {
Expand All @@ -46,29 +54,44 @@ class AclSidController extends AbstractS2UiController {
}

def update() {
def aclSid = findById()
if (!aclSid) return
if (!versionCheck('aclSid.label', 'AclSid', aclSid, [aclSid: aclSid])) {
return
}
withForm {
def aclSid = findById()
if (!aclSid) return
if (!versionCheck('aclSid.label', 'AclSid', aclSid, [aclSid: aclSid])) {
return
}

if (!springSecurityUiService.updateAclSid(aclSid, params.sid, params.principal == 'on')) {
render view: 'edit', model: [aclSid: aclSid]
return
}

if (!springSecurityUiService.updateAclSid(aclSid, params.sid, params.principal == 'on')) {
render view: 'edit', model: [aclSid: aclSid]
flash.message = "${message(code: 'default.updated.message', args: [message(code: 'aclSid.label', default: 'AclSid'), aclSid.id])}"
redirect action: 'edit', id: aclSid.id
}.invalidToken {
response.status = 400
log.warn("User: ${springSecurityService.currentUser.id} possible CSRF or double submit: $params")
flash.message = "${message(code: 'spring.security.ui.invalid.update.form', args: [lookupClassName()])}"
forward action: 'search', model: []
return
}

flash.message = "${message(code: 'default.updated.message', args: [message(code: 'aclSid.label', default: 'AclSid'), aclSid.id])}"
redirect action: 'edit', id: aclSid.id
}

def delete() {
def aclSid = findById()
if (!aclSid) return

try {
springSecurityUiService.deleteAclSid aclSid
flash.message = "${message(code: 'default.deleted.message', args: [message(code: 'aclSid.label', default: 'AclSid'), params.id])}"
redirect action: 'search'
withForm {
springSecurityUiService.deleteAclSid aclSid
flash.message = "${message(code: 'default.deleted.message', args: [message(code: 'aclSid.label', default: 'AclSid'), params.id])}"
redirect action: 'search'
}.invalidToken {
response.status = 400
log.warn("User: ${springSecurityService.currentUser.id} possible CSRF or double submit: $params")
flash.message = "${message(code: 'spring.security.ui.invalid.delete.form', args: [lookupClassName()])}"
forward action: 'search', model: []
}
}
catch (DataIntegrityViolationException e) {
flash.error = "${message(code: 'default.not.deleted.message', args: [message(code: 'aclSid.label', default: 'AclSid'), params.id])}"
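Review bot: `withForm` only passes when the submitted form carries the synchronizer token, which means the corresponding GSPs must render `<g:form useToken="true">`; no view changes are in this excerpt, so unless they are in another commit of this PR every save, update and delete submission in this controller would land in `invalidToken` with a 400. It would help to state that dependency once above the first `withForm`, e.g. `// requires useToken="true" on the create/edit/delete forms`. The same applies to the other three controllers in this PR.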