26 changes: 23 additions & 3 deletions
26
console/src/main/java/org/togglz/console/handlers/edit/EditPageHandler.java
Added CSRF protection to the togglz console via a CSRF token passed b…
…etween the server and the client. This remediates the vulnerability CVE-2020-28191 by blocking CSRF attacks, as the attacker will not be able to guess the CSRF token value. (#495) This has been implemented with either the session timeout of the application the togglz console is embedded in, or, if no user session is available, a default 10 minute timeout for the CSRF token. This CSRF token does not interfere with either OWASP's CSRFGuard or Spring-Security's CSRF protection if they are used within the application. Co-authored-by: Joseph Beeton <joseph.p.beeton1@aexp.com>
Showing
10 changed files
with
124 additions
and
5 deletions.
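--- a/console/src/main/java/org/togglz/console/security/TogglzCSRFTokenCache.java
+++ b/console/src/main/java/org/togglz/console/security/TogglzCSRFTokenCache.java
@@ -0,0 +1,32 @@
+package org.togglz.console.security;
+
+import java.util.HashMap;
+import java.util.concurrent.TimeUnit;
+
+import org.apache.commons.collections4.map.PassiveExpiringMap;
+import org.togglz.servlet.spi.CSRFToken;
+
+public class TogglzCSRFTokenCache {
+
+private static final PassiveExpiringMap<String, CSRFToken> expiringMap;
+private static final Object lock = new Object();
+static {
+PassiveExpiringMap.ConstantTimeToLiveExpirationPolicy<String, CSRFToken>
+expirationPolicy = new PassiveExpiringMap.ConstantTimeToLiveExpirationPolicy<>(
+10, TimeUnit.MINUTES);
+expiringMap = new PassiveExpiringMap<>(expirationPolicy, new HashMap<>());
+}
+
+public static void cacheToken(CSRFToken token) {
+synchronized (lock) {
+expiringMap.put(token.getValue(), token);
+}
+}
+
+public static boolean isTokenInCache(CSRFToken token) {
+synchronized (lock) {
+return expiringMap.containsKey(token.getValue());
+}
+}
+
+}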
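Review bot: `isTokenInCache` accepts any token value present in the single static map, so a token is not bound to the session or principal it was issued to — a token minted for one console user is accepted on any other user's request for the rest of its 10-minute TTL. The commit message describes session-scoped handling, but none is visible in this class; if it lives in EditPageHandler, a class-level Javadoc here should say so, e.g. `/** Fallback store for CSRF tokens when no HttpSession is available: tokens are keyed by value only and expire 10 minutes after creation. */`. PassiveExpiringMap only evicts when it is touched and nothing bounds the number of live entries, so every request that mints a token grows this map until expiry; a comment acknowledging the trade-off, or a size cap, would help the next maintainer. Tokens are also never removed on successful validation, so a value stays usable for its whole TTL, which is acceptable for the synchronizer-token pattern but worth stating.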
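--- a/console/src/main/java/org/togglz/console/security/TogglzCSRFTokenProvider.java
+++ b/console/src/main/java/org/togglz/console/security/TogglzCSRFTokenProvider.java
@@ -0,0 +1,25 @@
+package org.togglz.console.security;
+
+import java.util.UUID;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.togglz.servlet.spi.CSRFToken;
+import org.togglz.servlet.spi.CSRFTokenProvider;
+
+import static org.togglz.console.security.TogglzCSRFTokenValidator.CSRF_TOKEN_NAME;
+
+public class TogglzCSRFTokenProvider implements CSRFTokenProvider {
+
+@Override
+public CSRFToken getToken(HttpServletRequest request) {
+CSRFToken token;
+if (request.getAttribute(CSRF_TOKEN_NAME) == null) {
+token = new CSRFToken(CSRF_TOKEN_NAME, UUID.randomUUID().toString());
+TogglzCSRFTokenCache.cacheToken(token);
+} else {
+token = new CSRFToken(CSRF_TOKEN_NAME, request.getAttribute(CSRF_TOKEN_NAME).toString());
+}
+return token;
+}
+}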
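Review bot: The token minted in the `if` branch is cached but never stored back on the request, so a second `getToken` call during the same request (a page rendering two forms, for instance) mints and caches another token; adding `request.setAttribute(CSRF_TOKEN_NAME, token.getValue());` after `TogglzCSRFTokenCache.cacheToken(token);` keeps one token per request. Conversely, the `else` branch returns whatever the attribute holds without caching it, which only validates later if the component that set the attribute (not visible in this commit) also cached it — that assumption deserves a comment on the `else`. A Javadoc on `getToken` should state that the request attribute, being server-side, is the only existing source consulted and that a fresh random token is generated and cached otherwise.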
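--- a/console/src/main/java/org/togglz/console/security/TogglzCSRFTokenValidator.java
+++ b/console/src/main/java/org/togglz/console/security/TogglzCSRFTokenValidator.java
@@ -0,0 +1,22 @@
+package org.togglz.console.security;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.togglz.servlet.spi.CSRFToken;
+import org.togglz.servlet.spi.CSRFTokenValidator;
+
+public class TogglzCSRFTokenValidator implements CSRFTokenValidator {
+
+
+public static final String CSRF_TOKEN_NAME = "togglz_csrf";
+
+@Override
+public boolean isTokenValid(HttpServletRequest request) {
+String token = request.getParameter(CSRF_TOKEN_NAME);
+if(token==null) {
+return false;
+} else {
+return TogglzCSRFTokenCache.isTokenInCache(new CSRFToken(CSRF_TOKEN_NAME,token));
+}
+}
+}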
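Review bot: `isTokenValid` decides by global cache membership alone and never compares the submitted value against a token issued to the current session, so the check only proves that some console request produced this value within the TTL; this limitation should be stated in a Javadoc, e.g. `/** Accepts the request only if the {@code togglz_csrf} form parameter names a token still present in TogglzCSRFTokenCache; a missing parameter fails closed. */`. The token is read only via `request.getParameter`, so a header-borne token is rejected — fine for the form-posting console, but worth noting in the same comment. The null check and `else` collapse to `return token != null && TogglzCSRFTokenCache.isTokenInCache(new CSRFToken(CSRF_TOKEN_NAME, token));`, which also fixes the `if(token==null)` spacing, and the double blank line after the class header can become one.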
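--- a/console/src/main/resources/META-INF/services/org.togglz.servlet.spi.CSRFTokenProvider
+++ b/console/src/main/resources/META-INF/services/org.togglz.servlet.spi.CSRFTokenProvider
@@ -0,0 +1 @@
+org.togglz.console.security.TogglzCSRFTokenProvider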
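--- a/console/src/main/resources/META-INF/services/org.togglz.servlet.spi.CSRFTokenValidator
+++ b/console/src/main/resources/META-INF/services/org.togglz.servlet.spi.CSRFTokenValidator
@@ -0,0 +1 @@
+org.togglz.console.security.TogglzCSRFTokenValidator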
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| <div style="text-align: center;"> | ||
| <h1>ERROR</h1> | ||
| <h1><small>Invalid CSRF Token, please refresh browser from the main Togglz page.</small></h1> | ||
| </div> |
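--- a/servlet/src/main/java/org/togglz/servlet/spi/CSRFTokenValidator.java
+++ b/servlet/src/main/java/org/togglz/servlet/spi/CSRFTokenValidator.java
@@ -0,0 +1,9 @@
+package org.togglz.servlet.spi;
+
+import javax.servlet.http.HttpServletRequest;
+
+public interface CSRFTokenValidator {
+
+
+boolean isTokenValid(HttpServletRequest request);
+}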
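Review bot: The new SPI method carries no Javadoc, yet implementers loaded via META-INF/services need its contract spelled out: where the token is expected to travel (form parameter, header or both), and that a request without a token must yield `false`. Suggest a method comment such as `/** Returns true only if the request carries a CSRF token that was issued by the matching CSRFTokenProvider and is still live; implementations must fail closed when no token is present. */`, plus an interface-level summary naming it as the counterpart of CSRFTokenProvider. The two blank lines after the interface header can be reduced to one.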