You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2020/04/12 11:18:00 UTC

[jira] [Commented] (OFBIZ-11306) POC for CSRF Token (CVE-2019-0235)

    [ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17081753#comment-17081753 ] 

ASF subversion and git services commented on OFBIZ-11306:
---------------------------------------------------------

Commit e4871226249b7c5dcb51931b81bf5cdb79d7810f in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=e487122 ]

Fixed: "entity/list" request is not handled well

(OFBIZ-11593)

The "entity/list" request has been put in with OFBIZ-11007. It's used to call
the entitymaint view and so is a demo/didactic duplicate of entitymaint request.
It's only used in FindGeneric screen (look for WebtoolsBackToEntityList label).
It's problematic because since the CSRF token defense was put in you can no
longer filter the entities from the entities list screen, even when the default
NoCsrfDefenseStrategy is used. It works if you use the entitymaint request
instead.

Anyway, 2020-01-19 I proposed in OFBIZ-11306 a solution for such cases.
It was not used because 2020-02-14 I thought it was no longer needed,
but it's necessary for this case, and maybe others not already detected.

Here it's implementation (only trunk)


> POC for CSRF Token (CVE-2019-0235)
> ----------------------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, CsrfUtil.java, OFBIZ-11306-alternative merged with James's.patch, OFBIZ-11306-alternative merged with James's.patch, OFBIZ-11306-alternative merged with James's.patch, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, partyTokenMap.webtools.txt
>
>
> CRSF tokens are generated using SecureRandom class (maybe later a JWT with a "time out"). 
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the change. Using <@ofbizUrl> macro to generate the CSRF token means there is no need to manually add the CSRF token field to each form in the ftl files. It will save time for users doing custom implementation and maintenance.  While there is CSRF token in the form URL, the token is invalidated during form submission. So it's unique and harmless even though the CSRF token of the form submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token will not change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs out or session invalidated.
> The general rule are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF token check. (Note there are discussions that RequestMap with ‘all’ method should also not be subjected to CSRF token check. This will be done after ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the general rules above.
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside the constructor of RequestMap class) when determining the final securityCsrfToken value.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)