You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jspwiki.apache.org by ju...@apache.org on 2022/07/12 21:03:40 UTC

[jspwiki] 07/25: new jspwiki-http module

This is an automated email from the ASF dual-hosted git repository.

juanpablo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git

commit 7c1255e2ec77cb000fc0abd411fc931758784abc
Author: Juan Pablo Santos Rodríguez <ju...@gmail.com>
AuthorDate: Tue Jul 12 22:45:42 2022 +0200

    new jspwiki-http module
    
    eventually it will contain all JSPWiki servlets, filters, listeners, etc. As for now it only contains a CSRF protection filter
---
 jspwiki-bom/pom.xml                                |  6 ++
 jspwiki-http/pom.xml                               | 91 ++++++++++++++++++++++
 .../wiki/http/filter/CsrfProtectionFilter.java     | 63 +++++++++++++++
 .../src/main/resources/META-INF/web-fragment.xml   | 34 ++++++++
 4 files changed, 194 insertions(+)

diff --git a/jspwiki-bom/pom.xml b/jspwiki-bom/pom.xml
index 3b85fea19..06729610f 100644
--- a/jspwiki-bom/pom.xml
+++ b/jspwiki-bom/pom.xml
@@ -73,6 +73,12 @@
         <version>${jspwiki.version}</version>
       </dependency>
 
+      <dependency>
+        <groupId>org.apache.jspwiki</groupId>
+        <artifactId>jspwiki-http</artifactId>
+        <version>${jspwiki.version}</version>
+      </dependency>
+
       <dependency>
         <groupId>org.apache.jspwiki</groupId>
         <artifactId>jspwiki-kendra-searchprovider</artifactId>
diff --git a/jspwiki-http/pom.xml b/jspwiki-http/pom.xml
new file mode 100644
index 000000000..d3d4fd993
--- /dev/null
+++ b/jspwiki-http/pom.xml
@@ -0,0 +1,91 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+  <parent>
+    <groupId>org.apache.jspwiki</groupId>
+    <artifactId>jspwiki-builder</artifactId>
+    <version>2.11.3-SNAPSHOT</version>
+  </parent>
+
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>jspwiki-http</artifactId>
+  <name>Apache JSPWiki http servlet and filters</name>
+
+  <dependencies>
+    <dependency>
+      <groupId>${project.groupId}</groupId>
+      <artifactId>jspwiki-api</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+
+	<dependency>
+      <groupId>${project.groupId}</groupId>
+      <artifactId>jspwiki-util</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-api</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-1.2-api</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>javax.servlet</groupId>
+      <artifactId>javax.servlet-api</artifactId>
+      <scope>provided</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-api</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-params</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-engine</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-core</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-junit-jupiter</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+</project>
diff --git a/jspwiki-http/src/main/java/org/apache/wiki/http/filter/CsrfProtectionFilter.java b/jspwiki-http/src/main/java/org/apache/wiki/http/filter/CsrfProtectionFilter.java
new file mode 100644
index 000000000..aed2ca8e4
--- /dev/null
+++ b/jspwiki-http/src/main/java/org/apache/wiki/http/filter/CsrfProtectionFilter.java
@@ -0,0 +1,63 @@
+package org.apache.wiki.http.filter;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.apache.wiki.api.core.Engine;
+import org.apache.wiki.api.core.Session;
+import org.apache.wiki.api.spi.Wiki;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+import java.io.PrintWriter;
+
+
+/**
+ * CSRF protection Filter which uses the synchronizer token pattern – an anti-CSRF token is created and stored in the
+ * user session and in a hidden field on subsequent form submits. At every submit the server checks the token from the
+ * session matches the one submitted from the form.
+ */
+public class CsrfProtectionFilter implements Filter {
+
+    private static final Logger LOG = LogManager.getLogger( CsrfProtectionFilter.class );
+
+    public static final String ANTICSRF_PARAM = "X-XSRF-TOKEN";
+
+    /** {@inheritDoc} */
+    @Override
+    public void init( final FilterConfig filterConfig ) {
+    }
+
+    /** {@inheritDoc} */
+    @Override
+    public void doFilter( final ServletRequest request, final ServletResponse response, final FilterChain chain ) throws IOException, ServletException {
+        if( "POST".equalsIgnoreCase( ( ( HttpServletRequest ) request ).getMethod() ) ) {
+            final Engine engine = Wiki.engine().find( request.getServletContext(), null );
+            final Session session = Wiki.session().find( engine, ( HttpServletRequest ) request );
+            if( !session.antiCsrfToken().equals( request.getParameter( ANTICSRF_PARAM ) ) ) {
+                LOG.error( "Incorrect {} param with value '{}' received for {}",
+                           ANTICSRF_PARAM, request.getParameter( ANTICSRF_PARAM ), ( ( HttpServletRequest ) request ).getPathInfo() );
+                final PrintWriter out = response.getWriter();
+                out.print("<!DOCTYPE html><html lang=\"en\"><head><title>Fatal problem with JSPWiki</title></head>");
+                out.print("<body>");
+                out.print("<h1>CSRF injection detected</h1>");
+                out.print("<p>A CSRF injection has been detected, so the request has been stopped</p>");
+                out.print("<p>Please check your system logs to pinpoint the request origin, someone's trying to mess with your installation.</p>");
+                out.print("</body></html>");
+                return;
+            }
+        }
+        chain.doFilter( request, response );
+    }
+
+    /** {@inheritDoc} */
+    @Override
+    public void destroy() {
+    }
+
+}
diff --git a/jspwiki-http/src/main/resources/META-INF/web-fragment.xml b/jspwiki-http/src/main/resources/META-INF/web-fragment.xml
new file mode 100644
index 000000000..606e68b10
--- /dev/null
+++ b/jspwiki-http/src/main/resources/META-INF/web-fragment.xml
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<web-fragment xmlns="http://java.sun.com/xml/ns/javaee"
+              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-fragment_3_0.xsd"
+              version="3.0">
+    <filter>
+      <filter-name>CsrfProtectionFilter</filter-name>
+      <filter-class>org.apache.wiki.http.filter.CsrfProtectionFilter</filter-class>
+    </filter>
+
+    <filter-mapping>
+      <filter-name>CsrfProtectionFilter</filter-name>
+      <url-pattern>/*</url-pattern>
+    </filter-mapping>
+</web-fragment>
\ No newline at end of file