[tomcat] branch 8.5.x updated: Improve CSRF prevention filter by exposing the request's current nonce to the request.

schultz Sat, 16 Nov 2019 07:58:49 -0800

This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git



The following commit(s) were added to refs/heads/8.5.x by this push:
     new 8c143ab  Improve CSRF prevention filter by exposing the request's 
current nonce to the request.
8c143ab is described below

commit 8c143abae26f9b0c49b233c3e7a9cb6cc5b1b0ed
Author: Christopher Schultz <ch...@christopherschultz.net>
AuthorDate: Sat Nov 16 10:54:36 2019 -0500

    Improve CSRF prevention filter by exposing the request's current nonce to 
the request.
---
 java/org/apache/catalina/filters/Constants.java    | 33 ++++++++++++++++++++++
 .../catalina/filters/CsrfPreventionFilter.java     |  5 ++++
 .../catalina/filters/CsrfPreventionFilterBase.java | 10 +++++++
 3 files changed, 48 insertions(+)

diff --git a/java/org/apache/catalina/filters/Constants.java 
b/java/org/apache/catalina/filters/Constants.java
index 4fe41cd..87dd6c4 100644
--- a/java/org/apache/catalina/filters/Constants.java
+++ b/java/org/apache/catalina/filters/Constants.java
@@ -25,12 +25,34 @@ package org.apache.catalina.filters;
  */
 public final class Constants {
 
+    /**
+     * The session attribute key under which the CSRF nonce
+     * cache will be stored.
+     */
     public static final String CSRF_NONCE_SESSION_ATTR_NAME =
         "org.apache.catalina.filters.CSRF_NONCE";
 
+    /**
+     * The request attribute key under which the current
+     * requests's CSRF nonce can be found.
+     */
+    public static final String CSRF_NONCE_REQUEST_ATTR_NAME =
+        "org.apache.catalina.filters.CSRF_REQUEST_NONCE";
+
+    /**
+     * The name of the request parameter which carries CSRF nonces
+     * from the client to the server for validation.
+     */
     public static final String CSRF_NONCE_REQUEST_PARAM =
         "org.apache.catalina.filters.CSRF_NONCE";
 
+    /**
+     * The servlet context attribute key under which the
+     * CSRF request parameter name can be found.
+     */
+    public static final String CSRF_NONCE_REQUEST_PARAM_NAME_KEY =
+        "org.apache.catalina.filters.CSRF_NONCE_PARAM_NAME";
+
     public static final String METHOD_GET = "GET";
 
     public static final String CSRF_REST_NONCE_HEADER_NAME = "X-CSRF-Token";
@@ -39,6 +61,17 @@ public final class Constants {
 
     public static final String CSRF_REST_NONCE_HEADER_REQUIRED_VALUE = 
"Required";
 
+    /**
+     * The session attribute key under which the CSRF REST nonce
+     * cache will be stored.
+     */
     public static final String CSRF_REST_NONCE_SESSION_ATTR_NAME =
         "org.apache.catalina.filters.CSRF_REST_NONCE";
+
+    /**
+     * The servlet context attribute key under which the
+     * CSRF REST header name can be found.
+     */
+    public static final String CSRF_REST_NONCE_HEDAER_NAME_KEY =
+        "org.apache.catalina.filters.CSRF_REST_NONCE_HEADER_NAME";
 }
diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilter.java 
b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
index 6833ed4..e09bdea 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java
@@ -128,6 +128,11 @@ public class CsrfPreventionFilter extends 
CsrfPreventionFilterBase {
 
             nonceCache.add(newNonce);
 
+            // Take this request's nonce and put it into the request
+            // attributes so pages can make direct use of it, rather than
+            // requiring the use of response.encodeURL.
+            request.setAttribute(Constants.CSRF_NONCE_REQUEST_ATTR_NAME, 
newNonce);
+
             wResponse = new CsrfResponseWrapper(res, newNonce);
         } else {
             wResponse = response;
diff --git a/java/org/apache/catalina/filters/CsrfPreventionFilterBase.java 
b/java/org/apache/catalina/filters/CsrfPreventionFilterBase.java
index c0083f0..8d401af 100644
--- a/java/org/apache/catalina/filters/CsrfPreventionFilterBase.java
+++ b/java/org/apache/catalina/filters/CsrfPreventionFilterBase.java
@@ -78,6 +78,16 @@ public abstract class CsrfPreventionFilterBase extends 
FilterBase {
         // Set the parameters
         super.init(filterConfig);
 
+        // Put the expected request parameter name into the application scope
+        filterConfig.getServletContext().setAttribute(
+                Constants.CSRF_NONCE_REQUEST_PARAM_NAME_KEY,
+                Constants.CSRF_NONCE_REQUEST_PARAM);
+
+        // Put the expected request header name into the application scope
+        filterConfig.getServletContext().setAttribute(
+                Constants.CSRF_REST_NONCE_HEDAER_NAME_KEY,
+                Constants.CSRF_REST_NONCE_HEADER_NAME);
+
         try {
             Class<?> clazz = Class.forName(randomClass);
             randomSource = (Random) clazz.getConstructor().newInstance();


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] branch 8.5.x updated: Improve CSRF prevention filter by exposing the request's current nonce to the request.

Reply via email to