MM-860: Implemented anti-csrf tokens for OpenMRS protection against C…

…SRF attacks
openmrs · Jul 16, 2021 · bbdb15e · bbdb15e
1 parent 241f1d5
commit bbdb15e
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 19 deletions.
diff --git a/.../test/java/org/openmrs/module/referenceapplication/ReferenceApplicationActivatorTest.java b/.../test/java/org/openmrs/module/referenceapplication/ReferenceApplicationActivatorTest.java
@@ -8,6 +8,7 @@
 import org.junit.Before;
 import org.junit.Test;
 import org.mockito.Mock;
+import org.mockito.ArgumentMatcher;
 import org.mockito.Mockito;
 import org.mockito.MockitoAnnotations;
 import org.openmrs.scheduler.SchedulerService;
@@ -47,16 +48,11 @@ public void shouldSaveNewTaskIfNotAlreadyRegistered() {
 
 		new ReferenceApplicationActivator().setupHL7ProcessingTask(schedulerService);
 
-		verify(schedulerService).saveTaskDefinition(Matchers.argThat(new BaseMatcher<TaskDefinition>() {
+		verify(schedulerService).saveTaskDefinition(Matchers.argThat(new ArgumentMatcher<TaskDefinition>() {
 
 			@Override
-			public boolean matches(Object obj) {
-				return obj instanceof TaskDefinition
-				        && ProcessHL7InQueueTask.class.getName().equals(((TaskDefinition) obj).getTaskClass());
-			}
-
-			@Override
-			public void describeTo(Description description) {				
+			public boolean matches(TaskDefinition obj) {
+				return ProcessHL7InQueueTask.class.getName().equals(obj.getTaskClass());
 			}
 		}));
 

diff --git a/api/src/test/resources/TestingApplicationContext.xml b/api/src/test/resources/TestingApplicationContext.xml
@@ -18,6 +18,11 @@
         <property name="mappingJarLocations">
             <ref bean="mappingJarResources"/>
         </property>
+        <property name="packagesToScan">
+            <list>
+                <value>org.openmrs</value>
+            </list>
+        </property>
         <!--  default properties must be set in the hibernate.default.properties -->
     </bean>
 

diff --git a/omod/src/main/webapp/pages/login.gsp b/omod/src/main/webapp/pages/login.gsp
@@ -188,6 +188,7 @@
                             <% } %>
                                 <input id="loginButton" class="btn ${ ui.message(selectLocation ? "btn-success" : "confirm") }" type="submit"
                                     value="${ ui.message(selectLocation ? "general.done" : "referenceapplication.login.button") }"/>
+                                <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
                             </p>
                             <% if(!selectLocation) {%>
                             <p>

diff --git a/pom.xml b/pom.xml
@@ -35,24 +35,24 @@
 
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-		<openMRSVersion>2.0.1</openMRSVersion>
+		<openMRSVersion>2.5.0-SNAPSHOT</openMRSVersion>
         	<webservicesRestModuleVersion>2.6</webservicesRestModuleVersion>
         	<appointmentschedulingVersion>1.3</appointmentschedulingVersion>
-		<appframeworkVersion>2.9</appframeworkVersion>
+		<appframeworkVersion>2.16.0</appframeworkVersion>
 		<referencemetadataVersion>2.5.0</referencemetadataVersion>
 		<reportingcompatibilityVersion>2.0.2</reportingcompatibilityVersion>
 		<calculationVersion>1.2</calculationVersion>
 		<serialization.xstreamVersion>0.2.12</serialization.xstreamVersion>
 		<reportingVersion>0.10.6</reportingVersion>
-		<htmlformentryVersion>3.3.0</htmlformentryVersion>
+		<htmlformentryVersion>4.0.1</htmlformentryVersion>
 		<htmlformentryuiVersion>1.6.1</htmlformentryuiVersion>
-		<idgenVersion>4.4.0</idgenVersion>
-		<registrationcoreVersion>1.6</registrationcoreVersion>
+		<idgenVersion>4.7.0</idgenVersion>
+		<registrationcoreVersion>1.11.0</registrationcoreVersion>
 		<namephoneticsVersion>1.5</namephoneticsVersion>
-		<metadatadeployVersion>1.7</metadatadeployVersion>
+		<metadatadeployVersion>1.13.0</metadatadeployVersion>
 		<metadatasharingVersion>1.2.2</metadatasharingVersion>
-		<emrapiVersion>1.21.0</emrapiVersion>
-		<providermanagementVersion>2.5.0</providermanagementVersion>
+		<emrapiVersion>1.31.0</emrapiVersion>
+		<providermanagementVersion>2.13.0</providermanagementVersion>
 		<uiframeworkVersion>3.21.0-SNAPSHOT</uiframeworkVersion>
 		<appuiVersion>1.7</appuiVersion>
 		<atlasVersion>2.2</atlasVersion>
@@ -63,7 +63,7 @@
 		<webservices.restVersion>2.16</webservices.restVersion>
 		<uicommonsVersion>2.12.0</uicommonsVersion>
 		<legacyuiVersion>1.2.3</legacyuiVersion>
-		<metadatamappingVersion>1.2.1</metadatamappingVersion>
+		<metadatamappingVersion>1.4.0</metadatamappingVersion>
 	</properties>
 
 	<dependencyManagement>
@@ -228,7 +228,7 @@
 
 			<dependency>
 	            <groupId>org.openmrs.module</groupId>
-	            <artifactId>htmlformentry-api-1.10</artifactId>
+	            <artifactId>htmlformentry-api-2.3</artifactId>
 	            <version>${htmlformentryVersion}</version>
 	            <scope>provided</scope>
 	        </dependency>
@@ -460,7 +460,7 @@
 
 		<dependency>
             <groupId>org.openmrs.module</groupId>
-            <artifactId>htmlformentry-api-1.10</artifactId>
+            <artifactId>htmlformentry-api-2.3</artifactId>
         </dependency>
 
         <dependency>