From ac4e28e2c5aa9faf5fd0cebfddb835a0c02bb15e Mon Sep 17 00:00:00 2001
From: yogur
Date: Wed, 1 Nov 2023 14:34:15 +0100
Subject: [PATCH 1/2] Add CSRF protection to workspace settings forms

---
 .../onpremises/web/security/CsrfSecurityRequestMatcher.java | 2 +-
 .../src/main/webapp/WEB-INF/views/images.jsp | 1 +
 .../src/main/webapp/WEB-INF/views/users.jsp | 1 +
 .../src/main/webapp/WEB-INF/views/workspace-settings.jsp | 5 +++++
 4 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/structurizr-onpremises/src/main/java/com/structurizr/onpremises/web/security/CsrfSecurityRequestMatcher.java b/structurizr-onpremises/src/main/java/com/structurizr/onpremises/web/security/CsrfSecurityRequestMatcher.java
index f4b157e..aa2830e 100644
--- a/structurizr-onpremises/src/main/java/com/structurizr/onpremises/web/security/CsrfSecurityRequestMatcher.java
+++ b/structurizr-onpremises/src/main/java/com/structurizr/onpremises/web/security/CsrfSecurityRequestMatcher.java
@@ -14,7 +14,7 @@ public boolean matches(HttpServletRequest request) {
 String uri = request.getRequestURI();
 if (
- uri.startsWith("/login")
+ uri.startsWith("/login") || uri.startsWith("/workspace")
 ) {
 return true;
 }
diff --git a/structurizr-onpremises/src/main/webapp/WEB-INF/views/images.jsp b/structurizr-onpremises/src/main/webapp/WEB-INF/views/images.jsp
index f125cb2..1fed0a1 100644
--- a/structurizr-onpremises/src/main/webapp/WEB-INF/views/images.jsp
+++ b/structurizr-onpremises/src/main/webapp/WEB-INF/views/images.jsp
@@ -32,6 +32,7 @@
+
diff --git a/structurizr-onpremises/src/main/webapp/WEB-INF/views/users.jsp b/structurizr-onpremises/src/main/webapp/WEB-INF/views/users.jsp
index 3dced47..f805834 100644
--- a/structurizr-onpremises/src/main/webapp/WEB-INF/views/users.jsp
+++ b/structurizr-onpremises/src/main/webapp/WEB-INF/views/users.jsp
@@ -47,6 +47,7 @@
+
diff --git a/structurizr-onpremises/src/main/webapp/WEB-INF/views/workspace-settings.jsp b/structurizr-onpremises/src/main/webapp/WEB-INF/views/workspace-settings.jsp
index 04114bf..fde93a5 100644
--- a/structurizr-onpremises/src/main/webapp/WEB-INF/views/workspace-settings.jsp
+++ b/structurizr-onpremises/src/main/webapp/WEB-INF/views/workspace-settings.jsp
@@ -82,12 +82,14 @@
+
@@ -110,12 +112,14 @@
+
+
@@ -135,6 +139,7 @@
+
From 14ae72ae9f77378d5d64e42e32bff93fed27ef19 Mon Sep 17 00:00:00 2001
From: yogur
Date: Wed, 28 Aug 2024 09:57:12 +0200
Subject: [PATCH 2/2] Use regex for specific CSRF uri matching

---
 .../web/security/CsrfSecurityRequestMatcher.java | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/structurizr-onpremises/src/main/java/com/structurizr/onpremises/web/security/CsrfSecurityRequestMatcher.java b/structurizr-onpremises/src/main/java/com/structurizr/onpremises/web/security/CsrfSecurityRequestMatcher.java
index aa2830e..0d519ac 100644
--- a/structurizr-onpremises/src/main/java/com/structurizr/onpremises/web/security/CsrfSecurityRequestMatcher.java
+++ b/structurizr-onpremises/src/main/java/com/structurizr/onpremises/web/security/CsrfSecurityRequestMatcher.java
@@ -13,9 +13,18 @@ public boolean matches(HttpServletRequest request) {
 if ("POST".equals(method)) {
 String uri = request.getRequestURI();
- if (
- uri.startsWith("/login") || uri.startsWith("/workspace")
- ) {
+ /*
+ * Matches URIs like:
+ * /login*
+ * /workspace/123/images/delete
+ * /workspace/123/private
+ * /workspace/123/public
+ * /workspace/123/unshare
+ * /workspace/123/share
+ * /workspace/123/delete
+ */
+ if (uri.startsWith("/login")
+ || uri.matches("/workspace/\\d+/(images/delete|private|public|unshare|share|delete)")) {
 return true;
 }
 }
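Review bot: The new `uri.matches(...)` condition is an allowlist of paths that *require* a CSRF token, so any request that still reaches the same controller but whose raw `getRequestURI()` differs from the pattern silently skips the check — a trailing slash, a `;jsessionid=…` path parameter (Spring MVC strips semicolon content before routing by default) or a non-root context path such as `/app/workspace/1/delete` would all fail to match; which of these actually route to the handler depends on the Spring version and deployment, so confirm against the running stack. The robust shape is the inverse: require the token for every non-safe method (POST, PUT, PATCH, DELETE — the hunk only checks `"POST"`) and exempt just the endpoints that must stay token-free, which is also how Spring Security's default CSRF matcher behaves. Separately, `String.matches` recompiles the regex on every request; hoist it to `private static final Pattern CSRF_PROTECTED = Pattern.compile("/workspace/\\d+/(images/delete|private|public|unshare|share|delete)");` and test with `CSRF_PROTECTED.matcher(uri).matches()`, moving the block comment onto that field. The body of `matches` continues past the end of the hunk.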