Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSRF (Cross Site Request Forgery) Protection #1826

Merged
merged 108 commits into from
Oct 28, 2024
Merged

CSRF (Cross Site Request Forgery) Protection #1826

merged 108 commits into from
Oct 28, 2024

Conversation

sdelamo
Copy link
Contributor

@sdelamo sdelamo commented Oct 18, 2024
edited
Loading

After this PR gets merged, I will do a PR in Views to add a ViewModelProcessor which adds the CSRF token to the views seamlessly. I will also explore add it to the form generation api.

@sdelamo sdelamo added the type: enhancement New feature or request label Oct 18, 2024
@sdelamo sdelamo linked an issue Oct 18, 2024 that may be closed by this pull request
Consider providing an API to ease the implementation of CSRF Prevention #1074
Closed
@sdelamo sdelamo changed the title Csrf CSRF (Cross Site Request Forgery) Protection Oct 18, 2024
@sdelamo sdelamo self-assigned this Oct 18, 2024
@sdelamo sdelamo mentioned this pull request Oct 28, 2024
Merged
dstepanov
dstepanov requested changes Oct 28, 2024
View reviewed changes
security-csrf/src/main/java/io/micronaut/security/csrf/filter/CsrfFilter.java Outdated Show resolved Hide resolved
security-csrf/src/main/java/io/micronaut/security/csrf/filter/CsrfFilter.java
}

boolean shouldTheFilterProcessTheRequestAccordingToTheUriMatch(String uri) {
boolean matches = PathMatcher.REGEX.matches(csrfFilterConfiguration.getRegexPattern(), uri);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Compile the pattern and store in a field

Copy link
Contributor Author

@sdelamo sdelamo Oct 28, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That it is what RegexPathMatcher does. It stores it in a concurrent hash map.

security-csrf/src/main/java/io/micronaut/security/csrf/filter/CsrfFilter.java Show resolved Hide resolved
...-csrf/src/main/java/io/micronaut/security/csrf/filter/CsrfFilterConfigurationProperties.java
}

@Override
public String getRegexPattern() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe have the property named regex and regexPattern will return an instance of Pattern?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the name regex-pattern is appropriate. I want to convey is the pattern used for the filter. And I want to convey it is a regular expression not an ant pattern.

https://github.com/micronaut-projects/micronaut-core/blob/4.7.x/http/src/main/java/io/micronaut/http/annotation/RequestFilter.java#L90

The patterns this filter should match

security-csrf/src/main/java/io/micronaut/security/csrf/generator/CsrfHmacTokenGenerator.java Show resolved Hide resolved
...rity-csrf/src/main/java/io/micronaut/security/csrf/session/HttpSessionSessionIdResolver.java Outdated Show resolved Hide resolved
...ty-csrf/src/main/java/io/micronaut/security/csrf/validator/RepositoryCsrfTokenValidator.java Outdated Show resolved Hide resolved
...src/main/java/io/micronaut/security/token/jwt/validator/JsonWebTokenIdSessionIdResolver.java Outdated Show resolved Hide resolved
security-session/src/main/java/io/micronaut/security/session/DefaultSessionPopulator.java Outdated Show resolved Hide resolved
security/src/main/java/io/micronaut/security/session/CompositeSessionIdResolver.java Outdated Show resolved Hide resolved
@sdelamo
don’t use reactor
aba5267 
Use CompletableFuture<@nullable HttpResponse<?>>
@sdelamo
Use CollectionUtils::concat
bb937ad
@sdelamo
FutureCsrfTokenResolverAdapter pck private & final
2fb98bf
@sdelamo
CsrfSessionPopulator pck private & final
c70e6e6 
annotate with @internal as well.
@sdelamo
HttpSessionSessionIdResolver pck private & final
b6cd612 
annotate with @internal
@sdelamo
RepositoryCsrfTokenValidator pck private & final
816466c 
annotate with @internal
@sdelamo
JsonWebTokenIdSessionIdResolver pkg private and final
37517d3
@sdelamo
DefaultSessionPopulator package private and final
a89d437 
annotate also with @internal
@sdelamo
CompositeSessionIdResolver final and @internal
f2e2025
@sdelamo
CompositeCsrfTokenRepository final and internal
37a8bc0
@sdelamo
make possible to disable sessionidresolvers
7d4ecda
@sdelamo
test HttpSessionSessionIdResolver
41cffe0
@sdelamo
annotate it with @internal
3c66326
@sdelamo
ann interfaces with composite pattern with @indexed
aafcefb
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Oct 28, 2024
edited
Loading

Quality Gate Passed Quality Gate passed

Issues
5 New issues
4 Accepted issues

Measures
0 Security Hotspots
92.7% Coverage on New Code
2.0% Duplication on New Code

See analysis details on SonarCloud

@sdelamo sdelamo merged commit cbf942d into 4.11.x Oct 28, 2024
17 checks passed
@sdelamo sdelamo deleted the csrf branch October 28, 2024 14:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@n0tl3ss n0tl3ss n0tl3ss approved these changes

@yawkat yawkat yawkat approved these changes

@graemerocher graemerocher graemerocher approved these changes

@dstepanov dstepanov dstepanov approved these changes

Assignees

@sdelamo sdelamo

Labels
type: enhancement New feature or request
Projects
No open projects
4.7.0 Release
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Consider providing an API to ease the implementation of CSRF Prevention
5 participants
@sdelamo @yawkat @n0tl3ss @graemerocher @dstepanov