[jira] [Comment Edited] (OFBIZ-11306) POC for CSRF Token
[ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17019637#comment-17019637 ]

Jacques Le Roux edited comment on OFBIZ-11306 at 1/20/20 5:06 PM:
--

Hi James,

Thanks for feedback.

bq. Do you have any link for further reading?

https://blog.clever-age.com/fr/2014/06/25/owasp-cross-site-request-forgery-csrf-ou-xsrf/

It's in French but I guess it's readable when translated by Google or maybe better Deepl.

I read in comment that using an IP address can be a problem if the user is browsing through Tor. So maybe not a good idea finally. Remains the timeout, and maybe we can find another static parameter to replace the IP as a JWT claim. Anyway all that is minor. A random value as you propose is safe enough IMO. Just that we can't limit it in time. We can discuss that later with the team...

was (Author: jacques.le.roux):
Hi James,

Thanks for feedback.

bq. Do you have any link for further reading?

https://blog.clever-age.com/fr/2014/06/25/owasp-cross-site-request-forgery-csrf-ou-xsrf/

It's in French but I guess it's readable when translated by Google or maybe better Deepl.

I read in comment that using an IP address can be a problem if the user is browsing through Tor, so maybe not a good idea finally. Remains the timeout, and maybe we can find another static parameter to replace the IP as a JWT claim. Anyway all that is minor. A random value as you propose is safe enough IMO. Just that we can't limit it in time. We can discuss that later with the team...

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using SecureRandom class.
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf token field.
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token to X-CSRF-Token in request header.
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token check during Ajax POST call.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
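A worked illustration of the "timeout" idea discussed in the comment above, written for this page and not part of OFBiz or of the attached patches: instead of a JWT, an HMAC-authenticated token carrying an expiry and a nonce, bound to the session id as the static claim that replaces the client IP (which changes behind Tor or NAT). The class name, the 24-byte payload layout and the 15-minute TTL are this example's own choices.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative expiring CSRF token: expiry + nonce, authenticated by an HMAC that also covers the session id. */
public final class ExpiringCsrfToken {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private final SecretKeySpec key;   // server-side secret, never sent to the browser
    private final long ttlMillis;      // the "Timeout" from the discussion

    public ExpiringCsrfToken(byte[] secret, long ttlMillis) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
        this.ttlMillis = ttlMillis;
    }

    /** Issue a token bound to sessionId, a claim that stays constant where a Tor or NAT client IP does not. */
    public String issue(String sessionId, long nowMillis) {
        byte[] payload = new byte[8 + 16];
        ByteBuffer.wrap(payload).putLong(nowMillis + ttlMillis);   // bytes 0-7: expiry
        byte[] nonce = new byte[16];
        RNG.nextBytes(nonce);
        System.arraycopy(nonce, 0, payload, 8, 16);                 // bytes 8-23: random nonce
        return ENC.encodeToString(payload) + "." + ENC.encodeToString(mac(payload, sessionId));
    }

    /** Accept only if the MAC is valid for this session and the embedded expiry is still in the future. */
    public boolean verify(String token, String sessionId, long nowMillis) {
        int dot = token == null ? -1 : token.indexOf('.');
        if (dot < 0) return false;
        byte[] payload, tag;
        try {
            payload = DEC.decode(token.substring(0, dot));
            tag = DEC.decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return false;   // not base64url: treat as forged
        }
        if (payload.length != 24) return false;
        // Constant-time MAC check first, so a forged payload is rejected before its expiry is even read.
        if (!MessageDigest.isEqual(mac(payload, sessionId), tag)) return false;
        return nowMillis < ByteBuffer.wrap(payload).getLong();
    }

    private byte[] mac(byte[] payload, String sessionId) {
        try {
            Mac h = Mac.getInstance("HmacSHA256");
            h.init(key);
            h.update(payload);
            h.update(sessionId.getBytes(StandardCharsets.UTF_8));
            return h.doFinal();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] secret = new byte[32];
        RNG.nextBytes(secret);
        ExpiringCsrfToken issuer = new ExpiringCsrfToken(secret, 15 * 60 * 1000L);
        long now = System.currentTimeMillis();
        String t = issuer.issue("sess-123", now);
        System.out.println("same session, fresh: " + issuer.verify(t, "sess-123", now + 1000));
        System.out.println("other session: " + issuer.verify(t, "sess-999", now + 1000));
        System.out.println("after the timeout: " + issuer.verify(t, "sess-123", now + 16 * 60 * 1000L));
    }
}
```

Because the session id is inside the MAC, the server keeps no per-token state, so the map-size limit discussed in the thread does not apply to this variant.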
[jira] [Commented] (OFBIZ-11306) POC for CSRF Token
[ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17019637#comment-17019637 ]

Jacques Le Roux commented on OFBIZ-11306:
-

Hi James,

Thanks for feedback.

bq. Do you have any link for further reading?

https://blog.clever-age.com/fr/2014/06/25/owasp-cross-site-request-forgery-csrf-ou-xsrf/

It's in French but I guess it's readable when translated by Google or maybe better Deepl.

I read in comment that using an IP address can be a problem if the user is browsing through Tor, so maybe not a good idea finally. Remains the timeout, and maybe we can find another static parameter to replace the IP as a JWT claim. Anyway all that is minor. A random value as you propose is safe enough IMO. Just that we can't limit it in time. We can discuss that later with the team...
[jira] [Commented] (OFBIZ-11306) POC for CSRF Token
[ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17019626#comment-17019626 ]

James Yong commented on OFBIZ-11306:

Hi Jacques,

Thanks for the check.

bq. Have you few examples of that (one would be sufficient)? We need to be sure that we are not missing anything.

forgotPassword

bq. Could you please explain where/how is that done? Is that depending on being a POST method as in tokenMap.remove(requestUri); in CsrfUtil::checkToken?

tokenMap.remove(requestUri)

bq. I'd prefer that we change all the "same uri for getting the form and posting the changes.". Somehow what you did for processorder in OFBIZ-11319

Agree we should use different uri for posting the form changes.

bq. Though I'd add preferred rather to add the token in a hidden field. I understand it's an easy way to automatically do it, and seems safe. As with the previous point we need to be sure that all forms use the POST method. Also we need to do it for at least ofbizContentUrl and check no others would miss it.

Will look into ofbizContextUrl.

bq. I suggest we make return size() > 100; in CsrfUtil::getTokenMap a properties to allow users to adjust in function of their needs.

Will add the property.

bq. Some recommend to encrypt IP and "Timeout" in the CSRF token and check. We could do that by using a JWT token rather than a random value. We could then check both IP and "Timeout" to increase safety.

Do you have any link for further reading?

Need more time to look into the remaining issues mentioned.
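An added illustration of the points exchanged above, written for this page and not OFBiz's CsrfUtil: the "size() > 100" limit as a constructor parameter (the value James agreed to make a property), tokenMap.remove(requestUri) on a successful POST check so a token is single-use, and path exemptions such as LookupPartyName. The class and method names are this sketch's own assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Illustrative per-session CSRF token store; a sketch, not OFBiz's CsrfUtil. */
public final class SessionCsrfStore {
    private static final SecureRandom RNG = new SecureRandom();

    private final int maxTokens;                 // stands in for the "size() > 100" limit, to become a property
    private final Set<String> exemptPaths;       // request paths exempt from the check, e.g. LookupPartyName
    private final Map<String, String> tokenMap;  // request URI -> token; the oldest entry is evicted at the cap

    public SessionCsrfStore(int maxTokens, Set<String> exemptPaths) {
        this.maxTokens = maxTokens;
        this.exemptPaths = exemptPaths;
        this.tokenMap = new LinkedHashMap<String, String>() {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, String> eldest) {
                return size() > SessionCsrfStore.this.maxTokens;
            }
        };
    }

    /** Called when a form or Ajax page is rendered: one fresh random token per target URI. */
    public synchronized String tokenFor(String requestUri) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokenMap.put(requestUri, token);
        return token;
    }

    /** Safe methods and exempt paths pass; a POST passes only with the token issued for its URI, consumed on success. */
    public synchronized boolean check(String method, String requestUri, String presented) {
        if (!"POST".equalsIgnoreCase(method) || exemptPaths.contains(requestUri)) {
            return true;
        }
        String expected = tokenMap.get(requestUri);
        if (expected == null || presented == null) {
            return false;
        }
        boolean ok = MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                           presented.getBytes(StandardCharsets.UTF_8)); // constant-time compare
        if (ok) {
            tokenMap.remove(requestUri);  // one-time use: presenting the same token again is rejected
        }
        return ok;
    }

    public static void main(String[] args) {
        SessionCsrfStore store = new SessionCsrfStore(2, Collections.singleton("LookupPartyName"));
        String t = store.tokenFor("updateProfile");
        System.out.println("first POST with issued token: " + store.check("POST", "updateProfile", t));
        System.out.println("same token presented again: " + store.check("POST", "updateProfile", t));
        System.out.println("exempt path without token: " + store.check("POST", "LookupPartyName", null));
        store.tokenFor("a"); store.tokenFor("b"); store.tokenFor("c");   // cap of 2 evicts the "a" token
        System.out.println("URI whose token was evicted: " + store.check("POST", "a", "stale"));
    }
}
```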
[jira] [Commented] (OFBIZ-11306) POC for CSRF Token
[ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17019453#comment-17019453 ]

Jacques Le Roux commented on OFBIZ-11306:
-

Previously I proposed and deleted solutions for SetTimeZoneFromBrowser. We can use a get method, here in common controller, the same should be used in Webpos:

{code:xml}
{code}

We need also to change setUserTimeZone.js:

{noformat}
diff --git themes/common-theme/webapp/common/js/util/setUserTimeZone.js themes/common-theme/webapp/common/js/util/setUserTimeZone.js index 4c29928..b840ebf 100644 --- themes/common-theme/webapp/common/js/util/setUserTimeZone.js +++ themes/common-theme/webapp/common/js/util/setUserTimeZone.js 
@@ -23,7 +23,7 @@ var timezone = moment.tz.guess(); $.ajax({ url: "SetTimeZoneFromBrowser", -type: "POST", +type: "GET", async: false, data: "localeName=" + timezone, error: function(error) { error: function(error) {
{noformat}

A "X-CSRF-Token" is useless since we use a get method...
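Review bot: changing type: "POST" to type: "GET" in the $.ajax call makes the request pass the token check only because, per the issue description, tokens are verified during POST; SetTimeZoneFromBrowser still updates server-side state (the user's time zone), so as a GET it is reachable cross-site without any token, which removes the protection rather than applying it. Keep the POST and send the token as the earlier (deleted) hunk in this thread does with beforeSend and setRequestHeader("X-CSRF-Token", ...), or, if the endpoint is judged harmless, exempt it explicitly with the new csrf-token attribute on the security tag so the exemption is visible in the controller instead of being implied by the verb. The matching controller change is in the empty {code:xml} block above and cannot be reviewed together with this hunk.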
[jira] [Updated] (OFBIZ-10472) Rename the misnamed setUserLocale.js to setUserTimeZone.js
[ https://issues.apache.org/jira/browse/OFBIZ-10472?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-10472:
Description: Because this name is confusing as it's only about handling user timezone. It was done with OFBIZ-9264 and improved/fixed since (was: Because this name is confusing as it's only about handling user timezone. It was done with OFBIZ-9264 and improved/fixed since)

> Rename the misnamed setUserLocale.js to setUserTimeZone.js
> --
>
> Key: OFBIZ-10472
> URL: https://issues.apache.org/jira/browse/OFBIZ-10472
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Trivial
> Fix For: 18.12.01
>
>
> Because this name is confusing as it's only about handling user timezone. It was done with OFBIZ-9264 and improved/fixed since
[jira] [Issue Comment Deleted] (OFBIZ-11306) POC for CSRF Token
[ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-11306:
Comment: was deleted

(was: Here is the solution for SetTimeZoneFromBrowser

{noformat}
diff --git themes/common-theme/webapp/common/js/util/setUserTimeZone.js themes/common-theme/webapp/common/js/util/setUserTimeZone.js index 4c29928..340182f 100644 --- themes/common-theme/webapp/common/js/util/setUserTimeZone.js +++ themes/common-theme/webapp/common/js/util/setUserTimeZone.js 
@@ -24,6 +24,9 @@ $.ajax({ url: "SetTimeZoneFromBrowser", type: "POST", +beforeSend: function(xhr,settings) { +xhr.setRequestHeader("X-CSRF-Token", $("meta[name='csrf-token']").attr("content")); + }, async: false, data: "localeName=" + timezone, error: function(error) {
{noformat}
)
[jira] [Commented] (OFBIZ-11306) POC for CSRF Token
[ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17019418#comment-17019418 ]

Jacques Le Roux commented on OFBIZ-11306:
-

Here is the solution for SetTimeZoneFromBrowser

{noformat}
diff --git themes/common-theme/webapp/common/js/util/setUserTimeZone.js themes/common-theme/webapp/common/js/util/setUserTimeZone.js index 4c29928..340182f 100644 --- themes/common-theme/webapp/common/js/util/setUserTimeZone.js +++ themes/common-theme/webapp/common/js/util/setUserTimeZone.js 
@@ -24,6 +24,9 @@ $.ajax({ url: "SetTimeZoneFromBrowser", type: "POST", +beforeSend: function(xhr,settings) { +xhr.setRequestHeader("X-CSRF-Token", $("meta[name='csrf-token']").attr("content")); + }, async: false, data: "localeName=" + timezone, error: function(error) {
{noformat}
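Review bot: the added beforeSend reads the token from $("meta[name='csrf-token']").attr("content"), which is undefined on any page that does not render that meta tag; the POST then goes out without a valid X-CSRF-Token value, fails the server-side token check, and the visible error: function(error) { handler gives no indication of why. Make sure the common decorator emits the tag on every page that loads setUserTimeZone.js (the issue description names the <@csrfTokenAjax> macro as the way to assign the token for Ajax calls), skip or log in beforeSend when the value is missing, and drop the unused settings parameter. This is the approach that keeps the POST and the token, so it is preferable to the later comment's switch to GET.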
[jira] [Issue Comment Deleted] (OFBIZ-11306) POC for CSRF Token
[ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-11306:
Comment: was deleted

(was: For SetTimeZoneFromBrowser we can use a get method, the same in Webpos:

{code:xml}
{code}
)
[jira] [Commented] (OFBIZ-11306) POC for CSRF Token
[ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17019409#comment-17019409 ]

Jacques Le Roux commented on OFBIZ-11306:
-

For SetTimeZoneFromBrowser we can use a get method, the same in Webpos:

{code:xml}
{code}
[jira] [Closed] (OFBIZ-11322) Replace deprecated Freemarker code
[ https://issues.apache.org/jira/browse/OFBIZ-11322?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-11322.
---
Resolution: Not A Problem

visitAndTransform is not part of OFBiz code but Freemarker code

> Replace deprecated Freemarker code
> --
>
> Key: OFBIZ-11322
> URL: https://issues.apache.org/jira/browse/OFBIZ-11322
> Project: OFBiz
> Issue Type: Improvement
> Reporter: Jacques Le Roux
> Priority: Minor
>
> While working on OFBIZ-11306 I stumbled upon things like (there are others)
> {code:java}
> void visitAndTransform(TemplateElement[] elementBuffer,
> Open Declaration freemarker.core.TemplateElement
> @Deprecated
> Deprecated. This is an internal FreeMarker API with no backward compatibility guarantees, so you shouldn't depend on it.
> Internal API - subject to change: Represent directive call, interpolation, text block, or other such non-expression node in the parsed template. Some information that can be found here can be accessed through the Environment.getCurrentDirectiveCallPlace(), which a published API, and thus promises backward compatibility.
> {code}
> We need to replace all this deprecated code.