[jira] [Commented] (OFBIZ-10427) Add a mean to handle CSRF (CVE-2019-0235)
[ https://issues.apache.org/jira/browse/OFBIZ-10427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16929737#comment-16929737 ]
Jacques Le Roux commented on OFBIZ-10427:

(flag) As long as this issue is not fixed, I recommend all users with any version to use https://www.owasp.org/index.php/CSRFProtector_Project#tab=Apache_Module

> Add a mean to handle CSRF (CVE-2019-0235)
>
> Key: OFBIZ-10427
> URL: https://issues.apache.org/jira/browse/OFBIZ-10427
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Minor
> Attachments: webtools_web.xml.patch
>
> I already worked on that in OFBiz but without success so far:
> https://markmail.org/message/r245yie623cdo3wz)
> The tracks I explored are:
> * https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project (really not simple in OFBiz)
> * https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#CSRF_Prevention_Filter/Introduction (I think preferred)

--
This message was sent by Atlassian Jira (v8.3.2#803003)
[jira] [Commented] (OFBIZ-10427) Add a mean to handle CSRF
[ https://issues.apache.org/jira/browse/OFBIZ-10427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16665982#comment-16665982 ]
Deepak Nigam commented on OFBIZ-10427:

For using a nonce with the CSRF prevention filter provided by Tomcat, we need to make sure that we use the transform in every URL.
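The mechanism behind Deepak's remark (the nonce only reaches a page through URLs that the application runs through the servlet response's encoding methods), shown as an added example written for this page; it is not OFBiz code and not Tomcat's CsrfPreventionFilter. The class name NonceUrlFilter, the session attribute _CSRF_NONCE_ and the query parameter csrfNonce are assumptions:

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Hypothetical filter (example code, not OFBiz or Tomcat code) showing the outbound half of a
 * nonce scheme: the response is wrapped so every URL the application passes through
 * encodeURL()/encodeRedirectURL() carries the session nonce. Links built by plain string
 * concatenation bypass the wrapper and arrive without a nonce, which is exactly what a
 * "transform in every URL" rule is meant to prevent. Verifying the nonce on inbound requests
 * is a separate concern and is not done here.
 */
public class NonceUrlFilter implements Filter {
    public static final String NONCE_ATTR = "_CSRF_NONCE_"; // session attribute name (assumed)
    public static final String NONCE_PARAM = "csrfNonce";   // query parameter name (assumed)
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Response wrapper that appends the nonce to every encoded URL. */
    public static class NonceAppendingResponse extends HttpServletResponseWrapper {
        private final String nonce;

        public NonceAppendingResponse(HttpServletResponse response, String nonce) {
            super(response);
            this.nonce = nonce;
        }

        @Override
        public String encodeURL(String url) {
            return super.encodeURL(appendNonce(url, nonce));
        }

        @Override
        public String encodeRedirectURL(String url) {
            return super.encodeRedirectURL(appendNonce(url, nonce));
        }
    }

    /**
     * Adds "?csrfNonce=..." ("&csrfNonce=..." when a query string exists) before any fragment.
     * Absolute URLs with a scheme or "//" are left alone so the nonce never goes to another
     * origin; URLs already carrying the parameter are returned unchanged.
     */
    static String appendNonce(String url, String nonce) {
        if (url == null || nonce == null) return url;
        if (url.startsWith("http://") || url.startsWith("https://") || url.startsWith("//")) return url;
        if (url.contains(NONCE_PARAM + "=")) return url;
        String fragment = "";
        int hash = url.indexOf('#');
        if (hash >= 0) {
            fragment = url.substring(hash);
            url = url.substring(0, hash);
        }
        String separator = url.indexOf('?') >= 0 ? "&" : "?";
        try {
            return url + separator + NONCE_PARAM + "=" + URLEncoder.encode(nonce, "UTF-8") + fragment;
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always present
        }
    }

    /** Per-session nonce, created on first use (128 random bits, URL-safe base64). */
    static String sessionNonce(HttpSession session) {
        String nonce = (String) session.getAttribute(NONCE_ATTR);
        if (nonce == null) {
            byte[] bytes = new byte[16];
            RANDOM.nextBytes(bytes);
            nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
            session.setAttribute(NONCE_ATTR, nonce);
        }
        return nonce;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // Everything downstream (controller, templates, redirects) sees the wrapped response.
        chain.doFilter(request, new NonceAppendingResponse(res, sessionNonce(req.getSession())));
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Mapped to /* in web.xml, the wrapper makes `response.encodeURL("/webtools/control/main")` come back as `/webtools/control/main?csrfNonce=...`, which is the only way the nonce gets onto a link or redirect; any URL assembled by concatenation never sees the wrapper and will be refused by whatever filter checks the nonce on the way in. Absolute URLs are skipped deliberately so the token is not handed to another origin through an outbound link.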
[jira] [Commented] (OFBIZ-10427) Add a mean to handle CSRF
[ https://issues.apache.org/jira/browse/OFBIZ-10427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16662022#comment-16662022 ]
Jacques Le Roux commented on OFBIZ-10427:

While working on this issue I stumbled upon this interesting alternative: https://www.owasp.org/index.php/CSRFProtector_Project#tab=Apache_Module
[jira] [Commented] (OFBIZ-10427) Add a mean to handle CSRF
[ https://issues.apache.org/jira/browse/OFBIZ-10427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16660097#comment-16660097 ]
Girish Vasmatkar commented on OFBIZ-10427:

Hi Jacques

Thank you for the information. Yes, the "nonce" should provide the required protection. SameSite is still in its infancy and will hopefully improve further. I am currently not working on implementing a custom filter, so please feel free with your implementation. Also, if a per-request "nonce" is giving more problems, we can also implement a per-session "nonce". Most use cases can live with a per-session nonce and may not require a per-request implementation. Those were my two cents based on my knowledge. Please feel free to correct or enlighten me :).

Best,
Girish
[jira] [Commented] (OFBIZ-10427) Add a mean to handle CSRF
[ https://issues.apache.org/jira/browse/OFBIZ-10427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16658930#comment-16658930 ]
Jacques Le Roux commented on OFBIZ-10427:

Hi Girish,

You mentioned "SameSite cookie" at https://markmail.org/message/lafktxeiedp5papb. I actually already gave it a try with OFBIZ-9865 but decided to revert because of side effects. I'm not sure this will be needed once we have a nonce associated with each request (I'm still working on it). Nevertheless, I want to note here that I put this comment then in r1812540:
bq. // TODO maybe one day the ServletContext will allow to do that, then better in WebAppServletContextListener
[jira] [Commented] (OFBIZ-10427) Add a mean to handle CSRF
[ https://issues.apache.org/jira/browse/OFBIZ-10427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16658144#comment-16658144 ]
Jacques Le Roux commented on OFBIZ-10427:

Hi Girish,

This comment is to let you know that I'm working on a simple and possibly complete OFBiz internal solution with a nonce.
[jira] [Commented] (OFBIZ-10427) Add a mean to handle CSRF
[ https://issues.apache.org/jira/browse/OFBIZ-10427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16608439#comment-16608439 ]
Jacques Le Roux commented on OFBIZ-10427:

Hi Girish,

I have not reviewed nor tested it yet. It's indeed a way to go. The others so far being made by Gregory in the security ML. I completely missed putting them in [my answer in dev ML|https://s.apache.org/XPhR] with my answers to Gregory's suggestions then (3 months ago, on a related subject including CSRF). Here they are:
{quote}
> So to do that, I recommend to perform a SHA512 of the user's session (as it is unpredictable) and then you pass this value in the body request. Then the application checks it is okay by hashing the session value and comparing it with the value that has been passed.
{quote}
That's an idea, I'll get deeper into this. Because I believe the Tomcat CSRF filter is too limited for our use in OFBiz
{quote}
> Maybe through Java Aspect? I don't know if it is supported?
{quote}
We don't use Java Aspect (yet). Anyway I'll consider it also beside building our own filter. I must add that maybe subclassing the Tomcat filter is easier, better, etc. We have to compare both solutions and if needed discuss them again in dev ML.

Since we already began to discuss there, at this stage I think we can start here :)
[jira] [Commented] (OFBIZ-10427) Add a mean to handle CSRF
[ https://issues.apache.org/jira/browse/OFBIZ-10427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16607972#comment-16607972 ]
Girish Vasmatkar commented on OFBIZ-10427:

Hi Jacques

I am attaching a patch for the web.xml changes. Alas, this filter does not support wildcards yet, so there are lots of URLs in the entryPoints param. Not an ideal way to go about it, unless we write our own implementation, probably by subclassing this filter and providing wildcards. For now, I have provided a patch for the webtools web.xml. Similar entry points will have to be determined and applied for each web-app. Please review and let me know of any issue or concern you may have. [https://localhost:8443/webtools/] should not produce a forbidden response now, and you should also see the nonce added to each request.
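An added example, written for this page rather than taken from OFBiz or Tomcat, of the custom filter the thread keeps circling back to: Girish's per-session nonce, a prefix wildcard for entryPoints (which he notes the Tomcat filter lacks), and, as a second token source, a keyed variant of the "SHA512 of the session" idea Jacques quotes from Gregory (HMAC-SHA512 with a server secret instead of a bare hash, so the token cannot be derived from the session id alone). SessionNonceFilter, the attribute _CSRF_NONCE_, the parameter csrfNonce, the header X-CSRF-Nonce and the entryPoints init-param syntax are all assumed names:

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import java.util.stream.Collectors;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Hypothetical per-session CSRF nonce filter (example code, not OFBiz or Tomcat code).
 * Init-param "entryPoints": comma-separated paths exempt from the check; a trailing '*'
 * makes an entry a prefix wildcard (e.g. "/common/js/*"), which the Tomcat filter lacks.
 */
public class SessionNonceFilter implements Filter {
    public static final String NONCE_ATTR = "_CSRF_NONCE_";   // session attribute name (assumed)
    public static final String NONCE_PARAM = "csrfNonce";     // request parameter name (assumed)
    public static final String NONCE_HEADER = "X-CSRF-Nonce"; // header for AJAX calls (assumed)
    private static final Set<String> SAFE_METHODS = new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS"));
    private static final SecureRandom RANDOM = new SecureRandom();
    private List<String> entryPoints = new ArrayList<>();

    @Override
    public void init(FilterConfig config) {
        entryPoints = parseEntryPoints(config.getInitParameter("entryPoints"));
    }

    /** Splits the comma-separated init-param, dropping blanks. */
    static List<String> parseEntryPoints(String raw) {
        if (raw == null) return new ArrayList<>();
        return Arrays.stream(raw.split(",")).map(String::trim)
                .filter(p -> !p.isEmpty()).collect(Collectors.toList());
    }

    /** Exempt when the path equals an entry, or starts with it for entries ending in '*'. */
    static boolean isEntryPoint(List<String> entryPoints, String path) {
        for (String entry : entryPoints) {
            boolean wildcard = entry.endsWith("*");
            if (wildcard ? path.startsWith(entry.substring(0, entry.length() - 1)) : entry.equals(path)) {
                return true;
            }
        }
        return false;
    }

    /** Per-session nonce: 128 random bits, created once per session and stored in it. */
    static String sessionNonce(HttpSession session) {
        synchronized (session) {
            String nonce = (String) session.getAttribute(NONCE_ATTR);
            if (nonce == null) {
                byte[] bytes = new byte[16];
                RANDOM.nextBytes(bytes);
                nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
                session.setAttribute(NONCE_ATTR, nonce);
            }
            return nonce;
        }
    }

    /** Stateless alternative, a keyed variant of the "SHA512 of the session" idea: HMAC-SHA512 over
     *  the session id with a server-side secret, so nothing is stored and the token cannot be
     *  computed from the session id alone. The key must stay secret and stable across nodes. */
    static String derivedNonce(String sessionId, byte[] serverKey) {
        try {
            Mac mac = Mac.getInstance("HmacSHA512");
            mac.init(new SecretKeySpec(serverKey, "HmacSHA512"));
            byte[] tag = mac.doFinal(sessionId.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HMAC-SHA512 unavailable", e);
        }
    }

    /** Constant-time comparison so a timing difference does not reveal a matching prefix. */
    static boolean nonceMatches(String expected, String presented) {
        if (expected == null || presented == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());
        String expected = sessionNonce(req.getSession());
        // Only state-changing methods are checked; GET/HEAD/OPTIONS pass without a nonce.
        if (!SAFE_METHODS.contains(req.getMethod()) && !isEntryPoint(entryPoints, path)) {
            String presented = req.getParameter(NONCE_PARAM);
            if (presented == null) presented = req.getHeader(NONCE_HEADER);
            if (!nonceMatches(expected, presented)) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        req.setAttribute(NONCE_ATTR, expected); // templates put it in a hidden field or AJAX header
        chain.doFilter(request, response);
    }

    @Override public void destroy() { }
}
```

Declared in web.xml like any filter, with an entryPoints init-param such as `/webtools/control/checkLogin,/common/js/*`, it rejects POST/PUT/DELETE requests that carry no matching nonce and leaves GET alone. That is the trade-off to weigh against the Tomcat filter: checking only unsafe methods keeps static assets out of entryPoints entirely, but it protects nothing for an action the application performs on a GET link, which must then be checked as well or moved to POST. If the application rotates the session id at login, a derived nonce issued before authentication stops matching afterwards, which is the right outcome.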
[jira] [Commented] (OFBIZ-10427) Add a mean to handle CSRF
[ https://issues.apache.org/jira/browse/OFBIZ-10427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16501622#comment-16501622 ]
Jacques Le Roux commented on OFBIZ-10427:

Following http://tomcat.10.x6.nabble.com/Help-with-CsrfPreventionFilter-tp2173495p2173508.html and before considering creating my own code, I also tried this config (thanks APL for the formatting), to no avail so far; I still get a 403.
{code}
Index: web.xml === --- web.xml (revision 1832887) +++ web.xml (working copy)
@@ -46,6 +46,17 @@ +CSRFPreventionFilter +CSRFPreventionFilter + org.apache.catalina.filters.CsrfPreventionFilter + +entryPoints + /webtools/control/checkLogin,/common/js/jquery/jquery-3.2.1.min.js,/common/js/jquery/jquery-migrate-3.0.0.min.js,/common/js/jquery/plugins/browser-plugin/jquery.browser-0.1.0.min.js,/common/js/jquery/ui/jquery-ui-1.12.1.min.js,/common/js/jquery/plugins/select2/js/select2-4.0.6.js,/common/js/jquery/plugins/datetimepicker/jquery-ui-timepicker-addon-1.6.3.min.js,/common/js/jquery/plugins/fjTimer/jquerytimer-min.js,/common/js/jquery/plugins/mask/jquery.mask-1.14.13.min.js,/common/js/jquery/plugins/jeditable/jquery.jeditable-1.7.3.js,/common/js/jquery/plugins/validate/jquery.validate.min.js,/common/js/plugins/OpenLayers-2.13.1-modified-for-CSP-.js,/common/js/jquery/plugins/elrte-1.3/js/elrte.min.js,/common/js/util/OfbizUtil.js,/common/js/util/fieldlookup.js,/common/js/plugins/date/date.format-1.2.3-min.js,/common/js/plugins/date/date.timezone-min.js,/common/js/util/miscAjaxFunctions.js,/common/js/util/selectMultipleRelatedValues.js,/common/js/util/util.js,/common/js/jquery/plugins/jsTree/jquery.jstree.js,/common/js/jquery/ui/js/jquery.cookie-1.4.0.js,/common/js/plugins/date/FromThruDateCheck.js,/flatgrey/js/application.js,/rainbowstone/js/less.min.js,/common/js/plugins/moment-timezone/moment-with-locales.min.js,/common/js/plugins/moment-timezone/moment-timezone-with-data.min.js,/common/js/util/setUserLocale.js,/common/js/jquery/plugins/select2/js/i18n/fr.js,/common/js/jquery/plugins/datetimepicker/i18n/jquery-ui-timepicker-fr.js,/common/js/jquery/plugins/validate/localization/messages_fr.js,/common/js/jquery/ui/i18n/datepicker-fr.js,/common/js/jquery/plugins/datejs/date-fr-FR.js,/common/js/jquery/plugins/Readmore.js-master/readmore.js,/common/js/jquery/plugins/jquery-jgrowl/jquery.jgrowl-1.4.6.min.js,/common/js/jquery/plugins/jquery-jgrowl/jquery.jgrowl-1.4.6.min.css,/common/js/jquery/plugins/elrte-1.3/css/elrte.min.css,/common/js/jquery/ui/j
query-ui-1.12.1.min.css,/common/js/jquery/plugins/datetimepicker/jquery-ui-timepicker-addon-1.6.3.min.css,/common/js/jquery/plugins/select2/css/select2-4.0.6.css,/rainbowstone/style.css,/rainbowstone/flag-icon.min.css,/rainbowstone/javascript.css + + + + ControlFilter ControlFilter org.apache.ofbiz.webapp.control.ControlFilter @@ -64,6 +75,10 @@ org.apache.ofbiz.webapp.control.ContextFilter +CSRFPreventionFilter +/* + + ControlFilter /*
{code}
It's
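Review bot: the entryPoints value in the first hunk pins every static asset by its versioned file name (jquery-3.2.1.min.js, select2-4.0.6.js, jquery-ui-1.12.1.min.css and so on) and lists only the French locale files (select2 i18n/fr.js, messages_fr.js, datepicker-fr.js, date-fr-FR.js), so any library upgrade or any other user locale brings the 403 straight back; with the mapping at /* in the second hunk and no wildcard support, this list can only grow. If the configuration is kept, the list should be produced from one shared source rather than copied by hand into each web-app's web.xml, and the reason /webtools/control/checkLogin is exempted (no nonce can exist before the first response of the session) deserves a comment next to it.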
[jira] [Commented] (OFBIZ-10427) Add a mean to handle CSRF
[ https://issues.apache.org/jira/browse/OFBIZ-10427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16498968#comment-16498968 ]
Jacques Le Roux commented on OFBIZ-10427:

I have recently worked again on this topic, trying to set up the Tomcat CSRF filter. I have not succeeded yet, and here are some causes. As said in the documentation
{quote}
This filter provides basic CSRF protection for a web application. The filter assumes that it is mapped to /* and that all URLs returned to the client are encoded via a call to HttpServletResponse#encodeRedirectURL(String) or HttpServletResponse#encodeURL(String).
{quote}
So I initially used the simplest web.xml configuration in webtools only, w/o putting and at last position.
{code:java}
CSRFPreventionFilter CSRFPreventionFilter CSRFPreventionFilter /*
{code}
And I checked whether we are encoding as requested. It's not the case, so I made these changes only to test:
{code:java}
Index: ControlFilter.java === --- ControlFilter.java (revision 1832691) +++ ControlFilter.java (working copy) @@ -111,10 +111,11 @@ if (httpRequest.getSession().getAttribute("_FORCE_REDIRECT_") == null) { httpRequest.getSession().setAttribute("_FORCE_REDIRECT_", "true"); Debug.logWarning("Redirecting user to: " + redirectPath, module); + if (redirectPathIsUrl) { -httpResponse.sendRedirect(redirectPath); +httpResponse.sendRedirect(((HttpServletResponse) response).encodeRedirectURL(redirectPath)); } else { -httpResponse.sendRedirect(httpRequest.getContextPath() + redirectPath); +httpResponse.sendRedirect(((HttpServletResponse) response).encodeRedirectURL(httpRequest.getContextPath() + redirectPath)); } return; } else {
@@ -143,9 +144,9 @@ httpResponse.sendError(errorCode, httpRequest.getRequestURI()); } else { if (redirectPathIsUrl) { -httpResponse.sendRedirect(redirectPath); +httpResponse.sendRedirect(((HttpServletResponse) response).encodeRedirectURL(redirectPath)); } else { - httpResponse.sendRedirect(httpRequest.getContextPath() + redirectPath); +httpResponse.sendRedirect(((HttpServletResponse) response).encodeRedirectURL(httpRequest.getContextPath() + redirectPath)); } } if (Debug.infoOn()) { Index: RequestHandler.java === --- RequestHandler.java (revision 1832691) +++ RequestHandler.java (working copy) 
@@ -1180,7 +1180,7 @@ newURL.append(url); String encodedUrl; -if (encode) { +if (true) { encodedUrl = response.encodeURL(newURL.toString()); } else { encodedUrl = newURL.toString();
{code}
to no avail. I always got a 403:
{code:java}
HTTP Status 403 | Forbidden Type Status Report Description The server understood the request but refuses to authorize it. Apache Tomcat/9.0.7
{code}
So I tried to put the filter at the top, same issue. Then I began to add entryPoints in , knowing that they don't support wildcards (so in a way it's quite limited). The last set I tried was
{code:java}
entryPoints /catalog/control/main,/webtools/control/main,/webtools/control/login
{code}
I put _/catalog/control/main_ because I initially tried to come from there. I then tried manually _/webtools/control/login_ and _/webtools/control/main_, same issue. Desperately I then set a huge nonceCacheSize (every call creates a nonce, for instance js, css, img, etc.) and if one of them is OK then it's OK (not totally sure of that, but anyway with a large cache more is allowed)
{code:java}
nonceCacheSize 100
{code}
Still no success. I stopped there for now but I'll continue to try if a way is possible. I think the best would be to adapt the CsrfPreventionFilter class to our needs. I did not look at the source in detail yet, let's see...
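Review bot: in both ControlFilter.java hunks the cast `((HttpServletResponse) response)` is redundant, since `httpResponse` is the same object and is already used on those very lines (`httpResponse.sendRedirect(...)`), so `httpResponse.encodeRedirectURL(redirectPath)` says the same with less noise. The first hunk also adds an empty line (the lone `+` before `if (redirectPathIsUrl)`, which is why it grows from 10 to 11 lines), and the same four-line redirect block now appears twice in the file; a small helper, for instance a hypothetical `sendEncodedRedirect(httpResponse, path)`, would keep the encoding call in one place so a later edit cannot fix one copy and forget the other.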
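Review bot: the RequestHandler.java hunk, `-if (encode) { +if (true) {`, leaves the `encode` flag unused and the `else` branch unreachable, so it cannot land as-is even though the comment says it is for testing only. If the conclusion is that every URL must pass through `response.encodeURL` for the CSRF filter's nonce to be appended, remove the branch and the flag rather than hard-wiring the condition, and audit callers that assemble URLs without going through this method, because those links will still reach the browser without a nonce and produce the 403 described above.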