Continuum: CONTINUUM-2622

Add CSRF prevention checks for sensitive actions

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.3.7, 1.4.0 (Beta)
    • Fix Version/s: 1.3.8
    • Component/s: Security
    • Labels: None

        Activity

        Maria Odea Ching added a comment -

        Additional changes committed in branch -r1099015 and merged in trunk -r1099019:

        • revert changes made in -r1092648 in csrf check for remove project group
        • check only on actual delete, do not check on confirm delete – separated remove project group and confirm remove project group into separate actions

        Maria Odea Ching added a comment -

        Merged to trunk in -r1092666.

        Maria Odea Ching added a comment -

        Fixed in 1.3.x branch -r1092648 with the following changes:

        • do an explicit check for a random generated value in the action on remove project group (built-in token session interceptor doesn't work for projectGroupSummary page because the <s:action> tag (which executes result) for getting the projects in the group in the page causes a double submit)
        • enabled selenium test for remove project group csrf check
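The explicit token check the two comments above describe (issue a random value when the confirm page is rendered, verify it only on the actual delete, never on the confirm step), as an added example that is not Continuum's code: the session is modelled as a plain Map, the two actions as methods, and the session attribute name is assumed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Illustration only: not Continuum's code, and no Struts dependency.
public class RemoveProjectGroupCsrfExample {
    // Assumed attribute name; the real project's key is not given on the page.
    static final String TOKEN_KEY = "removeProjectGroupCsrfToken";
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Confirm step: render only. Issues a fresh random token for the confirm form and checks nothing. */
    public static String confirmRemoveProjectGroup(Map<String, Object> session) {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(TOKEN_KEY, token); // server-side copy that a cross-site page cannot read
        return token;                  // embedded as a hidden field of the confirm form
    }

    /** Actual delete: proceeds only when the submitted value matches the session copy. */
    public static String removeProjectGroup(Map<String, Object> session, String submittedToken) {
        Object expected = session.get(TOKEN_KEY);
        if (expected == null || submittedToken == null) {
            return "Invalid token found in request";
        }
        byte[] a = ((String) expected).getBytes(StandardCharsets.UTF_8);
        byte[] b = submittedToken.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(a, b)) { // constant-time comparison
            return "Invalid token found in request";
        }
        // Single use: consumed by the real delete only, so re-rendering the confirm
        // page (e.g. via a nested <s:action> result) cannot burn the token first.
        session.remove(TOKEN_KEY);
        return "project group removed";
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String token = confirmRemoveProjectGroup(session);
        System.out.println(removeProjectGroup(session, "forged-value")); // rejected, token kept
        System.out.println(removeProjectGroup(session, token));          // accepted, token consumed
        System.out.println(removeProjectGroup(session, token));          // replay rejected
    }
}
```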
        Maria Odea Ching added a comment -

        Re-opening issue. Delete project group from project group summary is failing. It's always returning "Invalid token found in request" even though the token was passed.

        Maria Odea Ching added a comment -

        Added the following changes in -r1091098:

        • CSRF checks for delete actions and some save actions
        • added selenium tests for CSRF

          People

          • Assignee: Maria Odea Ching
          • Reporter: Maria Odea Ching