ofbiz-notifications mailing list archives

From "James Yong (Jira)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-11306) POC for CSRF Token
Date Mon, 20 Jan 2020 16:28:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17019626#comment-17019626 ]

James Yong commented on OFBIZ-11306:
------------------------------------

Hi Jacques,

Thanks for the check.

bq. Have you a few examples of that (one would be sufficient)? We need to be sure that we are
not missing anything.

forgotPassword

bq. Could you please explain where/how is that done? Is that depending on being a POST method
as in tokenMap.remove(requestUri); in CsrfUtil::checkToken?

tokenMap.remove(requestUri)

bq. I'd prefer that we change all the "same uri for getting the form and posting the changes".
Somehow what you did for processorder in OFBIZ-11319.

Agree we should use different uri for posting the form changes.

bq. Though I'd add preferred rather to add the token in a hidden field. I understand it's
an easy way to automatically do it, and seems safe. As with the previous point we need to
be sure that all forms use the POST method. Also we need to do it for at least ofbizContentUrl
and check no others would miss it.

Will look into ofbizContextUrl. 

bq. I suggest we make return size() > 100; in CsrfUtil::getTokenMap a property to allow
users to adjust it in function of their needs.

Will add the property.

bq. Some recommend to encrypt IP and "Timeout" in the CSRF token and check. We could do that
by using a JWT token rather than a random value. We could then check both IP and "Timeout"
to increase safety.

Do you have any link for further reading?


Need more time to look into the remaining issues mentioned.

> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch,
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch,
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch,
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using the SecureRandom class.
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf token
> field.
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token to
> X-CSRF-Token in request header.
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token check during
> Ajax POST call.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
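The sketch below is an added illustration of the token scheme the issue describes (SecureRandom token per request URI, kept in the user session, bounded in size, removed by the check so it is single use, with selected paths exempt). It is not OFBiz's CsrfUtil and not code from the thread; the class name, the method names and the system property "csrf.maxTokensPerSession" (standing in for the property proposed to replace the hard-coded `size() > 100`) are assumed here.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/*
 * Hypothetical sketch (not OFBiz code) of the per-URI, session-stored CSRF token
 * scheme discussed in OFBIZ-11306. All names are invented for this example.
 */
public class CsrfTokenSketch {

    // Bound on outstanding tokens per session; the default mirrors the 100 in the thread.
    // "csrf.maxTokensPerSession" is an assumed property name, not an OFBiz setting.
    static final int MAX_TOKENS_PER_SESSION = Integer.getInteger("csrf.maxTokensPerSession", 100);

    // Paths exempted from the check, standing in for the csrf-token attribute on the security tag.
    static final Set<String> EXEMPT_PATHS = Set.of("LookupPartyName");

    private static final SecureRandom RANDOM = new SecureRandom();

    // One map per user session: request URI -> outstanding token.
    // Insertion-ordered LinkedHashMap, so the oldest token is dropped once the bound is exceeded.
    static Map<String, String> newTokenMap() {
        Map<String, String> map = new LinkedHashMap<String, String>() {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, String> eldest) {
                return size() > MAX_TOKENS_PER_SESSION;
            }
        };
        return Collections.synchronizedMap(map); // a session is touched by concurrent requests
    }

    // 128 bits from SecureRandom, URL-safe base64 so it fits a hidden field or a header value.
    static String generateToken() {
        byte[] buf = new byte[16];
        RANDOM.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Called when a form (hidden field) or an Ajax page (X-CSRF-Token) is rendered for a target URI.
    static String issueToken(Map<String, String> tokenMap, String requestUri) {
        String token = generateToken();
        tokenMap.put(requestUri, token);
        return token;
    }

    // Verify on POST. The token is removed as part of the check, so it is single use:
    // a replay of the same submission fails until the form is rendered again.
    static boolean checkToken(Map<String, String> tokenMap, String method, String requestUri, String presented) {
        if (!"POST".equalsIgnoreCase(method)) {
            return true; // only state-changing POSTs carry a token in this scheme
        }
        if (EXEMPT_PATHS.contains(requestUri)) {
            return true; // e.g. Ajax lookups marked exempt via the security tag
        }
        String expected = tokenMap.remove(requestUri); // consumed whether or not it matches
        if (expected == null || presented == null) {
            return false;
        }
        // Constant-time comparison so the check does not leak how many leading bytes matched.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, String> session = newTokenMap();

        String token = issueToken(session, "updatePassword");
        System.out.println("valid POST:       " + checkToken(session, "POST", "updatePassword", token));
        System.out.println("replayed POST:    " + checkToken(session, "POST", "updatePassword", token));
        System.out.println("missing token:    " + checkToken(session, "POST", "updatePassword", null));
        System.out.println("exempt Ajax path: " + checkToken(session, "POST", "LookupPartyName", null));

        // Eviction: once more than MAX_TOKENS_PER_SESSION URIs hold tokens, the oldest one is dropped,
        // so a form rendered long ago in a busy session can no longer be submitted.
        String oldest = issueToken(session, "form0");
        for (int i = 1; i <= MAX_TOKENS_PER_SESSION; i++) {
            issueToken(session, "form" + i);
        }
        System.out.println("evicted oldest:   " + checkToken(session, "POST", "form0", oldest));
    }
}
```

Run it with `java CsrfTokenSketch.java` (Java 11 or later). The first check passes and the replay, the missing token and the evicted token all fail, while the exempt lookup path passes without a token; the last case is the trade-off behind making the bound a property, since a lower bound limits session memory but causes more forms to expire in sessions that open many of them.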
