CONTINUUM-2622

Add CSRF prevention checks for sensitive actions

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.3.7, 1.4.0 (Beta)
    • Fix Version/s: 1.3.8
    • Component/s: Security
    • Labels: None
    • Complexity: Intermediate
    • Number of attachments: 0


        Activity

        Maria Odea Ching made changes -
        Field Original Value New Value
        Assignee Maria Odea Ching [ oching ]
        Fix Version/s 1.3.8 [ 17300 ]
        Maria Odea Ching added a comment -

        Added the following changes in -r1091098:

        • CSRF checks for delete actions and some save actions
        • added selenium tests for CSRF
        Maria Odea Ching made changes -
        Status Open [ 1 ] Closed [ 6 ]
        Resolution Fixed [ 1 ]
        Maria Odea Ching added a comment -

        Re-opening issue. Delete project group from project group summary is failing. It's always returning "Invalid token found in request" even though the token was passed.

        Maria Odea Ching made changes -
        Resolution Fixed [ 1 ]
        Status Closed [ 6 ] Reopened [ 4 ]
        Maria Odea Ching added a comment -

        Fixed in 1.3.x branch -r1092648 with the following changes:

        • do an explicit check for a random generated value in the action on remove project group (built-in token session interceptor doesn't work for projectGroupSummary page because the <s:action> tag (which executes result) for getting the projects in the group in the page causes a double submit)
        • enabled selenium test for remove project group csrf check
        Maria Odea Ching made changes -
        Status Reopened [ 4 ] Closed [ 6 ]
        Resolution Fixed [ 1 ]
        Maria Odea Ching added a comment -

        Merged to trunk in -r1092666.

        Maria Odea Ching added a comment -

        Additional changes committed in branch -r1099015 and merged in trunk -r1099019:

        • revert changes made in -r1092648 in csrf check for remove project group
        • check only on actual delete, do not check on confirm delete – separated remove project group and confirm remove project group into separate actions
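The one-time-token behaviour behind the reopen and the final fix, as an added Python illustration rather than Continuum's own (Java/Struts) code: `SessionTokens` and `ProjectGroupActions` are hypothetical stand-ins, and the flow assumes the confirmation page re-posts the token it received. Validating the token on both the confirmation step and the actual delete consumes it at the first check, so the second check reports "Invalid token found in request"; checking only on the real delete still rejects a request whose token was never issued to that session.

```python
import secrets

class InvalidToken(Exception):
    pass

class SessionTokens:
    # One-time CSRF tokens kept in the user's session (synchronizer token pattern).
    def __init__(self):
        self._valid = set()

    def issue(self):
        token = secrets.token_urlsafe(32)  # unguessable, minted per form render
        self._valid.add(token)
        return token

    def consume(self, token):
        if token not in self._valid:  # accepted exactly once, like a Struts token interceptor
            raise InvalidToken("Invalid token found in request")
        self._valid.discard(token)

class ProjectGroupActions:
    # Hypothetical stand-in for the Continuum actions named in the issue.
    def __init__(self, check_on_confirm):
        self.check_on_confirm = check_on_confirm
        self.session = SessionTokens()
        self.groups = {"group-a", "group-b"}  # constructed sample data

    def project_group_summary(self):
        return self.session.issue()  # the summary page embeds this in its remove form

    def confirm_remove_project_group(self, name, token):
        if self.check_on_confirm:  # checking here consumes the token before the real delete
            self.session.consume(token)
        return token  # the confirmation page re-posts the same token

    def remove_project_group(self, name, token):
        self.session.consume(token)  # the one place the check belongs
        self.groups.discard(name)
        return name not in self.groups

def run_delete_flow(check_on_confirm, forged_token=None):
    # Drive summary -> confirm -> delete; return "removed" or the rejection text.
    app = ProjectGroupActions(check_on_confirm)
    token = app.confirm_remove_project_group("group-a", app.project_group_summary())
    try:
        app.remove_project_group("group-a", forged_token if forged_token is not None else token)
    except InvalidToken as err:
        return str(err)
    return "removed"
```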
        Brett Porter made changes -
        Link This issue supercedes CONTINUUM-838 [ CONTINUUM-838 ]

          People

          • Assignee: Maria Odea Ching
          • Reporter: Maria Odea Ching
          • Votes: 0
          • Watchers: 0
