Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
ID: 0039123
Project: Openbravo ERP
Category: A. Platform
View Status: public
Date Submitted: 2018-08-13 10:03
Last Update: 2019-03-26 12:25
Reporter: jarmendariz
Assigned To: jarmendariz
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
5
 
Fixed in Version: 3.0PR19Q1
Review Assigned To: alostale
Modules: Core
Triggers an Emergency Pack: No
0039123: Add CSRF Token support
In order to protect against CSRF attacks, a session-generated token should be required in all requests that modify the state of the system (add, update and remove).

Project page: http://wiki.openbravo.com/wiki/Projects:CSRF_Token
See above
No tags attached.
related to | defect 0041748 | closed | cberner | Openbravo ERP | DeleteImageActionHandler is vulnerable to CSRF attacks
related to | design defect 0046303 | new | Retail | Retail Modules | Review if context change check mechanism should be deleted
related to | defect 0047888 | RR22Q1 | closed | cberner | Retail Modules | checkServerAvailability does not fail even if the session is corrupted
causes | defect 0040454 | closed | caristu | Openbravo ERP | CSRF Token Error after executing Copy Store Process
causes | defect 0039519 | closed | jarmendariz | Openbravo ERP | Not possible to book a Resource Reservation
Issue History
2018-08-13 10:03 | jarmendariz | New Issue
2018-08-13 10:03 | jarmendariz | Assigned To => platform
2018-08-13 10:03 | jarmendariz | Modules => Core
2018-08-13 10:03 | jarmendariz | Triggers an Emergency Pack => No
2018-08-13 10:03 | jarmendariz | Assigned To: platform => jarmendariz
2018-08-13 14:59 | jarmendariz | Review Assigned To => alostale
2018-10-18 12:42 | jarmendariz | Status: new => scheduled
2018-10-18 12:47 | hgbot | Checkin
2018-10-18 12:47 | hgbot | Note Added: 0107433
2018-10-18 12:47 | hgbot | Status: scheduled => resolved
2018-10-18 12:47 | hgbot | Resolution: open => fixed
2018-10-18 12:47 | hgbot | Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/43a7e93a946d76de69bb30b066d41a6647508b30
2018-10-18 13:05 | hgbot | Checkin
2018-10-18 13:05 | hgbot | Note Added: 0107434
2018-10-18 13:05 | hgbot | Fixed in SCM revision: http://code.openbravo.com/erp/devel/pi/rev/43a7e93a946d76de69bb30b066d41a6647508b30 => http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/af016486280cf52f5096d3cee2e9a376a745ede9
2018-10-18 13:57 | hgbot | Checkin
2018-10-18 13:57 | hgbot | Note Added: 0107436
2018-10-18 13:57 | hgbot | Checkin
2018-10-18 13:57 | hgbot | Note Added: 0107437
2018-10-18 17:29 | hgbot | Checkin
2018-10-18 17:29 | hgbot | Note Added: 0107448
2018-10-19 08:00 | alostale | Note Added: 0107452
2018-10-19 08:00 | alostale | Status: resolved => closed
2018-10-19 08:00 | alostale | Fixed in Version => 3.0PR19Q1
2018-10-24 10:26 | jarmendariz | Relationship added: related to 0039519
2018-12-11 20:22 | hudsonbot | Checkin
2018-12-11 20:22 | hudsonbot | Note Added: 0108437
2019-03-26 12:24 | caristu | Relationship added: causes 0040454
2019-03-26 12:25 | caristu | Relationship deleted: related to 0039519
2019-03-26 12:25 | caristu | Relationship added: causes 0039519
2019-09-04 12:43 | cberner | Relationship added: related to 0041748
2021-04-20 08:10 | caristu | Relationship added: related to 0046303
2021-10-20 07:14 | alostale | Relationship added: related to 0047888

Notes
(0107433)
hgbot   
2018-10-18 12:47   
Repository: erp/devel/pi
Changeset: 43a7e93a946d76de69bb30b066d41a6647508b30
Author: Javier Armendáriz <javier.armendariz <at> openbravo.com>
Date: Thu Oct 18 12:42:31 2018 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/43a7e93a946d76de69bb30b066d41a6647508b30

Fixed issue 39123: Adding CSRF token support

---
M modules/org.openbravo.client.application/src/org/openbravo/client/application/navigationbarcomponents/UserInfoWidgetActionHandler.java
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form-notes.js
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/main/ob-standard-view-datasource.js
M modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/ApplicationDynamicComponent.java
M modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/templates/application-dynamic-js.ftl
M modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/DataSourceServlet.java
M modules/org.openbravo.service.datasource/web/org.openbravo.service.datasource/js/ob-datasource-utilities.js
M modules/org.openbravo.service.json/src/org/openbravo/service/json/JsonConstants.java
M modules/org.openbravo.userinterface.smartclient/web/org.openbravo.userinterface.smartclient/js/ob-smartclient.js
M src-db/database/model/tables/AD_SESSION.xml
M src-db/database/sourcedata/AD_COLUMN.xml
M src-db/database/sourcedata/AD_ELEMENT.xml
M src-db/database/sourcedata/AD_MESSAGE.xml
M src-test/src/org/openbravo/test/AllAntTaskTests.java
M src-test/src/org/openbravo/test/AllQuickAntTaskTests.java
M src-test/src/org/openbravo/test/AllTests.java
M src-test/src/org/openbravo/test/AllWebserviceTests.java
M src-test/src/org/openbravo/test/AntTaskTests.java
M src-test/src/org/openbravo/test/datasource/BaseDataSourceTestDal.java
M src-test/src/org/openbravo/test/datasource/BaseDataSourceTestNoDal.java
M src-test/src/org/openbravo/test/datasource/DataSourceSecurity.java
M src-test/src/org/openbravo/test/datasource/DatasourceTestUtil.java
M src-test/src/org/openbravo/test/datasource/ResetCookieOnLogin.java
M src-test/src/org/openbravo/test/datasource/TestNoteDatasource.java
M src-test/src/org/openbravo/test/selector/TestSelectorDefaultFilterActionHandler.java
M src-test/src/org/openbravo/test/views/ETagGeneration.java
M src/org/openbravo/authentication/AuthenticationManager.java
M src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java
M src/org/openbravo/base/secureApp/LoginHandler.java
M src/org/openbravo/base/secureApp/LoginUtils.java
M src/org/openbravo/base/secureApp/VariablesSecureApp.java
M src/org/openbravo/dal/core/OBContext.java
A src-test/src/org/openbravo/test/security/CSRFAttackTest.java
---
(0107434)
hgbot   
2018-10-18 13:05   
Repository: erp/pmods/org.openbravo.mobile.core
Changeset: af016486280cf52f5096d3cee2e9a376a745ede9
Author: Javier Armendáriz <javier.armendariz <at> openbravo.com>
Date: Thu Oct 18 13:05:01 2018 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/af016486280cf52f5096d3cee2e9a376a745ede9

Fixed issue 39123: Adding CSRF token support for POST requests

---
M src/org/openbravo/mobile/core/authenticate/MobileKeyAuthenticationManager.java
M src/org/openbravo/mobile/core/login/MobileCoreLoginHandler.java
M src/org/openbravo/mobile/core/login/MobileCoreLoginUtilsServlet.java
M src/org/openbravo/mobile/core/process/JSONProcessSimple.java
M src/org/openbravo/mobile/core/process/MobileService.java
M web/org.openbravo.mobile.core/source/data/ob-datasource.js
M web/org.openbravo.mobile.core/source/data/ob-requestrouter.js
M web/org.openbravo.mobile.core/source/model/ob-terminal-model.js
M web/org.openbravo.mobile.core/source/utils/ob-utilities.js
---
(0107436)
hgbot   
2018-10-18 13:57   
Repository: tools/automation/pi-mobile
Changeset: 7c085641901ea0659381280f5a9f06e1eca6da13
Author: Javier Armendáriz <javier.armendariz <at> openbravo.com>
Date: Tue Sep 18 11:11:05 2018 +0200
URL: http://code.openbravo.com/tools/automation/pi-mobile/rev/7c085641901ea0659381280f5a9f06e1eca6da13

Related to issue 39123: Created test case for CSRF attack.

- Created a new abstract AuthenticatedPOS test case to test HTTP requests on
a live POS environment.
- Used this test case to test the behavior of a POST request when the CSRF token
is present and when it's not.

---
M src-test/org/openbravo/test/mobile/retail/mobilecore/webservice/WebServicesHelper.java
M src-test/org/openbravo/test/mobile/retail/pack/selenium/suites/concurrent/job003/WebServiceSuite.java
M src-test/org/openbravo/test/mobile/retail/pack/selenium/suites/concurrent/job014/WebServiceSuite.java
A src-test/org/openbravo/test/mobile/retail/pack/webservice/tests/authrequest/AuthenticatedPOSRequestTest.java
A src-test/org/openbravo/test/mobile/retail/pack/webservice/tests/authrequest/POSCsrfAttackTest.java
---
(0107437)
hgbot   
2018-10-18 13:57   
Repository: tools/automation/pi-mobile
Changeset: f58b3f7454fad72febb1027db3a8e59e56b629a5
Author: Javier Armendáriz <javier.armendariz <at> openbravo.com>
Date: Thu Oct 18 13:57:23 2018 +0200
URL: http://code.openbravo.com/tools/automation/pi-mobile/rev/f58b3f7454fad72febb1027db3a8e59e56b629a5

Related to issue 39123: Adding CSRF token support

---
M src-test/org/openbravo/test/mobile/retail/mobilecore/webservice/WebServicesHelper.java
M src-test/org/openbravo/test/mobile/retail/pack/selenium/suites/concurrent/job003/WebServiceSuite.java
M src-test/org/openbravo/test/mobile/retail/pack/selenium/suites/concurrent/job014/WebServiceSuite.java
A src-test/org/openbravo/test/mobile/retail/pack/webservice/tests/authrequest/AuthenticatedPOSRequestTest.java
A src-test/org/openbravo/test/mobile/retail/pack/webservice/tests/authrequest/POSCsrfAttackTest.java
---
(0107448)
hgbot   
2018-10-18 17:29   
Repository: erp/pmods/org.openbravo.mobile.core
Changeset: 97f627f0fe30c3aa111c7f5c2c973f5b308e6b87
Author: Javier Armendáriz <javier.armendariz <at> openbravo.com>
Date: Thu Oct 18 17:28:30 2018 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/97f627f0fe30c3aa111c7f5c2c973f5b308e6b87

Related to issue 39123: Removed empty line at end of file added by merge.

---
M web/org.openbravo.mobile.core/source/model/ob-terminal-model.js
---
(0107452)
alostale   
2018-10-19 08:00   
reviewed https://docs.google.com/spreadsheets/d/1Q8cABvlY7ibP9vdEMT0SoDAUtm6WNR5mPi-I76tofww/edit?ts=5b728b6b#gid=0
(0108437)
hudsonbot   
2018-12-11 20:22   
A changeset related to this issue has been promoted to main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/470e3cd384c5
Maturity status: Test