Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
ID: 0051321
Project: Openbravo ERP
Category: A. Platform
View Status: public
Date Submitted: 2023-01-10 15:16
Last Update: 2024-02-26 14:00
Reporter: AugustoMauch
Assigned To: jarmendariz
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
5
Fixed in Version: PR24Q2
Modules: Core
Triggers an Emergency Pack: No
0051321: Improve CSRF coverage to cover some missing POST requests
Description:
POST requests of action handlers covered by KernelServlet are not checking the CSRF token (i.e. change of role from WebPOS).

A CSRF token check should be added here [1].

[1] https://gitlab.com/openbravo/product/openbravo/-/blob/master/modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/KernelServlet.java#L291

Steps to Reproduce:
1. Open WebPOS.
2. Change the role.
3. Notice that no CSRF token is included, but the POST request is processed with success (see image).
No tags attached.
Relationships:
causes defect 0054801 (closed, jarmendariz, POS2): Error while forcing "Close Tills" from Backend
causes defect 0055012 (pi, closed, meriem_azaf, Openbravo ERP): Business API Data Load window: Not possible to load the data - InvalidCSRFToken

Attached Files:
0051321.png (30,111 bytes), 2023-10-24 15:03: https://issues.openbravo.com/file_download.php?file_id=19089&type=bug
POST_Request_200.png (234,243 bytes), 2024-01-25 10:58: https://issues.openbravo.com/file_download.php?file_id=19386&type=bug
POST_Request_No_CSRF.png (219,679 bytes), 2024-01-25 10:59: https://issues.openbravo.com/file_download.php?file_id=19387&type=bug
Issue History
Date Modified | Username | Field | Change
2023-01-10 15:16 | AugustoMauch | New Issue |
2023-01-10 15:16 | AugustoMauch | Assigned To | => gdagnesses
2023-01-10 15:16 | AugustoMauch | Modules | => Core
2023-01-10 15:16 | AugustoMauch | Triggers an Emergency Pack | => No
2023-01-10 16:27 | hgbot | Note Added: 0145243 |
2023-01-12 09:42 | AugustoMauch | Status | new => scheduled
2023-10-24 15:01 | fermin_ostivar | Note Added: 0156231 |
2023-10-24 15:01 | fermin_ostivar | Assigned To | gdagnesses =>
2023-10-24 15:03 | fermin_ostivar | File Added: 0051321.png |
2023-12-05 14:07 | hector_hernaez | Issue Monitored: hector_hernaez |
2023-12-21 13:33 | egoitz | Assigned To | => AugustoMauch
2024-01-25 10:57 | AugustoMauch | Summary | Improve CSRF coverage => Improve CSRF coverage to cover some missing POST requests
2024-01-25 10:57 | AugustoMauch | Description Updated | bug_revision_view_page.php?rev_id=27401#r27401
2024-01-25 10:57 | AugustoMauch | Steps to Reproduce Updated | bug_revision_view_page.php?rev_id=27403#r27403
2024-01-25 10:58 | AugustoMauch | File Added: POST_Request_200.png |
2024-01-25 10:59 | AugustoMauch | File Added: POST_Request_No_CSRF.png |
2024-01-25 10:59 | AugustoMauch | Assigned To | AugustoMauch => jarmendariz
2024-01-31 16:13 | hgbot | Note Added: 0160025 |
2024-02-01 14:20 | maite | Issue Monitored: networkb |
2024-02-18 22:11 | hgbot | Note Added: 0160875 |
2024-02-26 12:26 | hgbot | Note Added: 0161255 |
2024-02-26 12:26 | hgbot | Note Added: 0161256 |
2024-02-26 13:59 | hgbot | Note Added: 0161259 |
2024-02-26 13:59 | hgbot | Note Added: 0161260 |
2024-02-26 14:00 | hgbot | Note Added: 0161261 |
2024-02-26 14:00 | hgbot | Resolution | open => fixed
2024-02-26 14:00 | hgbot | Status | scheduled => closed
2024-02-26 14:00 | hgbot | Fixed in Version | => PR24Q2
2024-02-26 14:00 | hgbot | Note Added: 0161262 |
2024-03-11 10:27 | AugustoMauch | Relationship added | causes 0054801
2024-03-22 11:35 | alostale | Relationship added | causes 0055012

Notes
(0145243) hgbot, 2023-01-10 16:27
Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/807

(0156231) fermin_ostivar, 2023-10-24 15:01
With the current fix, it is not possible to change the role.

(0160025) hgbot, 2024-01-31 16:13
Merge Request created: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/merge_requests/658

(0160875) hgbot, 2024-02-18 22:11
Merge Request created: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2/-/merge_requests/1373

(0161255) hgbot, 2024-02-26 12:26
Merge request merged: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/merge_requests/658

(0161256) hgbot, 2024-02-26 12:26
Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core
Changeset: aaa0e69362ff1aa854c5a639ecc241d2ee760aa3
Author: Javier Armendáriz <javier.armendariz@openbravo.com>
Date: 26-02-2024 09:09:23
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/commit/aaa0e69362ff1aa854c5a639ecc241d2ee760aa3

Related to ISSUE-51321: Added CSRF token to POST request in request router

---
M web/org.openbravo.mobile.core/source/data/ob-requestrouter.js
---
(0161259) hgbot, 2024-02-26 13:59
Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2
Changeset: 8fb7d37ca5c4909f85e6f8efa8bf682ed6f8761a
Author: Javier Armendáriz <javier.armendariz@openbravo.com>
Date: 26-02-2024 09:09:24
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2/-/commit/8fb7d37ca5c4909f85e6f8efa8bf682ed6f8761a

Related to ISSUE-51321: Adding CSRF to profile switch request

---
M web-jspack/org.openbravo.core2/src/components/AppBar/ProfileSelector/ProfileSelector.jsx
---
(0161260) hgbot, 2024-02-26 13:59
Merge request merged: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2/-/merge_requests/1373

(0161261) hgbot, 2024-02-26 14:00
Merge request merged: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/807

(0161262) hgbot, 2024-02-26 14:00
Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/openbravo
Changeset: 01c9d899e4fab5431f3ab1d2d87c92297fcf464d
Author: Guillermo Dagnesses Segura <guillermo.dagnesses@doceleguas.com>
Date: 26-02-2024 14:00:13
URL: https://gitlab.com/openbravo/product/openbravo/-/commit/01c9d899e4fab5431f3ab1d2d87c92297fcf464d

Fixed ISSUE-51321: Checking CSRF token in missing flows

---
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/utilities/ob-remote-call-manager.js
M modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/BaseActionHandler.java
M src-db/database/sourcedata/AD_PREFERENCE.xml
M src-db/database/sourcedata/AD_REF_LIST.xml
M src-test/src/org/openbravo/test/datasource/BaseDataSourceTestDal.java
M src-test/src/org/openbravo/test/datasource/BaseDataSourceTestNoDal.java
M src-test/src/org/openbravo/test/datasource/DatasourceTestUtil.java
M src-test/src/org/openbravo/test/datasource/FICTest.java
M src-test/src/org/openbravo/test/datasource/TestComboDatasource.java
M src-test/src/org/openbravo/test/selector/TestSelectorDefaultFilterActionHandler.java
M src/org/openbravo/erpCommon/utility/CsrfUtil.java
---