View Issue Details
ID: 0051321
Type: defect
Category: [Openbravo ERP] A. Platform
Severity: major
Reproducibility: have not tried
Date Submitted: 2023-01-10 15:16
Last Update: 2024-02-26 14:00
Reporter: AugustoMauch
View Status: public
Assigned To: jarmendariz
Priority: normal
Resolution: fixed
Fixed in Version: PR24Q2
Status: closed
Fix in branch:
Fixed in SCM revision:
Projection: none
ETA: none
Target Version:
OS: Any
Database: Any
Java version:
OS Version:
Database version:
Ant version:
Product Version:
SCM revision:
Review Assigned To:
Web browser:
Modules: Core
Regression level:
Regression date:
Regression introduced in release:
Regression introduced by commit:
Triggers an Emergency Pack: No
Summary

0051321: Improve CSRF coverage to cover some missing POST requests

Description

POST requests of action handlers covered by KernelServlet are not checking the CSRF token (i.e. change of role from WebPOS).

A CSRF token check should be added here [1].

[1] https://gitlab.com/openbravo/product/openbravo/-/blob/master/modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/KernelServlet.java#L291

Steps To Reproduce

Open WebPOS.
Change the role.
Notice that no CSRF token is included, but the POST request is processed with success (see image).
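As an added illustration (not Openbravo's KernelServlet, BaseActionHandler or CsrfUtil code), this is the shape of the server-side check the report asks for: a state-changing action-handler request is refused unless the token it carries matches the one bound to its session, and it fails closed when the session has no token or the request sends none. The session attribute, request parameter and header names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical helper written for this illustration; not Openbravo's CsrfUtil.
public final class ActionHandlerCsrfGuard {
  // Assumed locations of the token; the real attribute/parameter names are not on the page.
  static final String SESSION_ATTR = "csrfToken";
  static final String REQUEST_PARAM = "csrfToken";
  static final String REQUEST_HEADER = "X-CSRF-Token";

  private ActionHandlerCsrfGuard() {
  }

  /** True only when a state-changing request carries the token bound to its session. */
  public static boolean isTokenValid(HttpServletRequest request) {
    String method = request.getMethod();
    if ("GET".equalsIgnoreCase(method) || "HEAD".equalsIgnoreCase(method)) {
      return true; // read-only methods are not protected by the token
    }
    HttpSession session = request.getSession(false);
    if (session == null) {
      return false; // no session, so there is no token to compare against
    }
    Object expected = session.getAttribute(SESSION_ATTR);
    if (!(expected instanceof String) || ((String) expected).isEmpty()) {
      return false; // session never had a token issued: fail closed
    }
    String provided = request.getHeader(REQUEST_HEADER);
    if (provided == null) {
      provided = request.getParameter(REQUEST_PARAM);
    }
    if (provided == null) {
      return false; // the reported case: a POST processed without any token
    }
    // Constant-time comparison avoids leaking the token through timing differences.
    return MessageDigest.isEqual(((String) expected).getBytes(StandardCharsets.UTF_8),
        provided.getBytes(StandardCharsets.UTF_8));
  }

  /** Call at the top of the handler's POST entry point, before any business logic runs. */
  public static boolean rejectIfInvalid(HttpServletRequest request,
      HttpServletResponse response) throws java.io.IOException {
    if (isTokenValid(request)) {
      return false;
    }
    response.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing or invalid CSRF token");
    return true;
  }
}
```

The client side of the fix is the mirror image: every POST the request router issues must attach the session's token, which is what the mobile.core and core2 commits on this issue add.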
Tags

No tags attached.

Attached Files

0051321.png (30,111 bytes) 2023-10-24 15:03
POST_Request_200.png (234,243 bytes) 2024-01-25 10:58
POST_Request_No_CSRF.png (219,679 bytes) 2024-01-25 10:59

Relationships

causes defect 0054801 (closed, jarmendariz): POS2 Error while forcing "Close Tills" from Backend
causes defect 0055012 (pi, closed, meriem_azaf): Openbravo ERP Business API Data Load window: Not possible to load the data - InvalidCSRFToken

Notes
(0145243)
hgbot (developer)
2023-01-10 16:27

Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/807
(0156231)
fermin_ostivar (developer)
2023-10-24 15:01

With the current fix, it is not possible to change the role.

(0160025)
hgbot (developer)
2024-01-31 16:13

Merge Request created: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/merge_requests/658
(0160875)
hgbot (developer)
2024-02-18 22:11

Merge Request created: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2/-/merge_requests/1373
(0161255)
hgbot (developer)
2024-02-26 12:26

Merge request merged: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/merge_requests/658
(0161256)
hgbot (developer)
2024-02-26 12:26

Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core
Changeset: aaa0e69362ff1aa854c5a639ecc241d2ee760aa3
Author: Javier Armendáriz <javier.armendariz@openbravo.com>
Date: 26-02-2024 09:09:23
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/commit/aaa0e69362ff1aa854c5a639ecc241d2ee760aa3

Related to ISSUE-51321: Added CSRF token to POST request in request router

---
M web/org.openbravo.mobile.core/source/data/ob-requestrouter.js
---
(0161259)
hgbot (developer)
2024-02-26 13:59

Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2
Changeset: 8fb7d37ca5c4909f85e6f8efa8bf682ed6f8761a
Author: Javier Armendáriz <javier.armendariz@openbravo.com>
Date: 26-02-2024 09:09:24
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2/-/commit/8fb7d37ca5c4909f85e6f8efa8bf682ed6f8761a

Related to ISSUE-51321: Adding CSRF to profile switch request

---
M web-jspack/org.openbravo.core2/src/components/AppBar/ProfileSelector/ProfileSelector.jsx
---
(0161260)
hgbot (developer)
2024-02-26 13:59

Merge request merged: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2/-/merge_requests/1373
(0161261)
hgbot (developer)
2024-02-26 14:00

Merge request merged: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/807
(0161262)
hgbot (developer)
2024-02-26 14:00

Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/openbravo
Changeset: 01c9d899e4fab5431f3ab1d2d87c92297fcf464d
Author: Guillermo Dagnesses Segura <guillermo.dagnesses@doceleguas.com>
Date: 26-02-2024 14:00:13
URL: https://gitlab.com/openbravo/product/openbravo/-/commit/01c9d899e4fab5431f3ab1d2d87c92297fcf464d

Fixed ISSUE-51321: Checking CSRF token in missing flows

---
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/utilities/ob-remote-call-manager.js
M modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/BaseActionHandler.java
M src-db/database/sourcedata/AD_PREFERENCE.xml
M src-db/database/sourcedata/AD_REF_LIST.xml
M src-test/src/org/openbravo/test/datasource/BaseDataSourceTestDal.java
M src-test/src/org/openbravo/test/datasource/BaseDataSourceTestNoDal.java
M src-test/src/org/openbravo/test/datasource/DatasourceTestUtil.java
M src-test/src/org/openbravo/test/datasource/FICTest.java
M src-test/src/org/openbravo/test/datasource/TestComboDatasource.java
M src-test/src/org/openbravo/test/selector/TestSelectorDefaultFilterActionHandler.java
M src/org/openbravo/erpCommon/utility/CsrfUtil.java
---

Issue History

Date Modified | Username | Field | Change
2023-01-10 15:16 AugustoMauch New Issue
2023-01-10 15:16 AugustoMauch Assigned To => gdagnesses
2023-01-10 15:16 AugustoMauch Modules => Core
2023-01-10 15:16 AugustoMauch Triggers an Emergency Pack => No
2023-01-10 16:27 hgbot Note Added: 0145243
2023-01-12 09:42 AugustoMauch Status new => scheduled
2023-10-24 15:01 fermin_ostivar Note Added: 0156231
2023-10-24 15:01 fermin_ostivar Assigned To gdagnesses =>
2023-10-24 15:03 fermin_ostivar File Added: 0051321.png
2023-12-05 14:07 hector_hernaez Issue Monitored: hector_hernaez
2023-12-21 13:33 egoitz Assigned To => AugustoMauch
2024-01-25 10:57 AugustoMauch Summary Improve CSRF coverage => Improve CSRF coverage to cover some missing POST requests
2024-01-25 10:57 AugustoMauch Description Updated View Revisions
2024-01-25 10:57 AugustoMauch Steps to Reproduce Updated View Revisions
2024-01-25 10:58 AugustoMauch File Added: POST_Request_200.png
2024-01-25 10:59 AugustoMauch File Added: POST_Request_No_CSRF.png
2024-01-25 10:59 AugustoMauch Assigned To AugustoMauch => jarmendariz
2024-01-31 16:13 hgbot Note Added: 0160025
2024-02-01 14:20 maite Issue Monitored: networkb
2024-02-18 22:11 hgbot Note Added: 0160875
2024-02-26 12:26 hgbot Note Added: 0161255
2024-02-26 12:26 hgbot Note Added: 0161256
2024-02-26 13:59 hgbot Note Added: 0161259
2024-02-26 13:59 hgbot Note Added: 0161260
2024-02-26 14:00 hgbot Note Added: 0161261
2024-02-26 14:00 hgbot Resolution open => fixed
2024-02-26 14:00 hgbot Status scheduled => closed
2024-02-26 14:00 hgbot Fixed in Version => PR24Q2
2024-02-26 14:00 hgbot Note Added: 0161262
2024-03-11 10:27 AugustoMauch Relationship added causes 0054801
2024-03-22 11:35 alostale Relationship added causes 0055012