Anonymous | Login
Project:
RSS
  
News | My View | View Issues | Roadmap | Summary

View Issue DetailsJump to Notes ] Issue History ] Print ]
ID
0039123
TypeCategorySeverityReproducibilityDate SubmittedLast Update
feature request[Openbravo ERP] A. Platformmajoralways2018-08-13 10:032019-03-26 12:25
ReporterjarmendarizView Statuspublic 
Assigned Tojarmendariz 
PrioritynormalResolutionfixedFixed in Version3.0PR19Q1
StatusclosedFix in branchFixed in SCM revisionaf016486280c
ProjectionnoneETAnoneTarget Version
OSAnyDatabaseAnyJava version
OS VersionDatabase versionAnt version
Product VersionSCM revision 
Merge Request Status
Review Assigned Toalostale
OBNetwork customerNo
Web browser
ModulesCore
Support ticket
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary

0039123: Add CSRF Token support

DescriptionIn order to protect against CSRF attacks, a Session generated token should be used in all requests that modifies the state of the system (add, update and remove)

Project page: http://wiki.openbravo.com/wiki/Projects:CSRF_Token [^]
Steps To ReproduceSee above
TagsNo tags attached.
Attached Files

- Relationships Relation Graph ] Dependency Graph ]
related to defect 0041748 closedcberner Openbravo ERP DeleteImageActionHandler is vulnerable to CSRF attacks 
related to design defect 0046303 newRetail Retail Modules Review if context change check mechanism should be deleted 
related to defect 0047888RR22Q1 closedcberner Retail Modules checkServerAvailability does not fail even if the session is corrupted 
causes defect 0040454 closedcaristu Openbravo ERP CSRF Token Error after executing Copy Store Process 
causes defect 0039519 closedjarmendariz Openbravo ERP Not possible to book a Resource Reservation 

-  Notes
(0107433)
hgbot (developer)
2018-10-18 12:47

 Repository: erp/devel/pi
Changeset: 43a7e93a946d76de69bb30b066d41a6647508b30
Author: Javier Armendáriz <javier.armendariz <at> openbravo.com>
Date: Thu Oct 18 12:42:31 2018 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/43a7e93a946d76de69bb30b066d41a6647508b30 [^]

Fixed issue 39123: Adding CSRF token support

---
M modules/org.openbravo.client.application/src/org/openbravo/client/application/navigationbarcomponents/UserInfoWidgetActionHandler.java
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/form/ob-view-form-notes.js
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/main/ob-standard-view-datasource.js
M modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/ApplicationDynamicComponent.java
M modules/org.openbravo.client.kernel/src/org/openbravo/client/kernel/templates/application-dynamic-js.ftl
M modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/DataSourceServlet.java
M modules/org.openbravo.service.datasource/web/org.openbravo.service.datasource/js/ob-datasource-utilities.js
M modules/org.openbravo.service.json/src/org/openbravo/service/json/JsonConstants.java
M modules/org.openbravo.userinterface.smartclient/web/org.openbravo.userinterface.smartclient/js/ob-smartclient.js
M src-db/database/model/tables/AD_SESSION.xml
M src-db/database/sourcedata/AD_COLUMN.xml
M src-db/database/sourcedata/AD_ELEMENT.xml
M src-db/database/sourcedata/AD_MESSAGE.xml
M src-test/src/org/openbravo/test/AllAntTaskTests.java
M src-test/src/org/openbravo/test/AllQuickAntTaskTests.java
M src-test/src/org/openbravo/test/AllTests.java
M src-test/src/org/openbravo/test/AllWebserviceTests.java
M src-test/src/org/openbravo/test/AntTaskTests.java
M src-test/src/org/openbravo/test/datasource/BaseDataSourceTestDal.java
M src-test/src/org/openbravo/test/datasource/BaseDataSourceTestNoDal.java
M src-test/src/org/openbravo/test/datasource/DataSourceSecurity.java
M src-test/src/org/openbravo/test/datasource/DatasourceTestUtil.java
M src-test/src/org/openbravo/test/datasource/ResetCookieOnLogin.java
M src-test/src/org/openbravo/test/datasource/TestNoteDatasource.java
M src-test/src/org/openbravo/test/selector/TestSelectorDefaultFilterActionHandler.java
M src-test/src/org/openbravo/test/views/ETagGeneration.java
M src/org/openbravo/authentication/AuthenticationManager.java
M src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java
M src/org/openbravo/base/secureApp/LoginHandler.java
M src/org/openbravo/base/secureApp/LoginUtils.java
M src/org/openbravo/base/secureApp/VariablesSecureApp.java
M src/org/openbravo/dal/core/OBContext.java
A src-test/src/org/openbravo/test/security/CSRFAttackTest.java
---
(0107434)
hgbot (developer)
2018-10-18 13:05

 Repository: erp/pmods/org.openbravo.mobile.core
Changeset: af016486280cf52f5096d3cee2e9a376a745ede9
Author: Javier Armendáriz <javier.armendariz <at> openbravo.com>
Date: Thu Oct 18 13:05:01 2018 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/af016486280cf52f5096d3cee2e9a376a745ede9 [^]

Fixed issue 39123: Adding CSRF token support for POST requests

---
M src/org/openbravo/mobile/core/authenticate/MobileKeyAuthenticationManager.java
M src/org/openbravo/mobile/core/login/MobileCoreLoginHandler.java
M src/org/openbravo/mobile/core/login/MobileCoreLoginUtilsServlet.java
M src/org/openbravo/mobile/core/process/JSONProcessSimple.java
M src/org/openbravo/mobile/core/process/MobileService.java
M web/org.openbravo.mobile.core/source/data/ob-datasource.js
M web/org.openbravo.mobile.core/source/data/ob-requestrouter.js
M web/org.openbravo.mobile.core/source/model/ob-terminal-model.js
M web/org.openbravo.mobile.core/source/utils/ob-utilities.js
---
(0107436)
hgbot (developer)
2018-10-18 13:57

 Repository: tools/automation/pi-mobile
Changeset: 7c085641901ea0659381280f5a9f06e1eca6da13
Author: Javier Armendáriz <javier.armendariz <at> openbravo.com>
Date: Tue Sep 18 11:11:05 2018 +0200
URL: http://code.openbravo.com/tools/automation/pi-mobile/rev/7c085641901ea0659381280f5a9f06e1eca6da13 [^]

Related to issue 39123: Created test case for CSRF attack.

- Created a new abstract AuthenticatedPOS test case to test HTTP requests on
a live POS environment.
- Used this test case to test the behavior of a POST request when the CSRF token
is present and when its not.

---
M src-test/org/openbravo/test/mobile/retail/mobilecore/webservice/WebServicesHelper.java
M src-test/org/openbravo/test/mobile/retail/pack/selenium/suites/concurrent/job003/WebServiceSuite.java
M src-test/org/openbravo/test/mobile/retail/pack/selenium/suites/concurrent/job014/WebServiceSuite.java
A src-test/org/openbravo/test/mobile/retail/pack/webservice/tests/authrequest/AuthenticatedPOSRequestTest.java
A src-test/org/openbravo/test/mobile/retail/pack/webservice/tests/authrequest/POSCsrfAttackTest.java
---
(0107437)
hgbot (developer)
2018-10-18 13:57

 Repository: tools/automation/pi-mobile
Changeset: f58b3f7454fad72febb1027db3a8e59e56b629a5
Author: Javier Armendáriz <javier.armendariz <at> openbravo.com>
Date: Thu Oct 18 13:57:23 2018 +0200
URL: http://code.openbravo.com/tools/automation/pi-mobile/rev/f58b3f7454fad72febb1027db3a8e59e56b629a5 [^]

Related to issue 39123: Adding CSRF token support

---
M src-test/org/openbravo/test/mobile/retail/mobilecore/webservice/WebServicesHelper.java
M src-test/org/openbravo/test/mobile/retail/pack/selenium/suites/concurrent/job003/WebServiceSuite.java
M src-test/org/openbravo/test/mobile/retail/pack/selenium/suites/concurrent/job014/WebServiceSuite.java
A src-test/org/openbravo/test/mobile/retail/pack/webservice/tests/authrequest/AuthenticatedPOSRequestTest.java
A src-test/org/openbravo/test/mobile/retail/pack/webservice/tests/authrequest/POSCsrfAttackTest.java
---
(0107448)
hgbot (developer)
2018-10-18 17:29

 Repository: erp/pmods/org.openbravo.mobile.core
Changeset: 97f627f0fe30c3aa111c7f5c2c973f5b308e6b87
Author: Javier Armendáriz <javier.armendariz <at> openbravo.com>
Date: Thu Oct 18 17:28:30 2018 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/97f627f0fe30c3aa111c7f5c2c973f5b308e6b87 [^]

Related to issue 39123: Removed empty line at end of file added by merge.

---
M web/org.openbravo.mobile.core/source/model/ob-terminal-model.js
---
(0107452)
alostale (viewer)
2018-10-19 08:00

 reviewed https://docs.google.com/spreadsheets/d/1Q8cABvlY7ibP9vdEMT0SoDAUtm6WNR5mPi-I76tofww/edit?ts=5b728b6b#gid=0 [^]
(0108437)
hudsonbot (viewer)
2018-12-11 20:22

 A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/470e3cd384c5 [^]
Maturity status: Test

- Issue History
Date Modified Username Field Change
2018-08-13 10:03 jarmendariz New Issue
2018-08-13 10:03 jarmendariz Assigned To => platform
2018-08-13 10:03 jarmendariz OBNetwork customer => No
2018-08-13 10:03 jarmendariz Modules => Core
2018-08-13 10:03 jarmendariz Triggers an Emergency Pack => No
2018-08-13 10:03 jarmendariz Assigned To platform => jarmendariz
2018-08-13 14:59 jarmendariz Review Assigned To => alostale
2018-10-18 12:42 jarmendariz Status new => scheduled
2018-10-18 12:47 hgbot Checkin
2018-10-18 12:47 hgbot Note Added: 0107433
2018-10-18 12:47 hgbot Status scheduled => resolved
2018-10-18 12:47 hgbot Resolution open => fixed
2018-10-18 12:47 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/43a7e93a946d76de69bb30b066d41a6647508b30 [^]
2018-10-18 13:05 hgbot Checkin
2018-10-18 13:05 hgbot Note Added: 0107434
2018-10-18 13:05 hgbot Fixed in SCM revision http://code.openbravo.com/erp/devel/pi/rev/43a7e93a946d76de69bb30b066d41a6647508b30 [^] => http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/af016486280cf52f5096d3cee2e9a376a745ede9 [^]
2018-10-18 13:57 hgbot Checkin
2018-10-18 13:57 hgbot Note Added: 0107436
2018-10-18 13:57 hgbot Checkin
2018-10-18 13:57 hgbot Note Added: 0107437
2018-10-18 17:29 hgbot Checkin
2018-10-18 17:29 hgbot Note Added: 0107448
2018-10-19 08:00 alostale Note Added: 0107452
2018-10-19 08:00 alostale Status resolved => closed
2018-10-19 08:00 alostale Fixed in Version => 3.0PR19Q1
2018-10-24 10:26 jarmendariz Relationship added related to 0039519
2018-12-11 20:22 hudsonbot Checkin
2018-12-11 20:22 hudsonbot Note Added: 0108437
2019-03-26 12:24 caristu Relationship added causes 0040454
2019-03-26 12:25 caristu Relationship deleted related to 0039519
2019-03-26 12:25 caristu Relationship added causes 0039519
2019-09-04 12:43 cberner Relationship added related to 0041748
2021-04-20 08:10 caristu Relationship added related to 0046303
2021-10-20 07:14 alostale Relationship added related to 0047888

Copyright © 2000 - 2009 MantisBT Group
Powered by Mantis Bugtracker