Fix csrf (#2126)

* apply fix

* Fixes empty th:action

* Update build.gradle

* fix

* formatting

---------

Co-authored-by: Dimitrios Kaitantzidis <james_k23@hotmail.gr>

build.gradle

@@ -137,7 +137,7 @@ dependencies {
 
     if (System.getenv("DOCKER_ENABLE_SECURITY") != "false") {
         implementation "org.springframework.boot:spring-boot-starter-security:$springBootVersion"
-        runtimeOnly "org.thymeleaf.extras:thymeleaf-extras-springsecurity5:3.1.2.RELEASE"
+        implementation "org.thymeleaf.extras:thymeleaf-extras-springsecurity5:3.1.2.RELEASE"
         implementation "org.springframework.boot:spring-boot-starter-data-jpa:$springBootVersion"
         implementation "org.springframework.boot:spring-boot-starter-oauth2-client:$springBootVersion"
 
@@ -154,6 +154,8 @@ dependencies {
         implementation "org.springframework.security:spring-security-saml2-service-provider"
 
         implementation 'com.coveo:saml-client:5.0.0'
+
+
     }
 
     testImplementation "org.springframework.boot:spring-boot-starter-test:$springBootVersion"

src/main/java/stirling/software/SPDF/config/security/SecurityConfiguration.java

@@ -36,6 +36,8 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
 import org.springframework.security.web.savedrequest.NullRequestCache;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
@@ -94,6 +96,16 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                     userAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
             if (applicationProperties.getSecurity().getCsrfDisabled()) {
                 http.csrf(csrf -> csrf.disable());
+            } else {
+                CookieCsrfTokenRepository cookieRepo =
+                        CookieCsrfTokenRepository.withHttpOnlyFalse();
+                CsrfTokenRequestAttributeHandler requestHandler =
+                        new CsrfTokenRequestAttributeHandler();
+                requestHandler.setCsrfRequestAttributeName(null);
+                http.csrf(
+                        csrf ->
+                                csrf.csrfTokenRepository(cookieRepo)
+                                        .csrfTokenRequestHandler(requestHandler));
             }
             http.addFilterBefore(rateLimitingFilter(), UsernamePasswordAuthenticationFilter.class);
             http.addFilterAfter(firstLoginFilter, UsernamePasswordAuthenticationFilter.class);
@@ -113,6 +125,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                             logout.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                                     .logoutSuccessHandler(
                                             new CustomLogoutSuccessHandler(applicationProperties))
+                                    .clearAuthentication(true)
                                     .invalidateHttpSession(true) // Invalidate session
                                     .deleteCookies("JSESSIONID", "remember-me"));
             http.rememberMe(
@@ -223,6 +236,16 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         } else {
             if (applicationProperties.getSecurity().getCsrfDisabled()) {
                 http.csrf(csrf -> csrf.disable());
+            } else {
+                CookieCsrfTokenRepository cookieRepo =
+                        CookieCsrfTokenRepository.withHttpOnlyFalse();
+                CsrfTokenRequestAttributeHandler requestHandler =
+                        new CsrfTokenRequestAttributeHandler();
+                requestHandler.setCsrfRequestAttributeName(null);
+                http.csrf(
+                        csrf ->
+                                csrf.csrfTokenRepository(cookieRepo)
+                                        .csrfTokenRequestHandler(requestHandler));
             }
             http.authorizeHttpRequests(authz -> authz.anyRequest().permitAll());
         }

src/main/resources/templates/change-creds.html

@@ -27,7 +27,7 @@ <h3 class="text-center"><span th:text="#{welcome} + ' ' + ${username}">User</spa
 
               <!-- Change Username Form -->
               <h4 th:text="#{changeCreds.changePassword}">Change password</h4>
-              <form action="api/v1/user/change-password-on-login" method="post" id="formsavechangecreds">
+              <form th:action="@{'api/v1/user/change-password-on-login'}" method="post" id="formsavechangecreds">
                 <div class="mb-3">
                   <label for="currentPassword" th:text="#{changeCreds.oldPassword}">Old Password</label>
                   <input type="password" class="form-control" name="currentPassword" id="currentPassword" th:placeholder="#{changeCreds.oldPassword}">

src/main/resources/templates/fragments/navbar.html

@@ -351,7 +351,7 @@ <h6 class="menu-title" th:text="#{navbar.sections.advance}"></h6>
             </a>
             <div class="dropdown-menu dropdown-menu-tp" aria-labelledby="searchDropdown">
               <div class="dropdown-menu-wrapper px-xl-2 px-2">
-                <form class="d-flex p-2 search-form" id="searchForm">
+                <form th:action="@{''}" class="d-flex p-2 search-form" id="searchForm">
                   <input class="form-control search-input" type="search" placeholder="Search" aria-label="Search" id="navbarSearchInput">
                 </form>
                 <!-- Search Results -->

src/main/resources/templates/merge-pdfs.html

@@ -19,7 +19,7 @@
               <span class="material-symbols-rounded tool-header-icon organize">add_to_photos</span>
               <span class="tool-header-text" th:text="#{merge.header}"></span>
             </div>
-            <form action="api/v1/general/merge-pdfs" method="post" enctype="multipart/form-data">
+            <form th:action="@{'api/v1/general/merge-pdfs'}" method="post" enctype="multipart/form-data">
               <div class="mb-3">
                 <label th:text="#{multiPdfDropPrompt}" for="fileInput-input"></label>
                 <div

src/main/resources/templates/misc/adjust-contrast.html

@@ -21,7 +21,7 @@
         <div class="container">
           <div class="row justify-content-center">
             <div class="col-md-12 bg-card">
-              <form>
+              <form th:action="@{''}">
               <div class="row justify-content-center">
 
                 <div class="col-md-3">

src/main/resources/templates/misc/remove-annotations.html

@@ -16,7 +16,7 @@
                 <span class="material-symbols-rounded tool-header-icon other">thread_unread</span>
                 <span class="tool-header-text" th:text="#{removeAnnotations.header}"></span>
               </div>
-              <form id="pdfForm" class="mb-3">
+              <form id="pdfForm" th:action="@{''}" class="mb-3">
                 <div class="custom-file">
                   <div th:replace="~{fragments/common :: fileSelector(name='fileInput', multipleInputsForSingleRequest=false, accept='application/pdf', remoteCall='false')}"></div>
                 </div>

src/main/resources/templates/remove-image-pdf.html

@@ -20,7 +20,7 @@
                         <span class="material-symbols-rounded tool-header-icon word">remove_selection</span>
                         <span class="tool-header-text" th:text="#{removeImage.header}"></span>
                     </div>
-                        <form action="api/v1/general/remove-image-pdf" method="post" enctype="multipart/form-data">
+                        <form th:action="@{'api/v1/general/remove-image-pdf'}" method="post" enctype="multipart/form-data">
                         <div th:replace="~{fragments/common :: fileSelector(name='fileInput', multipleInputsForSingleRequest=false, accept='application/pdf')}"></div>
 
                         <br>

src/main/resources/templates/security/add-password.html

@@ -16,7 +16,7 @@
                 <span class="material-symbols-rounded tool-header-icon security">lock</span>
                 <span class="tool-header-text" th:text="#{addPassword.header}"></span>
               </div>
-              <form action="api/v1/security/add-password" method="post" enctype="multipart/form-data">
+              <form th:action="@{'api/v1/security/add-password'}" method="post" enctype="multipart/form-data">
                 <div class="mb-3">
                   <label th:text="#{addPassword.selectText.1}"></label>
                   <div th:replace="~{fragments/common :: fileSelector(name='fileInput', multipleInputsForSingleRequest=false, accept='application/pdf')}"></div>

src/main/resources/templates/security/add-watermark.html

@@ -17,7 +17,7 @@
                 <span class="tool-header-text" th:text="#{watermark.header}"></span>
               </div>
 
-              <form method="post" enctype="multipart/form-data" action="api/v1/security/add-watermark">
+              <form method="post" enctype="multipart/form-data" th:action="@{'api/v1/security/add-watermark'}">
                 <div class="mb-3">
                   <label th:text="#{watermark.selectText.1}"></label>
                   <div th:replace="~{fragments/common :: fileSelector(name='fileInput', multipleInputsForSingleRequest=false, accept='application/pdf')}"></div>

src/main/resources/templates/security/auto-redact.html

@@ -16,7 +16,7 @@
                 <span class="material-symbols-rounded tool-header-icon security">ink_eraser</span>
                 <span class="tool-header-text" th:text="#{autoRedact.header}"></span>
               </div>
-              <form action="api/v1/security/auto-redact" method="post" enctype="multipart/form-data">
+              <form th:action="@{'api/v1/security/auto-redact'}" method="post" enctype="multipart/form-data">
                 <div class="mb-3">
                   <input type="file" class="form-control" id="fileInput" name="fileInput" required accept="application/pdf">
                 </div>

src/main/resources/templates/security/cert-sign.html

@@ -16,7 +16,7 @@
                 <span class="material-symbols-rounded tool-header-icon security">workspace_premium</span>
                 <span class="tool-header-text" th:text="#{certSign.header}"></span>
               </div>
-              <form action="api/v1/security/cert-sign" method="post" enctype="multipart/form-data">
+              <form th:action="@{'api/v1/security/cert-sign'}" method="post" enctype="multipart/form-data">
                 <div class="mb-3">
                   <label th:text="#{certSign.selectPDF}"></label>
                   <div th:replace="~{fragments/common :: fileSelector(name='fileInput', multipleInputsForSingleRequest=false, accept='application/pdf')}"></div>

src/main/resources/templates/security/change-permissions.html

@@ -17,7 +17,7 @@
                 <span class="tool-header-text" th:text="#{permissions.header}"></span>
               </div>
               <p th:text="#{permissions.warning}"></p>
-              <form action="api/v1/security/add-password" method="post" enctype="multipart/form-data">
+              <form th:action="@{'api/v1/security/add-password'}" method="post" enctype="multipart/form-data">
                 <div class="mb-3">
                   <label th:text="#{permissions.selectText.1}"></label>
                   <div th:replace="~{fragments/common :: fileSelector(name='fileInput', multipleInputsForSingleRequest=false, accept='application/pdf')}"></div>

src/main/resources/templates/security/remove-cert-sign.html

@@ -16,7 +16,7 @@
                 <span class="material-symbols-rounded tool-header-icon security">remove_moderator</span>
                 <span class="tool-header-text" th:text="#{removeCertSign.header}"></span>
               </div>
-              <form action="api/v1/security/remove-cert-sign" method="post" enctype="multipart/form-data">
+              <form th:action="@{'api/v1/security/remove-cert-sign'}" method="post" enctype="multipart/form-data">
                 <div class="mb-3">
                   <label th:text="#{removeCertSign.selectPDF}"></label>
                   <div th:replace="~{fragments/common :: fileSelector(name='fileInput', multipleInputsForSingleRequest=false, accept='application/pdf')}"></div>

src/main/resources/templates/security/remove-password.html

@@ -16,7 +16,7 @@
                 <span class="material-symbols-rounded tool-header-icon security">lock_open_right</span>
                 <span class="tool-header-text" th:text="#{removePassword.header}"></span>
               </div>
-              <form action="api/v1/security/remove-password" method="post" enctype="multipart/form-data">
+              <form th:action="@{'api/v1/security/remove-password'}" method="post" enctype="multipart/form-data">
                 <div class="mb-3">
                   <label th:text="#{removePassword.selectText.1}"></label>
                   <div th:replace="~{fragments/common :: fileSelector(name='fileInput', multipleInputsForSingleRequest=false, accept='application/pdf')}"></div>

src/main/resources/templates/security/remove-watermark.html

@@ -16,7 +16,7 @@
                 <span class="material-symbols-rounded tool-header-icon security">water_drop</span>
                 <span class="tool-header-text" th:text="#{remove-watermark.header}"></span>
               </div>
-              <form method="post" enctype="multipart/form-data" action="api/v1/security/remove-watermark">
+              <form method="post" enctype="multipart/form-data" th:action="@{'api/v1/security/remove-watermark'}">
                 <div class="mb-3">
                   <label th:text="#{remove-watermark.selectText.1}"></label>
                   <div th:replace="~{fragments/common :: fileSelector(name='fileInput', multipleInputsForSingleRequest=false, accept='application/pdf')}"></div>

src/main/resources/templates/security/sanitize-pdf.html

@@ -16,7 +16,7 @@
                 <span class="material-symbols-rounded tool-header-icon security">sanitizer</span>
                 <span class="tool-header-text" th:text="#{sanitizePDF.header}"></span>
               </div>
-              <form action="api/v1/security/sanitize-pdf" method="post" enctype="multipart/form-data">
+              <form th:action="@{'api/v1/security/sanitize-pdf'}" method="post" enctype="multipart/form-data">
                 <div class="mb-3">
                   <div th:replace="~{fragments/common :: fileSelector(name='fileInput', multipleInputsForSingleRequest=false, accept='application/pdf')}"></div>
                 </div>