Merge pull request #2453 from Stirling-Tools/csrf2

Csrf fixes
Stirling-Tools · Dec 14, 2024 · 92cabf1 · 92cabf1
2 parents f1c5384 + 818bed3
commit 92cabf1
Show file tree

Hide file tree

Showing 8 changed files with 8 additions and 9 deletions.
diff --git a/build.gradle b/build.gradle
@@ -27,7 +27,7 @@ ext {
 }
 
 group = "stirling.software"
-version = "0.36.1"
+version = "0.36.2"
 
 
 java {

diff --git a/src/main/resources/static/js/downloader.js b/src/main/resources/static/js/downloader.js
@@ -242,7 +242,7 @@
     let errorMessage = null;
 
     try {
-      const response = await fetch(url, {method: 'POST', body: formData});
+      const response = await window.fetchWithCsrf(url, {method: 'POST', body: formData});
       const contentType = response.headers.get('content-type');
 
       if (!response.ok) {

diff --git a/src/main/resources/static/js/fetch-utils.js b/src/main/resources/static/js/fetch-utils.js
@@ -8,7 +8,6 @@ window.fetchWithCsrf = async function(url, options = {}) {
         if (cookieValue) {
             return cookieValue;
         }
-
         const csrfElement = document.querySelector('input[name="_csrf"]');
         return csrfElement ? csrfElement.value : null;
     }

diff --git a/src/main/resources/templates/account.html b/src/main/resources/templates/account.html
@@ -196,7 +196,7 @@ <h4 th:text="#{account.yourApiKey}">API Key</h4>
                     /*<![CDATA[*/
                     const urlGetApiKey = /*[[@{/api/v1/user/get-api-key}]]*/ "/api/v1/user/get-api-key";
                     /*]]>*/
-                    let response = await fetch(urlGetApiKey, { method: 'POST' });
+                    let response = await window.fetchWithCsrf(urlGetApiKey, { method: 'POST' });
                     if (response.status === 200) {
                       let apiKey = await response.text();
                       manageUIState(apiKey);
@@ -213,7 +213,7 @@ <h4 th:text="#{account.yourApiKey}">API Key</h4>
                     /*<![CDATA[*/
                     const urlUpdateApiKey = /*[[@{/api/v1/user/update-api-key}]]*/ "/api/v1/user/update-api-key";
                     /*]]>*/
-                    let response = await fetch(urlUpdateApiKey, { method: 'POST' });
+                    let response = await window.fetchWithCsrf(urlUpdateApiKey, { method: 'POST' });
                     if (response.status === 200) {
                       let apiKey = await response.text();
                       manageUIState(apiKey);

diff --git a/src/main/resources/templates/fragments/common.html b/src/main/resources/templates/fragments/common.html
@@ -24,7 +24,7 @@
     <script>
       window.stirlingPDF = window.stirlingPDF || {};
     </script>
-
+	<script th:src="@{'/js/fetch-utils.js'}"></script>
     <!-- jQuery -->
     <script th:src="@{'/js/thirdParty/jquery.min.js'}"></script>
     <script th:src="@{'/js/thirdParty/jquery.validate.min.js'}"></script>

diff --git a/src/main/resources/templates/fragments/navbar.html b/src/main/resources/templates/fragments/navbar.html
@@ -14,6 +14,7 @@
   </script>
   <script th:src="@{'/js/homecard.js'}"></script>
   <script th:src="@{'/js/githubVersion.js'}"></script>
+  <form th:action="@{'/dummyFormToPopulateCSRF'}" method="post" enctype="multipart/form-data"></form>
   <nav class="navbar navbar-expand-xl">
     <div class="container ">
       <a class="navbar-brand" th:href="@{'/'}" style="display: flex;">
@@ -376,7 +377,6 @@ <h6 class="menu-title" th:text="#{navbar.sections.advance}"></h6>
               <span class="go-pro-badge" th:text="#{enterpriseEdition.button}"></span>
             </a>
           </li>
-
           <li class="nav-item">
             <!-- Settings Button -->
             <a href="#" class="nav-link" data-bs-toggle="modal" data-bs-target="#settingsModal" th:title="#{navbar.settings}">

diff --git a/src/main/resources/templates/misc/remove-annotations.html b/src/main/resources/templates/misc/remove-annotations.html
@@ -38,7 +38,7 @@
 
         const processFile = async (file) => {
           const origFileUrl = URL.createObjectURL(file);
-          const formPdfBytes = await fetch(origFileUrl).then(res => res.arrayBuffer());
+          const formPdfBytes = await window.fetchWithCsrf(origFileUrl).then(res => res.arrayBuffer());
           const pdfDoc = await PDFDocument.load(formPdfBytes, { ignoreEncryption: true });
 
           const pages = pdfDoc.getPages();

diff --git a/src/main/resources/templates/security/validate-signature.html b/src/main/resources/templates/security/validate-signature.html
@@ -102,7 +102,7 @@ <h4 th:text="#{validateSignature.results}"></h4>
             formData.append('certFile', certInput.files[0]);
         }
         try {
-            const response = await fetch(e.target.action, {
+            const response = await window.fetchWithCsrf(e.target.action, {
                 method: 'POST',
                 body: formData
             });
-Original file line number
+Diff line change
@@ Expand Up / @@ -27,7 +27,7 @@ ext { @@
     }
     group = "stirling.software"
-    version = "0.36.1"
+    version = "0.36.2"
     java {
@@ Expand Down @@