Improve the robustness of the session token parameter which is used to prevent CSRF attacks

.github/workflows/github-actions-build.yml

@@ -48,7 +48,7 @@ jobs:
           echo "Sonar secure variables NOT available"
         else
           echo "Sonar secure variables ARE available"
-          mvn -B sonar:sonar -Dsonar.projectKey="bordertech-wcomponents" -Dsonar.organization="bordertech-github" -Dsonar.host.url="https://sonarcloud.io"
+          mvn -B org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey="bordertech-wcomponents" -Dsonar.organization="bordertech-github" -Dsonar.host.url="https://sonarcloud.io"
         fi
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

CHANGELOG.md

@@ -4,6 +4,15 @@
 
 ### API Changes
 ### Enhancements
+
+* To improve the robustness of the session token parameter (wc_t), which is used to prevent CSRF attacks, the following changes have been made:
+  * The session token is no longer included on any GET URLs and only posted in the body for POSTS.
+  * Modified the session token interceptors to only accept a session token on a POST and throw an exception if provided on a GET.
+  * Modified Targetable components to use the new createTargetUrl method in WebUtilites that centralises the logic for
+    creating the URLs for Targetable components and excludes the session token.
+  * Moved the adding of the hidden parameters onto the AJAX url from the XSL into the WApplicationRenderer so the session
+    token can be excluded.
+
 ### Bug Fixes
 
 ## 1.5.37

wcomponents-core/src/main/java/com/github/bordertech/wcomponents/WAudio.java

@@ -2,6 +2,7 @@
 
 import com.github.bordertech.wcomponents.util.Util;
 import java.util.Arrays;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import org.apache.commons.logging.Log;
@@ -324,29 +325,11 @@ public String[] getAudioUrls() {
 		}
 
 		String[] urls = new String[audio.length];
-
-		Environment env = getEnvironment();
-		Map<String, String> parameters = env.getHiddenParameters();
-		parameters.put(Environment.TARGET_ID, getTargetId());
-
-		if (Util.empty(getCacheKey())) {
-			// Add some randomness to the URL to prevent caching
-			String random = WebUtilities.generateRandom();
-			parameters.put(Environment.UNIQUE_RANDOM_PARAM, random);
-		} else {
-			// Remove step counter as not required for cached content
-			parameters.remove(Environment.STEP_VARIABLE);
-			parameters.remove(Environment.SESSION_TOKEN_VARIABLE);
-			// Add the cache key
-			parameters.put(Environment.CONTENT_CACHE_KEY, getCacheKey());
-		}
-
-		// this variable needs to be set in the portlet environment.
-		String url = env.getWServletPath();
-
+		String cacheKey = getCacheKey();
+		Map<String, String> parameters = new HashMap<>();
 		for (int i = 0; i < urls.length; i++) {
 			parameters.put(AUDIO_INDEX_REQUEST_PARAM_KEY, String.valueOf(i));
-			urls[i] = WebUtilities.getPath(url, parameters, true);
+			urls[i] = WebUtilities.createTargetUrl(this, cacheKey, parameters);
 		}
 
 		return urls;
@@ -439,7 +422,6 @@ public boolean isRenderControls() {
 		return getComponentModel().renderControls;
 	}
 
-
 	/**
 	 * Sets whether the browser should render the default controls. The default is true.
 	 * @param renderControls if true then the controls are rendered

wcomponents-core/src/main/java/com/github/bordertech/wcomponents/WContent.java

@@ -1,7 +1,6 @@
 package com.github.bordertech.wcomponents;
 
 import com.github.bordertech.wcomponents.util.Util;
-import java.util.Map;
 
 /**
  * <p>
@@ -176,41 +175,19 @@ public String getUrl() {
 
 		String mode = DisplayMode.PROMPT_TO_SAVE.equals(getDisplayMode()) ? "attach" : "inline";
 
+		String url;
 		// Check for a "static" resource
 		if (content instanceof InternalResource) {
-			String url = ((InternalResource) content).getTargetUrl();
-			// This magic parameter is a work-around to the loading indicator becoming
-			// "stuck" in certain browsers.
-			// It is also used by the static resource handler to set the correct headers
-			url = url + "&" + URL_CONTENT_MODE_PARAMETER_KEY + "=" + mode;
-			return url;
-		}
-
-		Environment env = getEnvironment();
-		Map<String, String> parameters = env.getHiddenParameters();
-		parameters.put(Environment.TARGET_ID, getTargetId());
-
-		if (Util.empty(getCacheKey())) {
-			// Add some randomness to the URL to prevent caching
-			String random = WebUtilities.generateRandom();
-			parameters.put(Environment.UNIQUE_RANDOM_PARAM, random);
+			url = ((InternalResource) content).getTargetUrl();
 		} else {
-			// Remove step counter as not required for cached content
-			parameters.remove(Environment.STEP_VARIABLE);
-			parameters.remove(Environment.SESSION_TOKEN_VARIABLE);
-			// Add the cache key
-			parameters.put(Environment.CONTENT_CACHE_KEY, getCacheKey());
+			url = WebUtilities.createTargetUrl(this, getCacheKey());
 		}
 
-		// This magic parameter is a work-around to the loading indicator becoming
-		// "stuck" in certain browsers. It is only read by the theme.
-		parameters.put(URL_CONTENT_MODE_PARAMETER_KEY, mode);
-
-		// The targetable path needs to be configured for the portal environment.
-		String url = env.getWServletPath();
+		// This magic parameter is a work-around to the loading indicator becoming "stuck" in certain browsers.
+		// It is also used by the static resource handler to set the correct headers
+		url = url + "&" + URL_CONTENT_MODE_PARAMETER_KEY + "=" + mode;
 
-		// Note the last parameter. In javascript we don't want to encode "&".
-		return WebUtilities.getPath(url, parameters, true);
+		return url;
 	}
 
 	/**

wcomponents-core/src/main/java/com/github/bordertech/wcomponents/WImage.java

@@ -2,7 +2,6 @@
 
 import com.github.bordertech.wcomponents.util.Util;
 import java.awt.Dimension;
-import java.util.Map;
 
 /**
  * <p>
@@ -99,26 +98,7 @@ public String getTargetUrl() {
 			return ((InternalResource) image).getTargetUrl();
 		}
 
-		Environment env = getEnvironment();
-		Map<String, String> parameters = env.getHiddenParameters();
-		parameters.put(Environment.TARGET_ID, getTargetId());
-
-		if (Util.empty(getCacheKey())) {
-			// Add some randomness to the URL to prevent caching
-			String random = WebUtilities.generateRandom();
-			parameters.put(Environment.UNIQUE_RANDOM_PARAM, random);
-		} else {
-			// Remove step counter as not required for cached content
-			parameters.remove(Environment.STEP_VARIABLE);
-			parameters.remove(Environment.SESSION_TOKEN_VARIABLE);
-			// Add the cache key
-			parameters.put(Environment.CONTENT_CACHE_KEY, getCacheKey());
-		}
-
-		// this variable needs to be set in the portlet environment.
-		String url = env.getWServletPath();
-
-		return WebUtilities.getPath(url, parameters, true);
+		return WebUtilities.createTargetUrl(this, getCacheKey());
 	}
 
 	/**

wcomponents-core/src/main/java/com/github/bordertech/wcomponents/WMultiFileWidget.java

@@ -14,6 +14,7 @@
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -810,30 +811,10 @@ public String getFileUrl(final String fileId) {
 			return null;
 		}
 
-		Environment env = getEnvironment();
-		Map<String, String> parameters = env.getHiddenParameters();
-		parameters.put(Environment.TARGET_ID, getTargetId());
-
-		if (Util.empty(file.getFileCacheKey())) {
-			// Add some randomness to the URL to prevent caching
-			String random = WebUtilities.generateRandom();
-			parameters.put(Environment.UNIQUE_RANDOM_PARAM, random);
-		} else {
-			// Remove step counter as not required for cached content
-			parameters.remove(Environment.STEP_VARIABLE);
-			parameters.remove(Environment.SESSION_TOKEN_VARIABLE);
-			// Add the cache key
-			parameters.put(Environment.CONTENT_CACHE_KEY, file.getFileCacheKey());
-		}
-
 		// File id
+		Map<String, String> parameters = new HashMap<>();
 		parameters.put(FILE_UPLOAD_ID_KEY, fileId);
-
-		// The targetable path needs to be configured for the portal environment.
-		String url = env.getWServletPath();
-
-		// Note the last parameter. In javascript we don't want to encode "&".
-		return WebUtilities.getPath(url, parameters, true);
+		return WebUtilities.createTargetUrl(this, file.getFileCacheKey(), parameters);
 	}
 
 	/**
@@ -854,33 +835,12 @@ public String getFileThumbnailUrl(final String fileId) {
 			return ((InternalResource) thumbnail).getTargetUrl();
 		}
 
-		Environment env = getEnvironment();
-		Map<String, String> parameters = env.getHiddenParameters();
-		parameters.put(Environment.TARGET_ID, getTargetId());
-
-		if (Util.empty(file.getThumbnailCacheKey())) {
-			// Add some randomness to the URL to prevent caching
-			String random = WebUtilities.generateRandom();
-			parameters.put(Environment.UNIQUE_RANDOM_PARAM, random);
-		} else {
-			// Remove step counter as not required for cached content
-			parameters.remove(Environment.STEP_VARIABLE);
-			parameters.remove(Environment.SESSION_TOKEN_VARIABLE);
-			// Add the cache key
-			parameters.put(Environment.CONTENT_CACHE_KEY, file.getThumbnailCacheKey());
-		}
-
+		Map<String, String> parameters = new HashMap<>();
 		// File id
 		parameters.put(FILE_UPLOAD_ID_KEY, fileId);
-
 		// Thumbnail flag
 		parameters.put(FILE_UPLOAD_THUMB_NAIL_KEY, "Y");
-
-		// The targetable path needs to be configured for the portal environment.
-		String url = env.getWServletPath();
-
-		// Note the last parameter. In javascript we don't want to encode "&".
-		return WebUtilities.getPath(url, parameters, true);
+		return WebUtilities.createTargetUrl(this, file.getThumbnailCacheKey(), parameters);
 	}
 
 	/**

wcomponents-core/src/main/java/com/github/bordertech/wcomponents/WTree.java

@@ -454,32 +454,10 @@ public String getItemImageUrl(final TreeItemImage item, final String itemId) {
 		}
 
 		// Build targetted url
-		Environment env = getEnvironment();
-		Map<String, String> parameters = env.getHiddenParameters();
-		parameters.put(Environment.TARGET_ID, getTargetId());
-
-		String cacheKey = item.getImageCacheKey();
-
-		if (Util.empty(cacheKey)) {
-			// Add some randomness to the URL to prevent caching
-			String random = WebUtilities.generateRandom();
-			parameters.put(Environment.UNIQUE_RANDOM_PARAM, random);
-		} else {
-			// Remove step counter as not required for cached content
-			parameters.remove(Environment.STEP_VARIABLE);
-			parameters.remove(Environment.SESSION_TOKEN_VARIABLE);
-			// Add the cache key
-			parameters.put(Environment.CONTENT_CACHE_KEY, cacheKey);
-		}
-
+		Map<String, String> parameters = new HashMap<>();
 		// Item id
 		parameters.put(ITEM_REQUEST_KEY, itemId);
-
-		// The targetable path needs to be configured for the portal environment.
-		url = env.getWServletPath();
-
-		// Note the last parameter. In javascript we don't want to encode "&".
-		return WebUtilities.getPath(url, parameters, true);
+		return WebUtilities.createTargetUrl(this, item.getImageCacheKey(), parameters);
 	}
 
 	/**

wcomponents-core/src/main/java/com/github/bordertech/wcomponents/WVideo.java

@@ -2,10 +2,10 @@
 
 import com.github.bordertech.wcomponents.util.Util;
 import java.util.Arrays;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
-
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
@@ -446,14 +446,11 @@ public String[] getVideoUrls() {
 		}
 
 		String[] urls = new String[video.length];
-
-		// this variable needs to be set in the portlet environment.
-		String url = getEnvironment().getWServletPath();
-		Map<String, String> parameters = getBaseParameterMap();
-
+		String cacheKey = getCacheKey();
+		Map<String, String> parameters = new HashMap<>();
 		for (int i = 0; i < urls.length; i++) {
 			parameters.put(VIDEO_INDEX_REQUEST_PARAM_KEY, String.valueOf(i));
-			urls[i] = WebUtilities.getPath(url, parameters, true);
+			urls[i] = WebUtilities.createTargetUrl(this, cacheKey, parameters);
 		}
 
 		return urls;
@@ -474,14 +471,11 @@ public String[] getTrackUrls() {
 		}
 
 		String[] urls = new String[tracks.length];
-
-		// this variable needs to be set in the portlet environment.
-		String url = getEnvironment().getWServletPath();
-		Map<String, String> parameters = getBaseParameterMap();
-
+		String cacheKey = getCacheKey();
+		Map<String, String> parameters = new HashMap<>();
 		for (int i = 0; i < urls.length; i++) {
 			parameters.put(TRACK_INDEX_REQUEST_PARAM_KEY, String.valueOf(i));
-			urls[i] = WebUtilities.getPath(url, parameters, true);
+			urls[i] = WebUtilities.createTargetUrl(this, cacheKey, parameters);
 		}
 
 		return urls;
@@ -501,36 +495,9 @@ public String getPosterUrl() {
 			return null;
 		}
 
-		// this variable needs to be set in the portlet environment.
-		String url = getEnvironment().getWServletPath();
-		Map<String, String> parameters = getBaseParameterMap();
+		Map<String, String> parameters = new HashMap<>();
 		parameters.put(POSTER_REQUEST_PARAM_KEY, "x");
-		return WebUtilities.getPath(url, parameters, true);
-	}
-
-	/**
-	 * Retrieves the base parameter map for serving content (videos + tracks).
-	 *
-	 * @return the base map for serving content.
-	 */
-	private Map<String, String> getBaseParameterMap() {
-		Environment env = getEnvironment();
-		Map<String, String> parameters = env.getHiddenParameters();
-		parameters.put(Environment.TARGET_ID, getTargetId());
-
-		if (Util.empty(getCacheKey())) {
-			// Add some randomness to the URL to prevent caching
-			String random = WebUtilities.generateRandom();
-			parameters.put(Environment.UNIQUE_RANDOM_PARAM, random);
-		} else {
-			// Remove step counter as not required for cached content
-			parameters.remove(Environment.STEP_VARIABLE);
-			parameters.remove(Environment.SESSION_TOKEN_VARIABLE);
-			// Add the cache key
-			parameters.put(Environment.CONTENT_CACHE_KEY, getCacheKey());
-		}
-
-		return parameters;
+		return WebUtilities.createTargetUrl(this, getCacheKey(), parameters);
 	}
 
 	/**
@@ -559,7 +526,6 @@ public boolean isVisible() {
 	public void handleRequest(final Request request) {
 		super.handleRequest(request);
 
-
 		String targ = request.getParameter(Environment.TARGET_ID);
 		boolean contentReqested = (targ != null && targ.equals(getTargetId()));
 

wcomponents-core/src/main/java/com/github/bordertech/wcomponents/WWindow.java

@@ -351,6 +351,8 @@ public String getUrl() {
 		parameters.put(WWINDOW_REQUEST_PARAM_KEY, getId());
 		// Override the step count with WWindow step
 		parameters.put(Environment.STEP_VARIABLE, String.valueOf(getStep()));
+		// Remove session token as this should not be exposed on GET URLs (CSRF Rules)
+		parameters.remove(Environment.SESSION_TOKEN_VARIABLE);
 
 		String url = env.getWServletPath();