Re: [PR] Csrf filter improvements [tomcat]

Wed, 20 Dec 2023 14:02:12 -0800 


michael-o commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1433225531


##########
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##########
@@ -198,15 +416,27 @@ protected boolean skipNonceCheck(HttpServletRequest 
request) {
 
         String requestedPath = getRequestedPath(request);
 
-        if (!entryPoints.contains(requestedPath)) {
-            return false;
+        if (entryPoints.contains(requestedPath)) {
+            if (log.isTraceEnabled()) {
+                log.trace("Skipping CSRF nonce-check for GET request to entry 
point " + requestedPath);
+            }
+
+            return true;
         }
 
-        if (log.isTraceEnabled()) {
-            log.trace("Skipping CSRF nonce-check for GET request to entry 
point " + requestedPath);
+        if (null != noNoncePredicates && !noNoncePredicates.isEmpty()) {
+            for (Predicate<String> p : noNoncePredicates) {
+                if (p.test(requestedPath)) {
+                    if (log.isTraceEnabled()) {
+                        log.trace("Skipping CSRF nonce-check for GET request 
to no-nonce path " + requestedPath);

Review Comment:
   No `messages.properties`?



##########
webapps/docs/config/filter.xml:
##########
@@ -319,6 +326,34 @@
         of <code>java.security.SecureRandom</code> will be used.</p>
       </attribute>
 
+      <attribute name="noNonceURLPatterns" required="false">
+        <p>A list of URL patterns that will <i>not</i> have CSRF nonces added
+        to them. You may not want to add nonces to certain URLs to avoid
+        creating unique URLs which may defeat resource caching, etc.</p>
+
+        <p>There are 3 types of patterns supported:</p>

Review Comment:
   three



##########
webapps/docs/config/filter.xml:
##########
@@ -291,6 +291,13 @@
         request. The default value is <code>403</code>.</p>
       </attribute>
 
+      <attribute name="enforce" required="false">
+        <p>A flag to enable or disable enforcement. When enforcement is
+        disabled, the CsrfPreventionFilter will <i>allow all requests</i> and
+        log CSRF failures as DEBUG messages. The default is <b>true</b>,
+        enabling the enforcement of CSRF protections.</p>
+      </attribute>

Review Comment:
   I don't understand the purpose. I mean, why not then drop the filter from 
the `web.xml`? We don't have this for other filter, do we?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to