From bo...@apache.org
Subject [15/50] storm git commit: STORM-460: Fix for storm CSRF vulnerability using ring-anti-forgery.
Date Thu, 13 Nov 2014 19:37:10 GMT
STORM-460: Fix for storm CSRF vulnerability using ring-anti-forgery.


Project: http://git-wip-us.apache.org/repos/asf/storm/repo
Commit: http://git-wip-us.apache.org/repos/asf/storm/commit/4ee22b13
Tree: http://git-wip-us.apache.org/repos/asf/storm/tree/4ee22b13
Diff: http://git-wip-us.apache.org/repos/asf/storm/diff/4ee22b13

Branch: refs/heads/master
Commit: 4ee22b1383fe14bfc852a0bcd8bf7b391ed47f27
Parents: 1a1df08
Author: Parth Brahmbhatt <brahmbhatt.parth@gmail.com>
Authored: Sun Aug 17 14:56:27 2014 -0700
Committer: Parth Brahmbhatt <brahmbhatt.parth@gmail.com>
Committed: Mon Aug 18 08:53:52 2014 -0700

----------------------------------------------------------------------
 storm-core/pom.xml                               |  7 ++++++-
 storm-core/src/clj/backtype/storm/ui/core.clj    | 14 +++++++++++---
 storm-core/src/ui/public/css/style.css           |  4 ++++
 storm-core/src/ui/public/js/script.js            |  3 ++-
 .../public/templates/anti-forgery-template.html  | 19 +++++++++++++++++++
 storm-core/src/ui/public/topology.html           |  7 +++++++
 6 files changed, 49 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/storm/blob/4ee22b13/storm-core/pom.xml
----------------------------------------------------------------------
diff --git a/storm-core/pom.xml b/storm-core/pom.xml
index c677b7c..44bca86 100644
--- a/storm-core/pom.xml
+++ b/storm-core/pom.xml
@@ -60,6 +60,11 @@
             <artifactId>ring-jetty-adapter</artifactId>
         </dependency>
         <dependency>
+            <groupId>ring</groupId>
+            <artifactId>ring-anti-forgery</artifactId>
+            <version>1.0.0</version>
+        </dependency>
+        <dependency>
             <groupId>org.clojure</groupId>
             <artifactId>tools.logging</artifactId>
         </dependency>
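Review bot: ring-anti-forgery is pinned inline at `1.0.0` while the neighbouring ring-jetty-adapter declaration carries no version, which suggests ring versions for this module are managed in a parent POM. The new artifact should follow the same convention (declare the version alongside the other ring artifacts and drop `<version>1.0.0</version>` here) so the CSRF library is upgraded together with the rest of the ring stack rather than drifting on its own.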
@@ -96,7 +101,7 @@
             <artifactId>data.codec</artifactId>
             <scope>test</scope>
         </dependency>
- 
+
         <!--java-->
         <dependency>
             <groupId>commons-io</groupId>

http://git-wip-us.apache.org/repos/asf/storm/blob/4ee22b13/storm-core/src/clj/backtype/storm/ui/core.clj
----------------------------------------------------------------------
diff --git a/storm-core/src/clj/backtype/storm/ui/core.clj b/storm-core/src/clj/backtype/storm/ui/core.clj
index 8dd301e..f771ee6 100644
--- a/storm-core/src/clj/backtype/storm/ui/core.clj
+++ b/storm-core/src/clj/backtype/storm/ui/core.clj
@@ -23,6 +23,7 @@
   (:use [backtype.storm.daemon [common :only [ACKER-COMPONENT-ID ACKER-INIT-STREAM-ID
                                               ACKER-ACK-STREAM-ID ACKER-FAIL-STREAM-ID system-id?]]])
   (:use [ring.adapter.jetty :only [run-jetty]])
+  (:use [ring.middleware.anti-forgery])
   (:use [clojure.string :only [blank? lower-case trim]])
   (:import [backtype.storm.utils Utils])
   (:import [backtype.storm.generated ExecutorSpecificStats
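Review bot: `(:use [ring.middleware.anti-forgery])` brings every public var of that namespace into `backtype.storm.ui.core`, unlike the surrounding `:use` forms which restrict with `:only`. Only two names from it are used later in this commit, so `(:use [ring.middleware.anti-forgery :only [wrap-anti-forgery *anti-forgery-token*]])` keeps the dependency explicit and avoids accidental shadowing of locals by whatever else the library exports. The `ns` form continues outside this hunk.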
@@ -687,7 +688,8 @@
         "bolts" (bolt-comp id bolt-comp-summs (.get_errors summ) window include-sys?)
         "configuration" topology-conf
         "visualizationTable" (stream-boxes visualizer-data)
-        "uiActionsEnabled" (ui-actions-enabled?)}))))
+        "uiActionsEnabled" (ui-actions-enabled?)
+        "anti-forgery-token" *anti-forgery-token*}))))
 
 (defn spout-output-stats
   [stream-summary window]
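Review bot: The per-session CSRF token is now part of the map that `topology-page` returns, and the enclosing route serialises that map as a JSON API body, so the token leaves the server through an API response rather than only through rendered HTML. That is fine while the endpoint is same-origin only; if the route also honours a JSONP `callback` parameter (the route definition is outside this hunk), a callback-wrapped response would be readable from other origins and the token would no longer be a secret, so that case should be confirmed and, if present, the key omitted from callback responses. A comment on the new entry, `;; per-session CSRF token for UI POSTs; must not be served via JSONP`, would record the constraint. `topology-page` begins before this hunk.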
@@ -956,10 +958,16 @@
       (catch Exception ex
         (json-response (exception->json ex) 500)))))
 
+
+(def csrf-error-response
+  (json-response {"error" "Forbidden action."
+                  "errorMessage" "missing CSRF token."} 403))
+
 (def app
   (handler/site (-> main-routes
-                    (wrap-reload '[backtype.storm.ui.core])
-                    catch-errors)))
+                  (wrap-reload '[backtype.storm.ui.core])
+                  (wrap-anti-forgery {:error-response csrf-error-response})
+                  catch-errors)))
 
 (defn start-server!
   []
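Review bot: `wrap-anti-forgery` wraps all of `main-routes`, so every state-changing request to the REST API (the `/api/v1/topology/:id/<action>` POSTs the UI issues, and any scripted client) now needs the session cookie plus a matching token; the library exempts only safe methods such as GET and HEAD, so non-browser callers will begin receiving this 403 and the change should be documented with the REST API. The error text `"missing CSRF token."` is also returned when a token is present but does not match the session, so `"errorMessage" "missing or invalid CSRF token."` describes both cases. The ordering in the `->` form depends on `handler/site` installing session middleware outside it; a one-line comment above `app` stating that dependency would save the next reader from moving the middleware.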

http://git-wip-us.apache.org/repos/asf/storm/blob/4ee22b13/storm-core/src/ui/public/css/style.css
----------------------------------------------------------------------
diff --git a/storm-core/src/ui/public/css/style.css b/storm-core/src/ui/public/css/style.css
index 29a45eb..85a8961 100644
--- a/storm-core/src/ui/public/css/style.css
+++ b/storm-core/src/ui/public/css/style.css
@@ -24,6 +24,10 @@
     padding: 0.5em;
 }
 
+.anti-forgery-token {
+visibility:hidden;
+}
+
 body {
   color: #808080;
   padding: 0.2em;
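Review bot: `visibility:hidden` keeps the token `<div>` in the page flow, so the element still reserves space at the bottom of the body; `display: none;` removes it from layout while `$('#anti-forgery-token').text()` in script.js still reads its content. The declaration is also unindented, unlike the other rules in this file, so `    display: none;` would match the surrounding style.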

http://git-wip-us.apache.org/repos/asf/storm/blob/4ee22b13/storm-core/src/ui/public/js/script.js
----------------------------------------------------------------------
diff --git a/storm-core/src/ui/public/js/script.js b/storm-core/src/ui/public/js/script.js
index fef3b59..09ecd57 100644
--- a/storm-core/src/ui/public/js/script.js
+++ b/storm-core/src/ui/public/js/script.js
@@ -71,7 +71,8 @@ function ensureInt(n) {
 function confirmAction(id, name, action, wait, defaultWait) {
     var opts = {
         type:'POST',
-        url:'/api/v1/topology/' + id + '/' + action
+        url:'/api/v1/topology/' + id + '/' + action,
+        headers: { 'x-csrf-token': $.trim($('#anti-forgery-token').text()) }
     };
     if (wait) {
         var waitSecs = prompt('Do you really want to ' + action + ' topology "' + name +
'"? ' +
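Review bot: The header value is read from `#anti-forgery-token` at the moment the action is confirmed, but topology.html fills that element only after two asynchronous requests (the API response and then the template fetch) complete, so an action triggered before both finish, or from a page that lacks the element, sends an empty `x-csrf-token` and the server answers 403 with no explanation shown in the UI. A guard before building `opts`, `var token = $.trim($('#anti-forgery-token').text()); if (!token) { alert('CSRF token not loaded yet, please retry.'); return; }`, would surface the cause instead of a silent failure. `confirmAction` continues beyond this hunk.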

http://git-wip-us.apache.org/repos/asf/storm/blob/4ee22b13/storm-core/src/ui/public/templates/anti-forgery-template.html
----------------------------------------------------------------------
diff --git a/storm-core/src/ui/public/templates/anti-forgery-template.html b/storm-core/src/ui/public/templates/anti-forgery-template.html
new file mode 100644
index 0000000..1a63ace
--- /dev/null
+++ b/storm-core/src/ui/public/templates/anti-forgery-template.html
@@ -0,0 +1,19 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements.  See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<script id="anti-forgery-template" type="text/html">
+{{#anti-forgery-token}}{{anti-forgery-token}}{{/anti-forgery-token}}
+</script>

http://git-wip-us.apache.org/repos/asf/storm/blob/4ee22b13/storm-core/src/ui/public/topology.html
----------------------------------------------------------------------
diff --git a/storm-core/src/ui/public/topology.html b/storm-core/src/ui/public/topology.html
index eb74522..805b6b4 100644
--- a/storm-core/src/ui/public/topology.html
+++ b/storm-core/src/ui/public/topology.html
@@ -52,6 +52,8 @@
 <p id="toggle-switch" style="display: block;" class="js-only"></p>
 <div id="json-response-error">
 </div>
+<div id="anti-forgery-token" class="anti-forgery-token">
+</div>
 </body>
 <script>
 $(document).ready(function() {
@@ -76,6 +78,11 @@ $(document).ready(function() {
             uiUser.append(Mustache.render($(template).filter("#user-template").html(),response));
         });
 
+        var antiForgeryToken = $("#anti-forgery-token");
+        $.get("/templates/anti-forgery-template.html", function(template) {
+            antiForgeryToken.append(Mustache.render($(template).filter("#anti-forgery-template").html(),response));
+        });
+
         var topologySummary = $("#topology-summary");
         var topologyStats = $("#topology-stats");
         var spoutStats = $("#spout-stats");
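Review bot: Fetching a one-line template over a second round trip just to place a string in a `<div>` delays the point at which actions can succeed and adds another failure mode (a 404 on the template leaves the token empty); `antiForgeryToken.text(response["anti-forgery-token"]);` inside the existing callback does the same job, and jQuery's `.text()` setter inserts it as text, so the escaping Mustache provided is preserved. The `$(document).ready` handler and the `$.get` callback that defines `response` both begin before this hunk.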

