Skip to content

GitLab

Commit 19610f73 authored by vehjelmtvedt's avatar vehjelmtvedt
Browse files

add CSRF token to all forms and validtate it in handler

parent 980aa59d
Hide whitespace changes
Inline Side-by-side
production.db
View file @ 19610f73
No preview for this file type
src/main/java/inf226/inchat/Handler.java
View file @ 19610f73
......@@ -151,6 +151,28 @@ public class Handler extends AbstractHandler
Util.lookup(account.value.channels,alias).get();
if(request.getMethod().equals("POST")) {
// This is a request to post something in the channel.
// Confirm that CSRF token matches session cookie
if (session.identity.equals(UUID.fromString(request.getParameter("CSRFToken")))) { return; }
if(request.getParameter("newmessage") != null) {
String message = (new Maybe<String>
......@@ -184,7 +206,7 @@ public class Handler extends AbstractHandler
printStandardTop(out, "inChat: " + alias);
out.println("<div class=\"main\">");
printChannelList(out, account.value, alias);
printChannel(out, channel, alias);
printChannel(out, channel, alias, session.identity);
out.println("</div>");
out.println("</body>");
out.println("</html>");
......@@ -203,6 +225,7 @@ public class Handler extends AbstractHandler
out.println("<form class=\"login\" action=\"/\" method=\"POST\">"
+ "<div class=\"name\"><input type=\"text\" name=\"channelname\" placeholder=\"Channel name\"></div>"
+ "<div class=\"submit\"><input type=\"submit\" name=\"createchannel\" value=\"Create Channel\"></div>"
+ " <input type=\"hidden\" name=\"CSRFToken\" value=\"" + session.identity + "\">"
+ "</form>");
out.println("</body>");
out.println("</html>");
......@@ -221,6 +244,7 @@ public class Handler extends AbstractHandler
out.println("<form class=\"login\" action=\"/join\" method=\"POST\">"
+ "<div class=\"name\"><input type=\"text\" name=\"channelid\" placeholder=\"Channel ID number:\"></div>"
+ "<div class=\"submit\"><input type=\"submit\" name=\"joinchannel\" value=\"Join channel\"></div>"
+ " <input type=\"hidden\" name=\"CSRFToken\" value=\"" + session.identity + "\">"
+ "</form>");
out.println("</body>");
out.println("</html>");
......@@ -246,6 +270,8 @@ public class Handler extends AbstractHandler
out.println(" <div class=\"user\">You</div>");
out.println(" <input type=\"hidden\" name=\"editmessage\" value=\"Edit\">");
out.println(" <input type=\"hidden\" name=\"message\" value=\"" + messageid + "\">");
// Add anti-CSRF token here
out.println(" <input type=\"hidden\" name=\"CSRFToken\" value=\"" + session.identity + "\">");
out.println(" <textarea id=\"messageInput\" class=\"messagebox\" placeholder=\"Post a message in this channel!\" name=\"content\">" + originalContent + "</textarea>");
out.println(" <div class=\"controls\"><input style=\"float: right;\" type=\"submit\" name=\"edit\" value=\"Edit\"></div>");
out.println("</form>");
......@@ -310,7 +336,7 @@ public class Handler extends AbstractHandler
Stored<Channel> channel = inchat.waitNextChannelVersion(identity,version).get();
System.err.println("Got a new version.");
out.println(channel.version);
printChannelEvents(out,channel);
printChannelEvents(out,channel, session.identity);
response.setStatus(HttpServletResponse.SC_OK);
baseRequest.setHandled(true);
return ;
......@@ -428,16 +454,17 @@ public class Handler extends AbstractHandler
**/
private void printChannel(PrintWriter out,
Stored<Channel> channel,
String alias) {
String alias, UUID token) {
out.println("<main id=\"channel\" role=\"main\" class=\"channel\">");
printChannelEvents(out,channel);
printChannelEvents(out,channel, token);
out.println("<script src=\"/script.js\"></script>");
out.println("<script>subscribe(\"" + channel.identity +"\",\"" + channel.version + "\");</script>");
out.println("<form class=\"entry\" action=\"/channel/" + alias + "\" method=\"post\">");
out.println(" <div class=\"user\">You</div>");
out.println(" <input type=\"hidden\" name=\"newmessage\" value=\"Send\">");
out.println(" <input type=\"hidden\" name=\"CSRFToken\" value=\"" + token + "\">");
out.println(" <textarea id=\"messageInput\" class=\"messagebox\" placeholder=\"Post a message in this channel!\" name=\"message\"></textarea>");
out.println(" <div class=\"controls\"><input style=\"float: right;\" type=\"submit\" name=\"send\" value=\"Send\"></div>");
out.println("</form>");
......@@ -461,6 +488,7 @@ public class Handler extends AbstractHandler
out.println("<option value=\"observer\">Observer</option>");
out.println("<option value=\"banned\">Banned</option>");
out.println("<input type=\"submit\" name=\"setpermission\" value=\"Set!\">");
out.println(" <input type=\"hidden\" name=\"CSRFToken\" value=\"" + token + "\">");
out.println("</select>");
out.println("</form>");
......@@ -471,19 +499,19 @@ public class Handler extends AbstractHandler
* Render the events of a channel as HTML.
*/
private void printChannelEvents(PrintWriter out,
Stored<Channel> channel) {
Stored<Channel> channel, UUID token) {
out.println("<div id=\"chanevents\">");
channel.value
.events
.reverse()
.forEach(printEvent(out,channel));
.forEach(printEvent(out,channel, token));
out.println("</div>");
}
/**
* Render an event as HTML.
*/
private Consumer<Stored<Channel.Event>> printEvent(PrintWriter out, Stored<Channel> channel) {
private Consumer<Stored<Channel.Event>> printEvent(PrintWriter out, Stored<Channel> channel, UUID token) {
return (e -> {
switch(e.value.type) {
case message:
......@@ -494,6 +522,7 @@ public class Handler extends AbstractHandler
out.println(" <div class=\"messagecontrols\">");
out.println(" <form style=\"grid-area: delete;\" action=\"/channel/" + channel.value.name + "\" method=\"POST\">");
out.println(" <input type=\"hidden\" name=\"message\" value=\""+ e.identity + "\">");
out.println(" <input type=\"hidden\" name=\"CSRFToken\" value=\"" + token + "\">");
out.println(" <input type=\"submit\" name=\"deletemessage\" value=\"Delete\">");
out.println(" </form><form style=\"grid-area: edit;\" action=\"/editMessage\" method=\"POST\">");
out.println(" ");
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment