Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CSRF (Cross Site Request Forgery) Protection #1826

Merged
merged 108 commits into from
Oct 28, 2024
Merged

CSRF (Cross Site Request Forgery) Protection #1826

merged 108 commits into from
Oct 28, 2024

Conversation

sdelamo
Copy link
Contributor

@sdelamo sdelamo commented Oct 18, 2024

After this PR gets merged, I will do a PR in Views to add a ViewModelProcessor which adds the CSRF token to the views seamlessly. I will also explore add it to the form generation api.

@sdelamo sdelamo added the type: enhancement New feature or request label Oct 18, 2024
@sdelamo sdelamo changed the title Csrf CSRF (Cross Site Request Forgery) Protection Oct 18, 2024
@sdelamo sdelamo self-assigned this Oct 18, 2024
}

boolean shouldTheFilterProcessTheRequestAccordingToTheUriMatch(String uri) {
boolean matches = PathMatcher.REGEX.matches(csrfFilterConfiguration.getRegexPattern(), uri);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Compile the pattern and store in a field

Copy link
Contributor Author

@sdelamo sdelamo Oct 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That it is what RegexPathMatcher does. It stores it in a concurrent hash map.

}

@Override
public String getRegexPattern() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe have the property named regex and regexPattern will return an instance of Pattern?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the name regex-pattern is appropriate. I want to convey is the pattern used for the filter. And I want to convey it is a regular expression not an ant pattern.

https://github.com/micronaut-projects/micronaut-core/blob/4.7.x/http/src/main/java/io/micronaut/http/annotation/RequestFilter.java#L90

The patterns this filter should match

Copy link

sonarcloud bot commented Oct 28, 2024

@sdelamo sdelamo merged commit cbf942d into 4.11.x Oct 28, 2024
17 checks passed
@sdelamo sdelamo deleted the csrf branch October 28, 2024 14:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
type: enhancement New feature or request
Projects
No open projects
Status: Done
Development

Successfully merging this pull request may close these issues.

Consider providing an API to ease the implementation of CSRF Prevention
5 participants