Do not use CSRF cookie as the next token value #37723
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gastaldi
approved these changes
Dec 13, 2023
|
✔️ The latest workflow run for the pull request has completed successfully. It should be safe to merge provided you have a look at the other checks in the summary. |
benkard
added a commit
to benkard/mulkcms2
that referenced
this pull request
Dec 29, 2023
This MR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [flow-bin](https://github.com/flowtype/flow-bin) ([changelog](https://github.com/facebook/flow/blob/master/Changelog.md)) | devDependencies | minor | [`^0.224.0` -> `^0.225.0`](https://renovatebot.com/diffs/npm/flow-bin/0.224.0/0.225.1) | | [org.liquibase.ext:liquibase-hibernate5](https://github.com/liquibase/liquibase-hibernate/wiki) ([source](https://github.com/liquibase/liquibase-hibernate)) | build | patch | `4.25.0` -> `4.25.1` | | [org.liquibase:liquibase-maven-plugin](http://www.liquibase.org/liquibase-maven-plugin) ([source](https://github.com/liquibase/liquibase)) | build | patch | `4.25.0` -> `4.25.1` | | [org.jsoup:jsoup](https://jsoup.org/) ([source](https://github.com/jhy/jsoup)) | compile | patch | `1.17.1` -> `1.17.2` | | [io.hypersistence:hypersistence-utils-hibernate-62](https://github.com/vladmihalcea/hypersistence-utils) | compile | minor | `3.6.1` -> `3.7.0` | | [io.quarkus:quarkus-maven-plugin](https://github.com/quarkusio/quarkus) | build | patch | `3.6.3` -> `3.6.4` | | [io.quarkus:quarkus-universe-bom](https://github.com/quarkusio/quarkus-platform) | import | patch | `3.6.3` -> `3.6.4` | | [org.apache.maven.plugins:maven-compiler-plugin](https://maven.apache.org/plugins/) | build | minor | `3.11.0` -> `3.12.1` | --- ### Release Notes <details> <summary>flowtype/flow-bin</summary> ### [`v0.225.1`](flow/flow-bin@62a43fb...23ec616) [Compare Source](flow/flow-bin@62a43fb...23ec616) ### [`v0.225.0`](flow/flow-bin@e6104a1...62a43fb) [Compare Source](flow/flow-bin@e6104a1...62a43fb) </details> <details> <summary>liquibase/liquibase</summary> ### [`v4.25.1`](https://github.com/liquibase/liquibase/blob/HEAD/changelog.txt#Liquibase-4251-is-a-patch-release) [Compare Source](liquibase/liquibase@v4.25.0...v4.25.1) </details> <details> <summary>jhy/jsoup</summary> ### [`v1.17.2`](https://github.com/jhy/jsoup/blob/HEAD/CHANGES.md#​1172-2023-Dec-29) ##### Improvements - **Attribute object accessors**: Added `Element.attribute(String)` and `Attributes.attribute(String)` to more simply obtain an `Attribute` object. [2069](jhy/jsoup#2069) - **Attribute source tracking**: If source tracking is on, and an Attribute's key is changed ( via `Attribute.setKey(String)`), the source range is now still tracked in `Attribute.sourceRange()`. [2070](jhy/jsoup#2070) - **Wildcard attribute selector**: Added support for the `[*]` element with any attribute selector. And also restored support for selecting by an empty attribute name prefix (`[^]`). [2079](jhy/jsoup#2079) ##### Bug Fixes - **Mixed-cased source position**: When tracking the source position of attributes, if the source attribute name was mix-cased but the parser was lower-case normalizing attribute names, the source position for that attribute was not tracked correctly. [2067](jhy/jsoup#2067) - **Source position NPE**: When tracking the source position of a body fragment parse, a null pointer exception was thrown. [2068](jhy/jsoup#2068) - **Multi-point emoji entity**: A multi-point encoded emoji entity may be incorrectly decoded to the replacement character. [2074](jhy/jsoup#2074) - **Selector sub-expressions**: (Regression) in a selector like `parent [attr=va], other`, the `, OR` was binding to `[attr=va]` instead of `parent [attr=va]`, causing incorrect selections. The fix includes a EvaluatorDebug class that generates a sexpr to represent the query, allowing simpler and more thorough query parse tests. [2073](jhy/jsoup#2073) - **XML CData output**: When generating XML-syntax output from parsed HTML, script nodes containing (pseudo) CData sections would have an extraneous CData section added, causing script execution errors. Now, the data content is emitted in a HTML/XML/XHTML polyglot format, if the data is not already within a CData section. [2078](jhy/jsoup#2078) - **Thread safety**: The `:has` evaluator held a non-thread-safe Iterator, and so if an Evaluator object was shared across multiple concurrent threads, a NoSuchElement exception may be thrown, and the selected results may be incorrect. Now, the iterator object is a thread-local. [2088](jhy/jsoup#2088) *** Older changes for versions 0.1.1 (2010-Jan-31) through 1.17.1 (2023-Nov-27) may be found in [change-archive.txt](./change-archive.txt). </details> <details> <summary>vladmihalcea/hypersistence-utils</summary> ### [`v3.7.0`](https://github.com/vladmihalcea/hypersistence-utils/blob/HEAD/changelog.txt#Version-370---December-18-2023) \================================================================================ Oracle Interval Type does not support negative intervals [#​682](vladmihalcea/hypersistence-utils#682) Return original object if target and original are the same when merging [#​677](vladmihalcea/hypersistence-utils#677) Add a hypersistence-utils-hibernate-63 module for Hibernate 6.3 [#​657](vladmihalcea/hypersistence-utils#657) </details> <details> <summary>quarkusio/quarkus</summary> ### [`v3.6.4`](https://github.com/quarkusio/quarkus/releases/tag/3.6.4) [Compare Source](quarkusio/quarkus@3.6.3...3.6.4) ##### Complete changelog - [#​37808](quarkusio/quarkus#37808) - CLI - Rework how missing commands are detected - [#​37803](quarkusio/quarkus#37803) - Dev mode: add null checks to TimestampSet.isRestartNeeded() - [#​37798](quarkusio/quarkus#37798) - Only update ~/.docker/config.json if it exists - [#​37787](quarkusio/quarkus#37787) - Take priority into account in ConfigurationImpl - [#​37775](quarkusio/quarkus#37775) - Docs: fix typo in rabbitmq reference documentation - [#​37770](quarkusio/quarkus#37770) - Add SequencedCollection to BANNED_INTERFACE_TYPES - [#​37768](quarkusio/quarkus#37768) - Running application build with JDK21 and target Java 17 crash with NoClassDefFoundError: java/util/SequencedCollection - [#​37731](quarkusio/quarkus#37731) - Query logging is being done in io.quarkus.mongodb.panache.common.runtime.MongoOperations - [#​37723](quarkusio/quarkus#37723) - Do not use CSRF cookie as the next token value - [#​37717](quarkusio/quarkus#37717) - Docs: Fix incorrect link reference in Cross-Site Request Forgery Prevention guide - [#​37714](quarkusio/quarkus#37714) - Remove the driver property in the documentation for Cloud SQL - [#​37710](quarkusio/quarkus#37710) - Use NoStackTraceException in metrics - [#​37677](quarkusio/quarkus#37677) - Bump io.quarkus:quarkus-platform-bom-maven-plugin from 0.0.100 to 0.0.101 - [#​37654](quarkusio/quarkus#37654) - Make sure dev mode is properly written in doc - [#​36848](quarkusio/quarkus#36848) - CSRF Token with HMAC signature gets double signed </details> <details> <summary>quarkusio/quarkus-platform</summary> ### [`v3.6.4`](quarkusio/quarkus-platform@3.6.3...3.6.4) [Compare Source](quarkusio/quarkus-platform@3.6.3...3.6.4) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This MR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4yNC4wIiwidXBkYXRlZEluVmVyIjoiMzQuMjQuMCJ9-->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #36848
CSRF filter works like this: it generates a CSRF token, sets it as a routing context property, https://github.com/quarkusio/quarkus/blob/main/extensions/csrf-reactive/runtime/src/main/java/io/quarkus/csrf/reactive/runtime/CsrfRequestResponseReactiveFilter.java#L94
and then this provider helps to copy it into Qute templates which will have it saved as an internal form field, https://github.com/quarkusio/quarkus/blob/main/extensions/csrf-reactive/runtime/src/main/java/io/quarkus/csrf/reactive/runtime/CsrfTokenParameterProvider.java#L39, or it can be returned as a header value (for example in case of HTMX).
And a matching CSRF cookie is created.
Now lets imagine a Form containing a CSRF token POSTs something and it will be accompanied by the CSRF cookie, and the filter will compare it and if values match then all is good.
However, if a response to this POST is another form (as demonstrated in the test, or in similar cases), what happens is that the csrf cookie value, not the crsf token value (contained in the form field or header) which is returned in the next form, because, as soon as the cookie is found, it is set as the next CSRF token value and which will be set in the next form as described above, due to:
https://github.com/quarkusio/quarkus/blob/main/extensions/csrf-reactive/runtime/src/main/java/io/quarkus/csrf/reactive/runtime/CsrfRequestResponseReactiveFilter.java#L69.
It makes no difference when the CSRF token is not signed because both values are identical. When the CSRF token is signed, the cookie contains a signed copy of the token.
So when the Form POST is done, the filter, in order to verify that the cookie and the token match, signs the token and compares it with the cookie. Now, this cookie, which is a signed copy of the token is making its way into the second form as the next token value - but now both the cookie and the token are identical - both are now SHA-256 hashes, and therefore, during the follow up submission, resigning the token and comparing it with the cookie produces a false result.
It took several hours to figure out how to reproduce it in a test, and the fix is straighforward: simply avoid using the existing CSRF cookie value as the next token value, instead, when the cookie and the token already exist, it is the same original token value which has to be used as the next token value once it has been verified.
FYI, the test will fail without the proposed fix, since the token signature is required in that test