Add csrf protection for provision handlers

2025-10-06 02:01:45 +00:00 · 2023-11-02 09:33:27 +05:30 · 2023-11-02 09:33:27 +05:30 · a9aa66173a
commit a9aa66173a
parent 93427e0077
2 changed files with 12 additions and 1 deletions
--- a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/JITProvisionCallbackHandler.java
+++ b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/JITProvisionCallbackHandler.java
@ -32,6 +32,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 import java.io.IOException;
+import java.util.Objects;

@WebServlet(
        name = "JIT callback handler",
@ -45,6 +46,7 @@ public class JITProvisionCallbackHandler extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
+        String state = request.getParameter("state");
        HttpSession session = request.getSession(false);
        String JITProvisionCallbackURL = request.getScheme() + HandlerConstants.SCHEME_SEPARATOR
                + System.getProperty(HandlerConstants.IOT_CORE_HOST_ENV_VAR)
@ -57,6 +59,12 @@ public class JITProvisionCallbackHandler extends HttpServlet {
                return;
            }

+            if (state == null || !Objects.equals(state, session.getAttribute("state").toString())) {
+                response.sendError(org.apache.http.HttpStatus.SC_BAD_REQUEST, "MismatchingStateError: CSRF Warning! " +
+                        "State not equal in request and response");
+                return;
+            }
+
            JITData JITInfo = (JITData) session.getAttribute(HandlerConstants.SESSION_JIT_DATA_KEY);
            if (JITInfo == null) {
                response.sendError(HttpStatus.SC_UNAUTHORIZED);
--- a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/JITProvisionHandler.java
+++ b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/JITProvisionHandler.java
@ -70,6 +70,7 @@ public class JITProvisionHandler extends HttpServlet {
    private String encodedClientCredentials;
    private String JITConfigurationPath;
    private String redirectUrl;
+    private String state;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
@ -83,6 +84,7 @@ public class JITProvisionHandler extends HttpServlet {
                + HandlerConstants.JIT_PROVISION_CALLBACK_URL;
        JITConfigurationPath = CarbonUtils.getCarbonConfigDirPath() + File.separator + "jit-config.xml";
        String scope = "openid";
+        state = HandlerUtil.generateStateToken();
        tenantDomain = request.getParameter("tenantDomain");
        redirectUrl = request.getParameter("redirectUrl");
        JITServiceProviderName = request.getParameter("sp");
@ -100,7 +102,7 @@ public class JITProvisionHandler extends HttpServlet {
            response.sendRedirect(keyManagerUrl + HandlerConstants.AUTHORIZATION_ENDPOINT +
                    "?response_type=code" +
                    "&client_id=" + clientId +
-                    "&state=" +
+                    "&state=" + state +
                    "&scope=" + scope +
                    "&redirect_uri=" + JITCallbackUrl);
        } catch (JITProvisionException | IOException ex) {
@ -129,6 +131,7 @@ public class JITProvisionHandler extends HttpServlet {
        JITInfo.setRedirectUrl(redirectUrl);
        JITInfo.setSp(JITServiceProviderName);
        session.setMaxInactiveInterval(3600);
+        session.setAttribute("state", state);
        session.setAttribute(HandlerConstants.SESSION_JIT_DATA_KEY, JITInfo);
    }