implemented xsrf protection, see issue #793

2026-02-05 06:09:12 +01:00 · 2016-01-23 22:02:25 +01:00
parent 451cd910a5
commit 488d4e3323
7 changed files with 511 additions and 0 deletions
--- a/scm-webapp/src/main/java/sonia/scm/ScmServletModule.java
+++ b/scm-webapp/src/main/java/sonia/scm/ScmServletModule.java
@@ -162,6 +162,7 @@ import sonia.scm.net.ahc.ContentTransformer;
 import sonia.scm.net.ahc.DefaultAdvancedHttpClient;
 import sonia.scm.net.ahc.JsonContentTransformer;
 import sonia.scm.net.ahc.XmlContentTransformer;
+import sonia.scm.security.XsrfProtectionFilter;
 import sonia.scm.web.UserAgentParser;

 /**
@@ -365,6 +366,9 @@ public class ScmServletModule extends ServletModule
      filter(PATTERN_ALL).through(LoggingFilter.class);
    }

+    // protect api agains xsrf attacks
+    filter(PATTERN_RESTAPI).through(XsrfProtectionFilter.class);
+    
    /*
     * filter(PATTERN_PAGE,
     *      PATTERN_STATIC_RESOURCES).through(StaticResourceFilter.class);