Nemcio/SCM-Manager
1
0
Fork 0
mirror of https://github.com/scm-manager/scm-manager.git synced 2026-03-06 20:30:52 +01:00
Code Issues Packages Projects Releases Activity

Disable xsrf for mercurial hook tokens

Browse Source
This commit is contained in:
Sebastian Sdorra
2020-11-08 12:23:15 +01:00
parent d518af4ccc
commit d86b2f70c3
3 changed files with 17 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
scm-plugins/scm-hg-plugin/src/main/java/sonia/scm/repository/DefaultHgEnvironmentBuilder.java
View File

@@ -32,6 +32,7 @@ import sonia.scm.repository.hooks.HookServer;
import sonia.scm.security.AccessToken;
import sonia.scm.security.AccessTokenBuilderFactory;
import sonia.scm.security.CipherUtil;
import sonia.scm.security.Xsrf;
import sonia.scm.web.HgUtil;
import javax.inject.Inject;
@@ -109,11 +110,18 @@ public class DefaultHgEnvironmentBuilder implements HgEnvironmentBuilder {
private void write(ImmutableMap.Builder<String, String> env) {
env.put(ENV_HOOK_PORT, String.valueOf(getHookPort()));
AccessToken accessToken = accessTokenBuilderFactory.create().build();
env.put(ENV_BEARER_TOKEN, CipherUtil.getInstance().encode(accessToken.compact()));
env.put(ENV_BEARER_TOKEN, accessToken());
env.put(ENV_CHALLENGE, hookEnvironment.getChallenge());
}
private String accessToken() {
AccessToken accessToken = accessTokenBuilderFactory.create()
// disable xsrf protection, because we can not access the http servlet request for verification
.custom(Xsrf.TOKEN_KEY, null)
.build();
return CipherUtil.getInstance().encode(accessToken.compact());
}
private synchronized int getHookPort() {
if (hookPort > 0) {
return hookPort;