
Reimplement CSRF feature as ServerRequestFilter with form read #29977

Merged: sberyozkin merged 1 commit into quarkusio:main from csrf_filter_force_form_read on Dec 20, 2022

Conversation

sberyozkin
Member

Fixes #29763.

This PR restores the previous CSRF feature ServerRequestFilter implementation, adds @WithFormRead, and adds a test confirming the filter is effective if no FormParam is available in the method signature.

@geoand Even though the CSRF feature just can't settle on one concrete implementation, the good news is that the enhancement you added to support the config injection to ServerRestHandler and a neat fix to handle SecureRandom in native image in ServerRestHandler will be of help to other users for sure, and who knows, maybe the CSRF feature will become a ServerRestHandler again :-)
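
The behaviour this PR describes, a request filter that forces the form body to be parsed so it can read the CSRF token even when the target method declares no @FormParam, shown as an added example in Java. This is illustrative code, not the PR's diff and not the Quarkus CSRF extension's implementation: the CsrfFormReadFilter class, the ActionResource resource with its /service/logout path, and the use of "csrf-token" as both the cookie name and the hidden form field name are assumptions for the example (the real extension also issues the token cookie, which is left out here). The two classes are listed together for brevity; in a project each goes in its own file.

```java
package org.acme.csrf;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Optional;

import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.jboss.resteasy.reactive.server.ServerRequestFilter;
import org.jboss.resteasy.reactive.server.WithFormRead;

import io.vertx.core.http.Cookie;
import io.vertx.ext.web.RoutingContext;

// Double-submit CSRF check: the token in the form field must equal the token in the cookie.
// "csrf-token" is an assumed name for this example, not a Quarkus default.
public class CsrfFormReadFilter {

    static final String TOKEN_NAME = "csrf-token";

    // Without @WithFormRead the form body is only parsed when the resource method declares a
    // @FormParam. For a POST whose method takes no form parameters, formAttributes would then be
    // empty, the token lookup would always miss, and the filter would silently stop protecting
    // exactly the endpoints the linked issue is about. @WithFormRead makes the body available
    // to the filter regardless of the method signature.
    @WithFormRead
    @ServerRequestFilter
    public Optional<Response> checkCsrf(RoutingContext routing) {
        if (!"POST".equals(routing.request().method().name())) {
            return Optional.empty(); // empty Optional: let the request continue
        }
        String contentType = routing.request().getHeader("Content-Type");
        if (contentType == null || !contentType.startsWith(MediaType.APPLICATION_FORM_URLENCODED)) {
            return Optional.empty(); // only form posts carry the hidden token field in this example
        }

        Cookie cookie = routing.request().getCookie(TOKEN_NAME);
        String formToken = routing.request().getFormAttribute(TOKEN_NAME);

        // Fail closed: a missing cookie or field is rejected, not skipped. Skipping on "no token"
        // would reproduce the original bug under a different name.
        if (cookie == null || formToken == null || !constantTimeEquals(cookie.getValue(), formToken)) {
            return Optional.of(Response.status(Response.Status.BAD_REQUEST).build());
        }
        return Optional.empty();
    }

    // Length-independent comparison so the token check does not leak matching prefixes.
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}

// A state-changing POST that needs nothing from the form itself. This is the case the PR's new
// test covers: no @FormParam, yet the filter above still sees the submitted token.
@Path("/service")
class ActionResource {

    @POST
    @Path("/logout")
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    public String logout() {
        return "logged out";
    }
}
```

To confirm the filter is actually consulted for such a method, post a form with and without the token field: `curl -X POST -b 'csrf-token=abc' -d 'csrf-token=abc' http://localhost:8080/service/logout` should return 200, and the same request without `-d` should return 400. If the second call also returns 200, the form body is not being read before the filter runs, which is the failure mode the @WithFormRead annotation exists to prevent.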

@sberyozkin sberyozkin requested review from FroMage and geoand December 20, 2022 13:47
@geoand
Contributor

geoand commented Dec 20, 2022

Sounds good :)

@quarkus-bot

quarkus-bot bot commented Dec 20, 2022

Failing Jobs - Building 1ab36ed

Status | Job | Failed step
✔️ | JVM Tests - JDK 11 |
✔️ | JVM Tests - JDK 17 |
⚠️ | JVM Tests - JDK 17 MacOS M1 | Set up runner
✔️ | JVM Tests - JDK 18 |

@sberyozkin
Member Author

Let me merge now, Steph - hope it will work for you as well

@sberyozkin sberyozkin merged commit 1079861 into quarkusio:main Dec 20, 2022
@sberyozkin sberyozkin deleted the csrf_filter_force_form_read branch December 20, 2022 15:38
@quarkus-bot quarkus-bot bot added this to the 2.16 - main milestone Dec 20, 2022
@FroMage
Member

FroMage commented Dec 21, 2022

Thanks. To try it, it needs to be in a release. Can't we backport it to 2.15? IMO the CSRF filter doesn't work entirely in 2.15 so this is a needed security bug fix.


Successfully merging this pull request may close these issues.

CSRF not working on POST actions that require no form parameters
4 participants