From 8d00ca56bbf2f626ab21ce187f43c6a329612c08 Mon Sep 17 00:00:00 2001
From: scottbommarito
Date: Mon, 31 Jul 2017 16:32:58 -0700
Subject: [PATCH 1/4] add antiforgery tokens to many admin methods
---
.../Admin/Controllers/LuceneController.cs | 1 +
.../Controllers/SecurityPolicyController.cs | 1 +
.../Controllers/SupportRequestController.cs | 5 +++
.../Areas/Admin/Views/Lucene/Index.cshtml | 3 +-
.../Admin/Views/SupportRequest/Admins.cshtml | 33 +++++++++++--------
.../Admin/Views/SupportRequest/Index.cshtml | 5 ++-
.../Controllers/CuratedPackagesController.cs | 3 ++
src/NuGetGallery/Scripts/supportrequests.js | 15 ++++++---
.../Views/CuratedFeeds/CuratedFeed.cshtml | 17 ++++++++--
9 files changed, 60 insertions(+), 23 deletions(-)
diff --git a/src/NuGetGallery/Areas/Admin/Controllers/LuceneController.cs b/src/NuGetGallery/Areas/Admin/Controllers/LuceneController.cs
index 0bf844f9dd..336b8a9363 100644
--- a/src/NuGetGallery/Areas/Admin/Controllers/LuceneController.cs
+++ b/src/NuGetGallery/Areas/Admin/Controllers/LuceneController.cs
@@ -55,6 +55,7 @@ private async Task GetLuceneInfo()
}
[HttpPost]
+ [ValidateAntiForgeryToken]
public virtual Task Rebuild()
{
IndexingService.UpdateIndex(forceRefresh: true);
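Review bot: The antiforgery check only proves the POST came from a page this site rendered; it does not reproduce the `Model.IsLocal` gate that the Lucene/Index view applies before emitting the Rebuild form, because an MVC antiforgery token is not bound to a particular action and can be lifted from any other page that calls `@Html.AntiForgeryToken()`. If a forced reindex is meant to be local-only, enforce that in the action itself rather than in the view, e.g. a guard at the top of Rebuild that returns a 404/403 when the deployment is not local (the exact property to test is not visible here). Separately, `Rebuild` is declared as returning `Task` without `async` while the visible body calls `IndexingService.UpdateIndex` synchronously; the rest of the method is outside the hunk, so confirm it actually returns a completed task rather than relying on an implicit conversion.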
diff --git a/src/NuGetGallery/Areas/Admin/Controllers/SecurityPolicyController.cs b/src/NuGetGallery/Areas/Admin/Controllers/SecurityPolicyController.cs
index 05871bbb12..23cfd15a0f 100644
--- a/src/NuGetGallery/Areas/Admin/Controllers/SecurityPolicyController.cs
+++ b/src/NuGetGallery/Areas/Admin/Controllers/SecurityPolicyController.cs
@@ -71,6 +71,7 @@ public virtual JsonResult Search(string query)
}
[HttpPost]
+ [ValidateAntiForgeryToken]
public async Task Update(List subscriptionsJson)
{
var subscribeRequests = subscriptionsJson?.Select(JsonConvert.DeserializeObject)
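Review bot: The diffstat for this patch lists no SecurityPolicy view or script, yet adding `[ValidateAntiForgeryToken]` to `Update` means every caller must now post a `__RequestVerificationToken` form field alongside the matching cookie, or the request fails with an HttpAntiForgeryException. If the existing SecurityPolicy/Index form already emits `@Html.AntiForgeryToken()` this is fine; if `Update` is instead reached by an AJAX call that posts JSON, MVC's built-in attribute will not find the token in the body and the page will break after deploy. Please confirm the caller, and if it is XHR, either append the token to the form-encoded payload or validate it from a header with a custom filter. The method body continues outside the hunk.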
diff --git a/src/NuGetGallery/Areas/Admin/Controllers/SupportRequestController.cs b/src/NuGetGallery/Areas/Admin/Controllers/SupportRequestController.cs
index a368dd4082..e9baa1e435 100644
--- a/src/NuGetGallery/Areas/Admin/Controllers/SupportRequestController.cs
+++ b/src/NuGetGallery/Areas/Admin/Controllers/SupportRequestController.cs
@@ -54,6 +54,7 @@ public ActionResult GetAdmins()
}
[HttpPost]
+ [ValidateAntiForgeryToken]
public async Task DisableAdmin(int key)
{
try
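Review bot: When token validation fails, MVC's `[ValidateAntiForgeryToken]` throws HttpAntiForgeryException before the action runs, so the `try` block that starts here never sees it and the AJAX caller in supportrequests.js (updated elsewhere in this patch) will receive a generic 500 rather than a deliberate error. For an admin tool that is acceptable, but a small exception filter mapping HttpAntiForgeryException to a 403 with a JSON body would give the client something it can surface; the same applies to EnableAdmin, AddAdmin, UpdateAdmin and Save in this file. The try/catch body continues outside the hunk, so I could not check what it returns on failure.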
@@ -69,6 +70,7 @@ public async Task DisableAdmin(int key)
}
[HttpPost]
+ [ValidateAntiForgeryToken]
public async Task EnableAdmin(int key)
{
try
@@ -84,6 +86,7 @@ public async Task EnableAdmin(int key)
}
[HttpPost]
+ [ValidateAntiForgeryToken]
public async Task AddAdmin(string galleryUsername, string pagerDutyUsername)
{
try
@@ -99,6 +102,7 @@ public async Task AddAdmin(string galleryUsername, string pagerDut
}
[HttpPost]
+ [ValidateAntiForgeryToken]
public async Task UpdateAdmin(int key, string galleryUsername, string pagerDutyUsername)
{
try
@@ -114,6 +118,7 @@ public async Task UpdateAdmin(int key, string galleryUsername, str
}
[HttpPost]
+ [ValidateAntiForgeryToken]
public async Task Save(int issueKey, int? assignedToId, int issueStatusId, string comment)
{
try
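Review bot: `[ValidateAntiForgeryToken]` is a CSRF control, not an authorization control: it does not by itself prevent a non-admin authenticated user from calling `Save` with their own token. The controller declaration is outside this hunk, so I cannot see whether an admin-only authorization filter is applied at the controller or area level; please confirm one is, since `Save` mutates issue assignment and status from four caller-supplied values. If it is not, the fix belongs on the controller class rather than on each action, so that new actions cannot be added without it.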
diff --git a/src/NuGetGallery/Areas/Admin/Views/Lucene/Index.cshtml b/src/NuGetGallery/Areas/Admin/Views/Lucene/Index.cshtml
index 5ab934c113..5314304538 100644
--- a/src/NuGetGallery/Areas/Admin/Views/Lucene/Index.cshtml
+++ b/src/NuGetGallery/Areas/Admin/Views/Lucene/Index.cshtml
@@ -31,10 +31,11 @@ else
}
-@if(Model.IsLocal)
+@if (Model.IsLocal)
{
using (Html.BeginForm("Rebuild", "Lucene"))
{
+ @Html.AntiForgeryToken()