Add AntiForgery tokens to some actions that were missing them #4490

Merged
merged 4 commits into from
Aug 2, 2017
7 changes: 7 additions & 0 deletions src/NuGetGallery/App_Code/ViewHelpers.cshtml
Expand Up @@ -311,3 +311,10 @@ var hlp = new AccordionHelper(name, formModelStatePrefix, expanded, page);
}
</li>
}

@helper AjaxAntiForgeryToken(System.Web.Mvc.HtmlHelper html)
{
<form id="AntiForgeryForm">
@html.AntiForgeryToken()
</form>
}
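Review bot: The new AjaxAntiForgeryToken helper carries no comment stating its contract, which is that it emits a `<form>` with the fixed id `AntiForgeryForm` that `addAjaxAntiForgeryToken` in nugetgallery.js queries for the hidden `__RequestVerificationToken` field. A Razor comment above the helper such as `@* Emits the hidden __RequestVerificationToken inside #AntiForgeryForm, the element addAjaxAntiForgeryToken (nugetgallery.js) reads; call once per page. *@` would make that explicit for the next view author. Rendering it twice on one page would duplicate the id, and jQuery's id selector would then only ever see the first form.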
Expand Up @@ -55,6 +55,7 @@ private async Task<LuceneInfoModel> GetLuceneInfo()
}

[HttpPost]
[ValidateAntiForgeryToken]
public virtual Task<ActionResult> Rebuild()
{
IndexingService.UpdateIndex(forceRefresh: true);
Expand Up @@ -71,6 +71,7 @@ public virtual JsonResult Search(string query)
}

[HttpPost]
[ValidateAntiForgeryToken]
public async Task<JsonResult> Update(List<string> subscriptionsJson)
{
var subscribeRequests = subscriptionsJson?.Select(JsonConvert.DeserializeObject<JObject>)
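Review bot: `Update(List<string> subscriptionsJson)` may no longer receive its argument once the client in SecurityPolicy/Index.cshtml (same PR) stops sending a JSON body and posts `addAjaxAntiForgeryToken({ subscriptionsJson: subscriptions })` form-encoded: if `subscriptions` is a JavaScript array, jQuery's default (non-traditional) serialization emits `subscriptionsJson[]=…` pairs, a key shape the MVC default model binder does not map onto a `List<string>` parameter, so it would bind to null and `subscriptionsJson?.Select(...)` on the following line would silently yield nothing. Adding `traditional: true` to that `$.ajax` call makes jQuery emit repeated `subscriptionsJson=…` pairs, which do bind. I cannot see how `subscriptions` is built from these hunks, so this is worth confirming with a captured request; Update's body continues past the hunk.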
Expand Up @@ -54,6 +54,7 @@ public ActionResult GetAdmins()
}

[HttpPost]
[ValidateAntiForgeryToken]
public async Task<ActionResult> DisableAdmin(int key)
{
try
Expand All @@ -69,6 +70,7 @@ public async Task<ActionResult> DisableAdmin(int key)
}

[HttpPost]
[ValidateAntiForgeryToken]
public async Task<ActionResult> EnableAdmin(int key)
{
try
Expand All @@ -84,6 +86,7 @@ public async Task<ActionResult> EnableAdmin(int key)
}

[HttpPost]
[ValidateAntiForgeryToken]
public async Task<ActionResult> AddAdmin(string galleryUsername, string pagerDutyUsername)
{
try
Expand All @@ -99,6 +102,7 @@ public async Task<ActionResult> AddAdmin(string galleryUsername, string pagerDut
}

[HttpPost]
[ValidateAntiForgeryToken]
public async Task<ActionResult> UpdateAdmin(int key, string galleryUsername, string pagerDutyUsername)
{
try
Expand All @@ -114,6 +118,7 @@ public async Task<ActionResult> UpdateAdmin(int key, string galleryUsername, str
}

[HttpPost]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Save(int issueKey, int? assignedToId, int issueStatusId, string comment)
{
try
3 changes: 2 additions & 1 deletion src/NuGetGallery/Areas/Admin/Views/Lucene/Index.cshtml
Expand Up @@ -31,10 +31,11 @@ else
</p>
}

@if(Model.IsLocal)
@if (Model.IsLocal)
{
using (Html.BeginForm("Rebuild", "Lucene"))
{
@Html.AntiForgeryToken()
<fieldset class="form">
<input type="submit" value="Rebuild Now" />
<p>NOTE: This will only affect the current instance!</p>
Expand Up @@ -4,6 +4,8 @@
ViewBag.Title = "Security Policies";
}

@ViewHelpers.AjaxAntiForgeryToken(Html)

<section>
<article id="stage">

Expand Down Expand Up @@ -68,7 +70,7 @@
@section BottomScripts {
<script src="@Url.Content("~/Scripts/knockout-2.2.1.js")"></script>
<script>
$(document).ready(function() {
$(document).ready(function () {
var viewModel = function () {
var $self = this;

Expand All @@ -89,8 +91,7 @@
cache: false,
dataType: 'json',
type: 'POST',
data: JSON.stringify(subscriptions),
contentType: 'application/json; charset=utf-8',
data: addAjaxAntiForgeryToken({ subscriptionsJson: subscriptions }),
success: function (data) {
$self.changeTracker(false);
$self.message("Security policies updated!");
25 changes: 11 additions & 14 deletions src/NuGetGallery/Areas/Admin/Views/SupportRequest/Admins.cshtml
Expand Up @@ -10,11 +10,12 @@
@Styles.Render("~/Content/supportrequests")
}

@ViewHelpers.AjaxAntiForgeryToken(Html)

<section>
<article id="supportrequests">
<div style="display: none;" id="addAdmin-dialog">
<form id="addAdmin-form">
@Html.AntiForgeryToken()
<fieldset class="form">
<legend>Add</legend>

Expand All @@ -39,7 +40,6 @@

<div style="display: none;" id="editAdmin-dialog">
<form id="editAdmin-form">
@Html.AntiForgeryToken()
<fieldset class="form">
<legend>Edit</legend>

Expand Down Expand Up @@ -122,18 +122,17 @@

this.createAdmin = function (success, error) {
var url = '@Url.Action("AddAdmin")';
var model = JSON.stringify({
var model = {
galleryUsername: $self.newGalleryUsername(),
pagerDutyUsername: $self.newPagerDutyUsername()
});
};

$.ajax({
url: url,
type: 'POST',
cache: false,
dataType: 'json',
contentType: 'application/json; charset=utf-8',
data: model,
data: addAjaxAntiForgeryToken(model),
success: success
})
.error(error);
Expand All @@ -148,19 +147,18 @@

this.updateAdmin = function (success, error) {
var url = '@Url.Action("UpdateAdmin")';
var model = JSON.stringify({
var model = {
key: $self.admin.Key,
galleryUsername: $self.editGalleryUsername,
pagerDutyUsername: $self.editPagerDutyUsername
});
};

$.ajax({
url: url,
type: 'POST',
cache: false,
dataType: 'json',
contentType: 'application/json; charset=utf-8',
data: model,
data: addAjaxAntiForgeryToken(model),
success: success
})
.error(error);
Expand Down Expand Up @@ -204,9 +202,9 @@

this.toggleAdminAccess = function (data) {
var confirmationText, url;
var model = JSON.stringify({
var model = {
key: data.Key
});
};

if (data.AccessDisabled !== false) {
confirmationText = 'Are you sure you want to enable access for ' + data.GalleryUsername + '?';
Expand All @@ -222,8 +220,7 @@
type: 'POST',
cache: false,
dataType: 'json',
contentType: 'application/json; charset=utf-8',
data: model,
data: addAjaxAntiForgeryToken(model),
success: function () {
$self.refresh();
}
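Review bot: The `updateAdmin` model built in this section reads `$self.editGalleryUsername` and `$self.editPagerDutyUsername` without calling them, while `createAdmin` right above it calls `$self.newGalleryUsername()`; switching from `JSON.stringify` to jQuery's form encoding changes what those uncalled properties mean, because `JSON.stringify` drops function-valued properties whereas `jQuery.param` invokes them and sends the return value. If those are knockout observables, UpdateAdmin therefore receives values it did not receive before, which may be the intended fix but is not mentioned in the PR; either way, normalizing to `galleryUsername: $self.editGalleryUsername(),` and `pagerDutyUsername: $self.editPagerDutyUsername()` makes the intent explicit. The same uncalled-property pattern appears in `updateSupportRequest` in supportrequests.js (`assignedToId`, `issueStatusId`) in this PR.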
Expand Up @@ -10,6 +10,8 @@
@Styles.Render("~/Content/supportrequests")
}

@ViewHelpers.AjaxAntiForgeryToken(Html)

<section>
<article id="supportrequests">
<div id="sr-nav-menu">
Expand Down Expand Up @@ -50,7 +52,6 @@

<div style="display: none;" id="editSupportRequest-dialog">
<form id="editSupportRequest-form">
@Html.AntiForgeryToken()
<fieldset class="form">
<legend>Edit</legend>

3 changes: 3 additions & 0 deletions src/NuGetGallery/Controllers/CuratedPackagesController.cs
Expand Up @@ -46,6 +46,7 @@ public virtual ActionResult GetCreateCuratedPackageForm(string curatedFeedName)

[ActionName("CuratedPackage")]
[HttpDelete]
[ValidateAntiForgeryToken]
public virtual async Task<ActionResult> DeleteCuratedPackage(
string curatedFeedName,
string curatedPackageId)
Expand Down Expand Up @@ -76,6 +77,7 @@ await CuratedFeedService.DeleteCuratedPackageAsync(

[ActionName("CuratedPackage")]
[AcceptVerbs("patch")]
[ValidateAntiForgeryToken]
public virtual async Task<ActionResult> PatchCuratedPackage(
string curatedFeedName,
string curatedPackageId,
Expand Down Expand Up @@ -113,6 +115,7 @@ await CuratedFeedService.ModifyCuratedPackageAsync(

[ActionName("CuratedPackages")]
[HttpPost]
[ValidateAntiForgeryToken]
public virtual async Task<ActionResult> PostCuratedPackages(
string curatedFeedName,
CreateCuratedPackageRequest request)
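Review bot: DeleteCuratedPackage and PatchCuratedPackage are the only non-POST actions in this PR gaining `[ValidateAntiForgeryToken]`, and as far as I know the MVC filter reads the token from the form collection together with the cookie, so the DELETE and PATCH calls in CuratedFeed.cshtml succeed only because jQuery sends `data` as a form-encoded body for every verb except GET and HEAD. That coupling is invisible from the controller; a short comment above each attribute, e.g. `// Token is read from the form-encoded body; callers must send it there, not in the query string or a JSON body.`, would keep a later client change from turning these actions into HttpAntiForgeryException failures. Both method bodies continue past their hunks.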
2 changes: 2 additions & 0 deletions src/NuGetGallery/Controllers/UsersController.cs
Expand Up @@ -364,6 +364,7 @@ public virtual ActionResult Profiles(string username, int page = 1, bool showAll

[HttpPost]
[Authorize]
[ValidateAntiForgeryToken]
public virtual async Task<ActionResult> ChangeEmail(AccountViewModel model)
{
if (!ModelState.IsValidField("ChangeEmail.NewEmail"))
Expand Down Expand Up @@ -424,6 +425,7 @@ public virtual async Task<ActionResult> ChangeEmail(AccountViewModel model)

[HttpPost]
[Authorize]
[ValidateAntiForgeryToken]
public virtual async Task<ActionResult> CancelChangeEmail(AccountViewModel model)
{
var user = GetCurrentUser();
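Review bot: ChangeEmail and CancelChangeEmail now reject any POST without a token, yet no Account view is touched in this PR, so the forms posting to them must already render `@Html.AntiForgeryToken()`, otherwise both actions fail with HttpAntiForgeryException after this change. I cannot see those views from the diff, so please confirm, ideally with a controller test that posts without the token and asserts rejection, which would also cover the other actions gaining the attribute here. Both method bodies continue past their hunks.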
8 changes: 8 additions & 0 deletions src/NuGetGallery/Scripts/nugetgallery.js
@@ -1,5 +1,13 @@
// Global utility script for NuGetGallery
/// <reference path="jquery-1.11.0.js" />

// Shared function for adding an anti-forgery token defined by ViewHelpers.AjaxAntiForgeryToken to an ajax request
function addAjaxAntiForgeryToken(data) {
var $field = $("#AntiForgeryForm input[name=__RequestVerificationToken]");
data["__RequestVerificationToken"] = $field.val();
return data;
}

(function (window, $, undefined) {
$(function () {
// Export an object with global config data
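Review bot: `addAjaxAntiForgeryToken` degrades silently when a view forgot `@ViewHelpers.AjaxAntiForgeryToken(Html)`: `$field.val()` on an empty jQuery set is `undefined`, so the request goes out without a usable token and the mistake only surfaces as a server-side rejection. Failing fast before the assignment, `if (!$field.length) { throw new Error("AntiForgeryForm not found; add @ViewHelpers.AjaxAntiForgeryToken(Html) to the view"); }`, turns it into an immediate client error during development. The one-line comment above the function should also say that `data` is mutated in place and returned and that the page must render the helper before any script calls this, since the function replaces the view-local copy removed from ManagePackageOwners.cshtml and is now relied on by several views and supportrequests.js.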
7 changes: 3 additions & 4 deletions src/NuGetGallery/Scripts/supportrequests.js
Expand Up @@ -16,20 +16,19 @@ function EditViewModel(editUrl) {
this.issueStatusChoices = ko.observableArray();

this.updateSupportRequest = function (success, error) {
var model = JSON.stringify({
var model = {
issueKey: $self.issue.Key,
assignedToId: $self.editAssignedToId,
issueStatusId: $self.editIssueStatusId,
comment: $self.editIssueComment()
});
};

$.ajax({
url: editUrl,
type: 'POST',
cache: false,
dataType: 'json',
contentType: 'application/json; charset=utf-8',
data: model,
data: addAjaxAntiForgeryToken(model),
success: success
})
.error(error);
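Review bot: `updateSupportRequest` now calls `addAjaxAntiForgeryToken`, a global defined in nugetgallery.js, but nothing in this file records that dependency or that nugetgallery.js must be loaded first; I cannot see the bundle order from the diff. Adding `/// <reference path="nugetgallery.js" />` at the top of the file, matching the reference style nugetgallery.js itself uses for jQuery, documents the requirement for editors and reviewers. The enclosing EditViewModel starts and ends outside the hunk.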
11 changes: 8 additions & 3 deletions src/NuGetGallery/Views/CuratedFeeds/CuratedFeed.cshtml
Expand Up @@ -2,14 +2,19 @@
@{
ViewBag.Title = "Curated Feed: " + Model.Name;
}

@ViewHelpers.AjaxAntiForgeryToken(Html)

@section BottomScripts {
<script>
var urlFormat = "@Url.RouteUrl(RouteName.CuratedPackage, new { curatedFeedName = Model.Name, curatedPackageId = "PACKAGE_ID" })";

function deleteCuratedPackage(packageId) {
$.ajax({
type: 'delete',
url: urlFormat.replace("PACKAGE_ID", packageId)
url: urlFormat.replace("PACKAGE_ID", packageId),
dataType: 'json',
data: addAjaxAntiForgeryToken({})
})
.error(function(jqXhr, textStatus, errorThrown) {
alert("Error: " + errorThrown);
Expand All @@ -23,7 +28,7 @@
$.ajax({
type: 'patch',
url: urlFormat.replace("PACKAGE_ID", packageId),
data: { included: included },
data: addAjaxAntiForgeryToken({ included: included }),
dataType: 'json'
})
.error(function(jqXhr, textStatus, errorThrown) {
14 changes: 3 additions & 11 deletions src/NuGetGallery/Views/Packages/ManagePackageOwners.cshtml
Expand Up @@ -3,9 +3,7 @@
ViewBag.Tab = "Packages";
}

<form id="AntiForgeryForm">
@Html.AntiForgeryToken()
</form>
@ViewHelpers.AjaxAntiForgeryToken(Html)

<h1 class="page-heading">Manage Owners for Package "@Model.Title.Abbreviate(50)"</h1>

Expand Down Expand Up @@ -66,12 +64,6 @@
alert('An unexpected error occurred! "' + errorThrown + '"');
};

var addAntiForgeryToken = function (data) {
var $field = $("#AntiForgeryForm input[name=__RequestVerificationToken]");
data["__RequestVerificationToken"] = $field.val();
return data;
}

var viewModel = {
package: { id: '@Model.Id' },
owners: ko.observableArray([]),
Expand Down Expand Up @@ -145,7 +137,7 @@
dataType: 'json',
type: 'POST',
dataType: 'json',
data: addAntiForgeryToken(ownerInputModel),
data: addAjaxAntiForgeryToken(ownerInputModel),
success: function (data) {
if (data.success) {
var newOwner = new Owner(data.name, /* pending */ true, data.current);
Expand Down Expand Up @@ -182,7 +174,7 @@
dataType: 'json',
type: 'POST',
dataType: 'json',
data: addAntiForgeryToken({}),
data: addAjaxAntiForgeryToken({}),
success: function (data) {
if (data.success) {
if (item.current) {
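Review bot: Both `$.ajax` option objects that gain `data: addAjaxAntiForgeryToken(...)` list `dataType: 'json'` twice, once before `type: 'POST'` and once after; in an object literal the later entry silently wins, so the duplicate is harmless but misleading and worth dropping while these lines are being touched. The inline script also now depends on nugetgallery.js having defined `addAjaxAntiForgeryToken` before this view's script block runs, which the removed view-local copy did not; I cannot see the script include order from the diff. The surrounding view model definition starts and ends outside the hunks.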