
Xor CSRF token #6798

Merged (2 commits) Oct 9, 2024

Conversation

@JohnNiang (Member) commented Oct 9, 2024

What type of PR is this?

/kind improvement
/area core
/milestone 2.20.x

What this PR does / why we need it:

This PR applies an XOR operation to the CSRF token and changes the CSRF cookie's HttpOnly attribute to true to forbid JavaScript from accessing the cookie.

See https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#csrf-token-request-handler-breach for more details.

Special notes for your reviewer:

```
$ http http://localhost:8090/login -ph

HTTP/1.1 200 OK
set-cookie: XSRF-TOKEN=6d5dd83f-f0a7-4d94-a33e-73f213d679ff; Path=/; HTTPOnly

$ http http://localhost:8090/login -pb | grep _csrf

><input type="hidden" name="_csrf" value="ctubmrEC3dAbxC5H_k_-VnVUtih2BrfjcPfLmVAyaP0a1kAdEb-t_IcwuLM29B11yGLKNRQxm0lFZILOFZX-_GcHWJ974iR5"/>
```

Does this PR introduce a user-facing change?

None
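An added illustration of the masking scheme the linked Spring Security page describes, written for this page in Python (it is not Halo's or Spring Security's own code; the function names are hypothetical and the sample raw token is the cookie value from the session above). Each response gets fresh random bytes, so the value embedded in the HTML differs every time while the cookie token stays constant, which is what denies a compression-oracle (BREACH) attack a stable secret to guess:

```python
import base64
import binascii
import secrets
from typing import Optional


def mask_csrf_token(raw_token: str) -> str:
    """Return random_bytes || (random_bytes XOR token_bytes), base64url-encoded.

    Fresh random bytes of the token's length are drawn on every call, so the
    same raw token yields a different masked value per response.
    """
    token_bytes = raw_token.encode("utf-8")
    random_bytes = secrets.token_bytes(len(token_bytes))
    xored = bytes(r ^ t for r, t in zip(random_bytes, token_bytes))
    return base64.urlsafe_b64encode(random_bytes + xored).decode("ascii")


def unmask_csrf_token(masked_token: str, token_len: int) -> Optional[str]:
    """Recover the raw token; None if the submitted value is malformed."""
    try:
        data = base64.urlsafe_b64decode(masked_token)
    except (binascii.Error, ValueError):
        return None
    if len(data) != 2 * token_len:  # must be exactly random half + xored half
        return None
    random_bytes, xored = data[:token_len], data[token_len:]
    try:
        return bytes(r ^ x for r, x in zip(random_bytes, xored)).decode("utf-8")
    except UnicodeDecodeError:
        return None


def csrf_request_is_valid(cookie_token: str, submitted_token: str) -> bool:
    """Server-side check: unmask the form value and compare it to the cookie.

    compare_digest keeps the comparison constant-time so a mismatch does not
    leak which prefix of the token was right.
    """
    unmasked = unmask_csrf_token(submitted_token, len(cookie_token.encode("utf-8")))
    if unmasked is None:
        return False
    return secrets.compare_digest(unmasked.encode("utf-8"), cookie_token.encode("utf-8"))


if __name__ == "__main__":
    # Sample raw token: the XSRF-TOKEN cookie value shown in the PR description.
    raw = "6d5dd83f-f0a7-4d94-a33e-73f213d679ff"
    first, second = mask_csrf_token(raw), mask_csrf_token(raw)
    print(first != second, csrf_request_is_valid(raw, first), csrf_request_is_valid(raw, second))
```

The masked value for a 36-character UUID token is 72 bytes, i.e. 96 base64url characters, the same length as the hidden-field value captured above.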

@f2c-ci-robot f2c-ci-robot bot added release-note-none Denotes a PR that doesn't merit a release note. kind/improvement Categorizes issue or PR as related to a improvement. labels Oct 9, 2024
@f2c-ci-robot f2c-ci-robot bot added this to the 2.20.x milestone Oct 9, 2024
@f2c-ci-robot f2c-ci-robot bot added the area/core Issues or PRs related to the Halo Core label Oct 9, 2024
@f2c-ci-robot f2c-ci-robot bot requested review from LIlGG and ruibaby October 9, 2024 03:51
Signed-off-by: JohnNiang <[email protected]>
codecov bot commented Oct 9, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 57.06%. Comparing base (5df755d) to head (137107b).
Report is 3 commits behind head on main.

```
@@            Coverage Diff            @@
##               main    #6798   +/-   ##
=========================================
  Coverage     57.06%   57.06%           
  Complexity     3980     3980           
=========================================
  Files           710      710           
  Lines         23972    23972           
  Branches       1569     1569           
=========================================
  Hits          13680    13680           
  Misses         9680     9680           
  Partials        612      612           
```


@ruibaby (Member) left a comment

/lgtm

@f2c-ci-robot f2c-ci-robot bot added the lgtm Indicates that a PR is ready to be merged. label Oct 9, 2024
@f2c-ci-robot f2c-ci-robot bot removed the lgtm Indicates that a PR is ready to be merged. label Oct 9, 2024
sonarcloud bot commented Oct 9, 2024

@guqing (Member) left a comment

/lgtm

@f2c-ci-robot f2c-ci-robot bot added the lgtm Indicates that a PR is ready to be merged. label Oct 9, 2024
f2c-ci-robot bot commented Oct 9, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: guqing


@f2c-ci-robot f2c-ci-robot bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 9, 2024
@f2c-ci-robot f2c-ci-robot bot merged commit 5c50779 into halo-dev:main Oct 9, 2024
8 checks passed
@ruibaby ruibaby modified the milestones: 2.20.x, 2.20.0 LTS Oct 10, 2024