Disable serving Internet Explorer by default #101

forgedhallpass · forgedhallpass · commit a2179c157012 · 2022-05-16T17:00:58.000+03:00
* Applied the User-Agent check to the JavaScriptServlet as well (although if the CsrfGuardFilter is correctly configured against the web root, it should not be needed)
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuardFilter.java b/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuardFilter.java
@@ -64,12 +64,7 @@ public void doFilter(final ServletRequest request, final ServletResponse respons
                 final HttpServletRequest httpServletRequest = (HttpServletRequest) request;
                 final HttpServletResponse httpServletResponse = (HttpServletResponse) response;
 
-                final String[] bannedUserAgentProperties = csrfGuard.getBannedUserAgentProperties().toArray(new String[0]);
-                final String userAgent = httpServletRequest.getHeader("User-Agent");
-                if (bannedUserAgentProperties.length > 0 && StringUtils.containsAnyIgnoreCase(userAgent, bannedUserAgentProperties)) {
-                    LOGGER.warn("HTTP request with forbidden User-Agent: '{}'", userAgent);
-                    httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden HTTP Client!");
-                } else {
+                if (CsrfGuardUtils.isPermittedUserAgent(httpServletRequest, httpServletResponse, csrfGuard)) {
                     doFilter(httpServletRequest, httpServletResponse, filterChain, csrfGuard);
                 }
             } else {
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/servlet/JavaScriptServlet.java b/csrfguard/src/main/java/org/owasp/csrfguard/servlet/JavaScriptServlet.java
@@ -50,11 +50,7 @@
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.nio.charset.Charset;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Objects;
-import java.util.Set;
+import java.util.*;
 import java.util.function.BiFunction;
 import java.util.regex.Pattern;
 
@@ -99,7 +95,7 @@ public final class JavaScriptServlet extends HttpServlet {
     private static final String TOKENS_PER_PAGE_IDENTIFIER = "'%TOKENS_PER_PAGE%'";
 
     private static final String ASYNC_XHR = "'%ASYNC_XHR%'";
-    
+
     private static final Map<String, BiFunction<CsrfGuard, HttpServletRequest, String>> JS_REPLACEMENT_MAP = new HashMap<>();
 
     static {
@@ -121,7 +117,6 @@ public final class JavaScriptServlet extends HttpServlet {
         JS_REPLACEMENT_MAP.put(DOMAIN_STRICT_IDENTIFIER, (csrfGuard, request) -> Boolean.toString(csrfGuard.isJavascriptDomainStrict()));
         JS_REPLACEMENT_MAP.put(ASYNC_XHR, (csrfGuard, request) -> Boolean.toString(!csrfGuard.isForceSynchronousAjax()));
     }
-            
 
     /* MIME Type constants */
     private static final String JSON_MIME_TYPE = "application/json";
@@ -157,16 +152,17 @@ public void init(final ServletConfig theServletConfig) {
         csrfGuard.initializeJavaScriptConfiguration();
 
         // print again since it might change based on servlet config of javascript servlet
-        CsrfGuardServletContextListener.printConfigIfConfigured(servletConfig.getServletContext(),
-                                                                "Printing properties after JavaScript servlet, note, the javascript properties have now been initialized: ");
+        CsrfGuardServletContextListener.printConfigIfConfigured(servletConfig.getServletContext(), "Printing properties after JavaScript servlet, note, the javascript properties have now been initialized: ");
     }
 
     @Override
     public void doGet(final HttpServletRequest request, final HttpServletResponse response) throws IOException {
         final CsrfGuard csrfGuard = CsrfGuard.getInstance();
 
         if (csrfGuard.isEnabled()) {
-            writeJavaScript(csrfGuard, request, response);
+            if (CsrfGuardUtils.isPermittedUserAgent(request, response, csrfGuard)) {
+                writeJavaScript(csrfGuard, request, response);
+            }
         } else {
             response.setContentType(JAVASCRIPT_MIME_TYPE);
             final String javaScriptCode = "console.log('CSRFGuard is disabled');";
@@ -178,22 +174,24 @@ public void doGet(final HttpServletRequest request, final HttpServletResponse re
     public void doPost(final HttpServletRequest request, final HttpServletResponse response) throws IOException {
         final CsrfGuard csrfGuard = CsrfGuard.getInstance();
 
-        if (new CsrfValidator().isValid(request, response)) {
-            if (csrfGuard.isTokenPerPageEnabled()) {
-                // TODO pass the logical session downstream, see whether the null check can be done from here
-                final LogicalSession logicalSession = csrfGuard.getLogicalSessionExtractor().extract(request);
-                if (Objects.isNull(logicalSession)) {
-                    response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Could not create a logical session from the current request.");
+        if (CsrfGuardUtils.isPermittedUserAgent(request, response, csrfGuard)) {
+            if (new CsrfValidator().isValid(request, response)) {
+                if (csrfGuard.isTokenPerPageEnabled()) {
+                    // TODO pass the logical session downstream, see whether the null check can be done from here
+                    final LogicalSession logicalSession = csrfGuard.getLogicalSessionExtractor().extract(request);
+                    if (Objects.isNull(logicalSession)) {
+                        response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Could not create a logical session from the current request.");
+                    } else {
+                        final Map<String, String> pageTokens = csrfGuard.getTokenService().getPageTokens(logicalSession.getKey());
+                        final TokenTO tokenTO = new TokenTO(pageTokens);
+                        writeTokens(response, tokenTO);
+                    }
                 } else {
-                    final Map<String, String> pageTokens = csrfGuard.getTokenService().getPageTokens(logicalSession.getKey());
-                    final TokenTO tokenTO = new TokenTO(pageTokens);
-                    writeTokens(response, tokenTO);
+                    response.sendError(HttpServletResponse.SC_BAD_REQUEST, "This endpoint should not be invoked if the Token-Per-Page functionality is disabled!");
                 }
             } else {
-                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "This endpoint should not be invoked if the Token-Per-Page functionality is disabled!");
+                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Master token missing from the request.");
             }
-        } else {
-            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Master token missing from the request.");
         }
     }
 
@@ -220,11 +218,11 @@ private static void writeJavaScript(final HttpServletRequest request, final Http
         }
 
         response.setContentType(JAVASCRIPT_MIME_TYPE);
-        
+
         final String[] replacementList = JS_REPLACEMENT_MAP.values().stream().map(v -> v.apply(csrfGuard, request)).toArray(String[]::new);
 
         final String code = StringUtils.replaceEach(csrfGuard.getJavascriptTemplateCode(), JS_REPLACEMENT_MAP.keySet().toArray(new String[0]), replacementList);
-        
+
         response.getWriter().write(code);
     }
 
@@ -270,12 +268,12 @@ private void writeJavaScript(final CsrfGuard csrfGuard, final HttpServletRequest
                 }
             }
         } else {
-           if (!javaScriptReferer.equals(JavaScriptConfigParameters.DEFAULT_REFERER_PATTERN)) {
-               LOGGER.error("Missing referer headers are not accepted if a non-default referer pattern '{}' is configured!", javaScriptReferer);
+            if (!javaScriptReferer.equals(JavaScriptConfigParameters.DEFAULT_REFERER_PATTERN)) {
+                LOGGER.error("Missing referer headers are not accepted if a non-default referer pattern '{}' is configured!", javaScriptReferer);
 
-               response.sendError(HttpServletResponse.SC_FORBIDDEN);
-               return;
-           }
+                response.sendError(HttpServletResponse.SC_FORBIDDEN);
+                return;
+            }
         }
 
         // save this path so javascript is whitelisted
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/util/CsrfGuardUtils.java b/csrfguard/src/main/java/org/owasp/csrfguard/util/CsrfGuardUtils.java
@@ -34,6 +34,8 @@
 import org.owasp.csrfguard.CsrfGuard;
 import org.owasp.csrfguard.config.overlay.ConfigPropertiesCascadeCommonUtils;
 import org.owasp.csrfguard.token.transferobject.TokenTO;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -51,6 +53,8 @@
  */
 public final class CsrfGuardUtils {
 
+    private static final Logger LOGGER = LoggerFactory.getLogger(CsrfGuardUtils.class.getName());
+
     private CsrfGuardUtils() {}
 
     /**
@@ -146,6 +150,21 @@ public static String readInputStreamContent(final InputStream inputStream) {
         }
     }
 
+    public static boolean isPermittedUserAgent(HttpServletRequest request, HttpServletResponse response, CsrfGuard csrfGuard) throws IOException {
+        final boolean result;
+
+        final String[] bannedUserAgentProperties = csrfGuard.getBannedUserAgentProperties().toArray(new String[0]);
+        final String userAgent = request.getHeader("User-Agent");
+        if (bannedUserAgentProperties.length > 0 && StringUtils.containsAnyIgnoreCase(userAgent, bannedUserAgentProperties)) {
+            LOGGER.warn("HTTP request with forbidden User-Agent: '{}'", userAgent);
+            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden HTTP Client!");
+            result = false;
+        } else {
+            result = true;
+        }
+        return result;
+    }
+
     /**
      * for a url, get the protocol and domain, e.g. for url https://a.b/path, will return https://a.b
      *
