Grouper / GRP-5275

Import config copy/paste not working due to missing CSRF header


Details

    • Bug
    • Resolution: Invalid
    • Minor
    • None
    • None
    • UI
    • None

    Description

      Importing configs by pasting the contents and clicking submit: no change in the page. The Grouper log shows:

       

      grouper_1   | grouper;grouper_error.log;dev;nothing;2024-01-22T00:29:29,780: [http-nio-0.0.0.0-8080-exec-2] ERROR JavaScriptServlet.writeJavaScript(267) - [] - Referer domain 'http://localhost:8080/grouper/grouperUi/app/UiV2Main.index?operation=UiV2Main.indexMain' does not match request domain: 'https://localhost:8080/grouper/grouperExternal/public/OwaspJavaScriptServlet'
      grouper_1   | grouper;grouper_error.log;dev;nothing;2024-01-22T00:29:52,281: [http-nio-0.0.0.0-8080-exec-10] ERROR Log.execute(73) - [] - potential cross-site request forgery (CSRF) attack thwarted (user:GrouperSystem, ip:192.168.144.1, method:POST, uri:/grouper/grouperUi/app/UiV2Configure.configurationFileImportSubmit, error:Required Token is missing from the Request)
      

      Config import works in 4.10.1 and is broken in 4.10.2.

      This is a demo container running on 8080, so the issue may be related to that. These are the startup environment vars:

        grouper:
          image: "i2incommon/grouper:4.10.2"
          restart: always
          ports:
            - 80:80
            - 443:443
            - 8080:8080
            - 8443:8443
            - 8000:5005
          command:
            - quickstart
          environment:
            - GROUPERSYSTEM_QUICKSTART_PASS=pass
            - GROUPER_RUN_APACHE=false
            - GROUPER_RUN_TOMCAT_NOT_SUPERVISOR=true
            - GROUPER_RUN_SHIB_SP=false
            - GROUPER_MORPHSTRING_ENCRYPT_KEY=abcd1234
            - GROUPER_DATABASE_PASSWORD=pass
            - GROUPER_DATABASE_USERNAME=postgres
            - GROUPER_DATABASE_URL=jdbc:postgresql://postgres:5432/postgres
            - GROUPER_AUTO_DDL_UPTOVERSION=4.*.*
          volumes:
            - ./grouper-files-common/grouper-loader.properties:/opt/grouper/slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/grouper-loader.properties
            - ./grouper-files-common/subject.properties:/opt/grouper/slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/subject.properties
      

      I do see that in 4.10.2 the GROUPER_HTTP_CONNECTOR env sets a connector for 8080, but one which sets scheme="https". This may be the cause of the OWASP "does not match request domain" error.
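The following is an added example, not Grouper or OWASP CSRFGuard code, that models the two log conditions in the report: the origin comparison that fails when the servlet container reconstructs the request URL with the connector's configured scheme (https) while the browser's Referer says http, and the CSRF token check that then rejects the POST because no token was ever issued. The origin-comparison rule (scheme, host and port must all match) and the parameter name OWASP_CSRFTOKEN are assumptions made for illustration; the URLs are taken from the log lines above.

```python
"""Model of the referer/origin check and CSRF token check described in GRP-5275.

Added example; not the project's own code.  Assumes the referer check compares
scheme, host and port (the actual CSRFGuard rules may differ).
"""
import hmac
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumed token parameter name (CSRFGuard's default); not taken from the page.
TOKEN_PARAM = "OWASP_CSRFTOKEN"


def origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return parts.scheme, parts.hostname, port


def request_url(connector_scheme, host, port, path):
    """Reconstruct the request URL the way a servlet container does: the
    scheme comes from the connector's configuration, not from the wire."""
    return f"{connector_scheme}://{host}:{port}{path}"


def referer_matches_request(referer, req_url):
    """Assumed rule: Referer origin must equal the reconstructed request origin.

    With a connector that reports scheme="https" on port 8080, an http Referer
    fails here even though host and port are identical, which is the first
    error line in the report.
    """
    return origin(referer) == origin(req_url)


def check_csrf_token(session_token, request_params, method):
    """Reject state-changing requests that lack a valid token.

    Returns (accepted, reason).  Safe methods are not token-checked.
    """
    if method in ("GET", "HEAD", "OPTIONS"):
        return True, ""
    token = request_params.get(TOKEN_PARAM)
    if token is None:
        return False, "token missing"          # second error line in the report
    if not hmac.compare_digest(token, session_token):
        return False, "token mismatch"
    return True, ""


def simulate_import_submit(connector_scheme):
    """Walk through the reporter's hypothesis for a given connector scheme.

    1. The browser loads the UI page over http://localhost:8080 (the Referer).
    2. The page fetches the CSRFGuard JavaScript; the container reconstructs
       that request URL with the connector's scheme.
    3. Only if the script is served does the browser get a token to attach to
       the import POST; the POST is then token-checked.
    """
    referer = "http://localhost:8080/grouper/grouperUi/app/UiV2Main.index"
    js_req = request_url(connector_scheme, "localhost", 8080,
                         "/grouper/grouperExternal/public/OwaspJavaScriptServlet")
    js_served = referer_matches_request(referer, js_req)

    session_token = "constructed-session-token"   # constructed value
    params = {TOKEN_PARAM: session_token} if js_served else {}
    accepted, reason = check_csrf_token(session_token, params, "POST")
    return {"js_served": js_served, "post_accepted": accepted, "reason": reason}


if __name__ == "__main__":
    for scheme in ("https", "http"):
        print(f"connector scheme={scheme}: {simulate_import_submit(scheme)}")
```

Run with the connector scheme set to https to reproduce the failure chain from the log (script not served, POST rejected for a missing token), and with http to see the same flow succeed; the fix on a real deployment is to make the connector's scheme agree with how clients actually reach the port, not to loosen the token check.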

          People

            chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)
            chad.redman.3@at.internet2.edu Chad Redman