Proposal title

Date	2013/02/24
Contact(s)	Jose García, Heikki Doeleman
Last edited
Status	in progress
Assigned to release	To be determined
Resources	​https://github.com/josegar74/core-geonetwork/tree/csrf
Ticket #

Overview

Improve the security in GeoNetwork, adding support to CSRF tokens to prevent Cross-Site Request Forgery. Also fixes have been done in user request parameters accepted in main page to prevent XSS attacks.

Proposal Type

• Type: Core Change
• App: GeoNetwork
• Module: Jeeves, Services

Links

• Documents:
• Email discussions:
• Other wiki discussions:

Voting History

• Vote proposed by X on Y, result was +/-n (m non-voting members).

---

Motivations

Improve the security in GeoNetwork to prevent CSRF (Cross-site request forgery) attacks. This type of attacks force an end user to execute unwanted actions on a web application in which he/she is currently authenticated. See additional information in ​https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Additionally, improvements in main page have been done to prevent XSS attacks in user requests parameters.

Proposal

An effective way to prevent CSRF attacks it is to generate a random string (CSRF token) that is included in application forms. When the form is submitted, the CSRF token is send along the other form data, the server validates it before. approving the request for processing.

This way, prevents a malicious website from post a request even if have access to a valid session in a browser.

To implement this mechanism in GeoNetwork:

1) A new base service class for services that require CSRF (Cross Site Request Forgery) tokens: BaseSecureService

This class validates the CSRF token before processing the service:

• If it's not valid and exception ServiceNotAllowedEx is thrown.
• If it's valid, the service processing continues.

package jeeves.services;

public abstract class BaseSecureService implements Service {
    public final Element exec(Element params, ServiceContext context) throws Exception {
        if (!CSRFUtil.isValidToken(params, context)) {
            throw new ServiceNotAllowedEx("Service not allowed. CSRF Token is not valid");
        }

        return doExec(params, context);
    }

    /** Services that require CSRF tokens must implement doExec instead of exec **/
    protected abstract Element doExec(Element params, ServiceContext context) throws Exception;
}

Services that require CSRF tokens must extend this class and implement the logic in doExec method instead of exec method.

package org.fao.geonet.services.user;

public class Update extends BaseSecureService
{
        public Element doExec(Element params, ServiceContext context) throws Exception
	{
                // Service logic  
        }
}

Code: ​https://github.com/josegar74/core-geonetwork/blob/csrf/jeeves/src/main/java/jeeves/services/BaseSecureService.java

Example service requiring CSRF token: ​https://github.com/josegar74/core-geonetwork/blob/csrf/web/src/main/java/org/fao/geonet/services/user/Update.java

2) A new service to create/retrieve a CSRF token: secure.token. This service is used to provide the secure token in services that create forms (see next point) and can be used from scripts that use actual GeoNetwork services that have been changed to require CSRF tokens. For example, a script that call metadata.category to update the categories of metadata, will require to call first secure.token to get the token and use it in metadata.category calls.

CSRF tokens are created using SecureRandom java class.

Code: ​https://github.com/josegar74/core-geonetwork/blob/csrf/jeeves/src/main/java/jeeves/services/GetSecureToken.java, ​https://github.com/josegar74/core-geonetwork/blob/csrf/jeeves/src/main/java/jeeves/utils/CSRFUtil.java

3) Services that create forms to submit data to services that require CSRF tokens validation require to add this token in the form to submit. This requires 2 changes:

• Update service definition to provide the CSRF token:

<service name="user.edit">
	<class name=".services.user.Get" />

	<output sheet="user-update.xsl">
		<call name="groups" class=".guiservices.groups.GetMine" />
		<call name="groupsAndProfiles" class=".guiservices.groups.GetMineWithProfiles" />
		<call name="profiles" class="jeeves.guiservices.profiles.Get" />
		
		<call name="_tk" class="jeeves.services.GetSecureToken" />
	</output>
</service>

• Add the token value as a hidden field in the form:

<form name="userupdateform" accept-charset="UTF-8" action="{/root/gui/locService}/user.update?operation=editinfo" method="post">
        <input type="hidden" name="_tk" value="{/root/gui/_tk}"/>

Also as part of this work security improvements in main page user request parameters have been done to prevent XSS attacks: ​https://github.com/josegar74/core-geonetwork/commit/50f722f12c36e403ffa80724004e937db0ef2821

Useful resources:

• ​https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
• ​http://ricardozuasti.com/2012/preventing-csrf-in-java-web-apps

Backwards Compatibility Issues

User scripts using GeoNetwork services to update data will require to be updated to use secure.token to retrieve the CSRF token and use it in the services. See Proposal description (point 2) for more details. These changes don't affect interfaces like CSW.

UI WIdgets requires to be changed to use the CSRF token.

New libraries added

Risks

Participants

• Jose García
• Heikki Doeleman