CSRF Token

rekhaahir
Active Member

CSRF Token

Hello,

I get the CSRF token error "Possible CSRF attack noted when comparing token in session and request parameter" when multipart/form-data is passed as a parameter to send a file.

7 Replies
afaust
Master

Re: CSRF Token

Did you configure CSRF properly? Is the client you are using correctly setting the CSRF token in its POST requests?

rekhaahir
Active Member

Re: CSRF Token

Yes.

I have done the configuration on the Share side, and I also tried to send the token at the time of calling the webscript, but after getting the token it gives the same error.

Maybe some configuration is missing, so please guide me.

Moderator
Moderator

Re: CSRF Token

What request format are you using, what is the request URI, and what parameters are you sending?

What is your current CSRF configuration in the share-config-custom.xml file? Can you also share the full log?

Please share all the details so we can look at it.

rekhaahir
Active Member

Re: CSRF Token

<config evaluator="string-compare" condition="CSRFPolicy" replace="true">

    <!--
    Force creation of a Session when the filter matches a path - this should only be used when you are
    confident the filtered part of the web application is using an authentication mechanism that will avoid
    protected pages being accessed until the user is authenticated. Otherwise this would be a route to
    a Session fixation attack.
    -->
    <session>true</session>

    <!--
    Properties that may be used inside the rest of the CSRFPolicy config to avoid repetition but
    also making it possible to provide different values in different environments,
    i.e. different "Referer" & "Origin" properties for test & production etc.
    Reference a property using "{propertyName}".
    -->
    <properties>

        <!-- There is normally no need to override this property -->
        <token>alf-csrftoken</token>

        <!--
        Override and set this property with a regexp if you have placed Alfresco behind a proxy that
        does not rewrite the Referer header.
        -->
        <referer></referer>

        <!--
        Override and set this property with a regexp if you have placed Alfresco behind a proxy that
        does not rewrite the Origin header.
        -->
        <origin></origin>
    </properties>

    <!--
    Will be used and exposed to the client side code in Admin.CSRF.
    Use Admin.CSRF.getHeader() or Admin.CSRF.getParameter() with Admin.CSRF.getToken()
    to set the token in custom 3rd party code.
    -->
    <client>
        <cookie>{token}</cookie>
        <header>{token}</header>
        <parameter>{token}</parameter>
    </client>

    <!-- The first rule with a matching request will get its action invoked, the remaining rules will be ignored. -->
    <filter>

        <!-- Refresh token on each new page visit -->
        <rule>
            <request>
                <method>GET</method>
                <path>/service/enterprise/admin/.*</path>
            </request>
            <action name="generateToken">
                <param name="session">{token}</param>
                <param name="cookie">{token}</param>
            </action>
        </rule>
        <rule>
            <request>
                <method>GET</method>
                <path>/s/enterprise/admin/.*</path>
            </request>
            <action name="generateToken">
                <param name="session">{token}</param>
                <param name="cookie">{token}</param>
            </action>
        </rule>
        <rule>
            <request>
                <method>GET</method>
                <path>/service/admin/.*</path>
            </request>
            <action name="generateToken">
                <param name="session">{token}</param>
                <param name="cookie">{token}</param>
            </action>
        </rule>
        <rule>
            <request>
                <method>GET</method>
                <path>/s/admin/.*</path>
            </request>
            <action name="generateToken">
                <param name="session">{token}</param>
                <param name="cookie">{token}</param>
            </action>
        </rule>

        <!--
        Verify multipart requests contain the token as a parameter
        and also correct referer & origin header if available
        -->
        <rule>
            <request>
                <method>POST</method>
                <header name="Content-Type">multipart/.+</header>
            </request>
            <action name="assertToken">
                <param name="session">{token}</param>
                <param name="parameter">{token}</param>
            </action>
            <action name="assertReferer">
                <param name="referer">{referer}</param>
            </action>
            <action name="assertOrigin">
                <param name="origin">{origin}</param>
            </action>
        </rule>

        <!--
        Verify that all remaining state changing requests contain a token in the header and correct referer & origin headers
        if available. We "catch" all content types rather than just "application/json.*", since a webscript that doesn't
        require a JSON request body would otherwise be successfully executed using e.g. "text/plain".
        -->
        <!-- <rule>
            <request>
                <method>POST|PUT|DELETE</method>
            </request>
            <action name="assertToken">
                <param name="session">{token}</param>
                <param name="header">{token}</param>
            </action>
            <action name="assertReferer">
                <param name="referer">{referer}</param>
            </action>
            <action name="assertOrigin">
                <param name="origin">{origin}</param>
            </action>
        </rule> -->
    </filter>

</config>

This is my Share config. After this code, everywhere in the upload API the CSRF token is getting null, so I can't use the inbuilt upload functionality, and I also get the error in my custom upload API.

Please guide me.

rekhaahir
Active Member

Re: CSRF Token

function postForm(htmlBody, formTitle) {
    var xmlhttp = new XMLHttpRequest(); // new HttpRequest instance

    // Look the token cookie up by name instead of by position in document.cookie
    // (cookie order is not guaranteed). Share stores the token URL-encoded.
    var value = null;
    var cookiearray = document.cookie.split(';');
    for (var i = 0; i < cookiearray.length; i++) {
        var pair = cookiearray[i].trim().split('=');
        if (pair[0] === 'Alfresco-CSRFToken') {
            value = decodeURIComponent(pair.slice(1).join('='));
            break;
        }
    }
    alert(" and Value is : " + value);

    // var url = "/share/proxy/alfresco/save-form/save-form?Alfresco-CSRFToken=" + value;
    // Absolute path (context path /share assumed) so the call does not depend on the current page URL;
    // the token is re-encoded because it is placed in the query string.
    xmlhttp.open("POST", '/share/proxy/alfresco/save-form/save-form?Alfresco-CSRFToken=' + encodeURIComponent(value));
    xmlhttp.setRequestHeader("Content-Type", "application/json");
    xmlhttp.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
    // Register the handler before sending so no state change is missed
    xmlhttp.onreadystatechange = function () {
        if (xmlhttp.readyState > 3 && xmlhttp.status == 200) {
            alert(xmlhttp.responseText.trim());
        }
    };
    xmlhttp.send(JSON.stringify({ "htmlBody": htmlBody, "formTitle": formTitle }));
}

Code for calling...

Moderator
Moderator

Re: CSRF Token

Which version of Alfresco are you using? And can you point out the customizations you have done in the CSRF token handling in your share-config-custom file for the URIs you are trying to pass?

Moderator
Moderator

Re: CSRF Token

Instead of using this type of code, use the Alfresco standard JavaScript for calling any APIs. You are using typical JavaScript Ajax, which is why you may be getting the CSRF error.

Use Ajax something like this from your Share-side component:

var payload = {
    "htmlBody": htmlBody,
    "formTitle": formTitle
};

// Alfresco.util.Ajax.request adds the CSRF token header itself for state-changing
// requests, so the caller does not have to read the cookie.
Alfresco.util.Ajax.request({
    url: Alfresco.constants.PROXY_URI + "save-form/save-form",
    requestContentType: Alfresco.util.Ajax.JSON,
    responseContentType: Alfresco.util.Ajax.JSON,
    // Pass the object itself: with requestContentType JSON the helper serialises dataObj,
    // so a pre-stringified payload would be encoded twice.
    dataObj: payload,
    method: Alfresco.util.Ajax.POST,
    successCallback: {
        fn: function (res) {
            Alfresco.util.PopupManager.displayMessage({
                text: "Processing the request"
            });
        },
        scope: this
    },
    failureCallback: {
        fn: function (res) {
            Alfresco.util.PopupManager.displayMessage({
                text: "Unable to process the request"
            });
        },
        scope: this
    }
});
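
As an added example (not code from this thread or from Alfresco), the block below models the CSRFPolicy filter posted earlier as plain data and checks the two kinds of request discussed here against it: a multipart upload, which the posted config expects to carry the token as a request parameter, and a JSON POST, which the last (commented-out) rule expects to carry in a header. The token name "Alfresco-CSRFToken" and the cookie-reading approach come from the posted XMLHttpRequest code; makePolicy, evaluate, tokenFromCookie, jsonRequest and multipartRequest are hypothetical helpers, the rule semantics are a simplified assumption rather than Share's real CSRF filter, and the Referer/Origin checks are left out. The sample cookie and session token are constructed.

```javascript
// Added example, not code from the thread or from Alfresco: a data model of
// the posted CSRFPolicy <filter> and a client that satisfies it.  Rule
// semantics are a simplified assumption; Referer/Origin checks are omitted.

// Constructed sample inputs: a browser cookie string and the token the server
// kept in the session when the page was loaded (generateToken rule).
const SAMPLE_COOKIE = "JSESSIONID=ABC123; Alfresco-CSRFToken=tok%2Fabc";
const SAMPLE_SESSION_TOKEN = "tok/abc";

// Build the policy.  `tokenName` is the <token> property; the posted config
// sets "alf-csrftoken", while Share's own client code uses "Alfresco-CSRFToken".
// `headerRuleEnabled` corresponds to the last rule, which the post comments out.
function makePolicy(tokenName, headerRuleEnabled) {
  const rules = [
    {
      name: "multipart",
      method: /^POST$/,
      contentType: /^multipart\/.+/,
      assertToken: { source: "parameter", name: tokenName },
    },
  ];
  if (headerRuleEnabled) {
    rules.push({
      name: "state-changing",
      method: /^(POST|PUT|DELETE)$/,
      contentType: null, // any content type, as the config comment explains
      assertToken: { source: "header", name: tokenName },
    });
  }
  return { tokenName, rules };
}

// Read one cookie by name from a document.cookie-style string.  The token is
// stored URL-encoded, so it is decoded here (assumption about Share's cookie).
function tokenFromCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const [k, ...rest] = part.trim().split("=");
    if (k === name) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// Evaluate a request ({method, headers, params}) against the policy: the first
// rule whose method and Content-Type match decides, later rules are ignored.
function evaluate(policy, req, sessionToken) {
  const contentType = req.headers["Content-Type"] || "";
  for (const rule of policy.rules) {
    if (!rule.method.test(req.method)) continue;
    if (rule.contentType && !rule.contentType.test(contentType)) continue;
    const where = rule.assertToken.source;
    const sent = (where === "header" ? req.headers : req.params)[rule.assertToken.name];
    if (!sessionToken || !sent || sent !== sessionToken) {
      return {
        rule: rule.name,
        ok: false,
        reason: "Possible CSRF attack noted when comparing token in session and request " + where,
      };
    }
    return { rule: rule.name, ok: true };
  }
  return { rule: null, ok: true }; // no rule matched: the request is not checked at all
}

// Client side, JSON body: the token belongs in the header the policy names.
function jsonRequest(cookieString, tokenName, body) {
  const token = tokenFromCookie(cookieString, tokenName);
  return {
    method: "POST",
    headers: { "Content-Type": "application/json", [tokenName]: token },
    params: {},
    body: JSON.stringify(body),
  };
}

// Client side, file upload: the token must be a request parameter, e.g. appended
// to the upload URL as ?tokenName=<token>, since the multipart rule reads it there.
function multipartRequest(cookieString, tokenName, fields) {
  const token = tokenFromCookie(cookieString, tokenName);
  return {
    method: "POST",
    headers: { "Content-Type": "multipart/form-data; boundary=----example" },
    params: { ...fields, [tokenName]: token },
  };
}
```

Two things the model makes visible. First, the posted config renames the token to alf-csrftoken, so a client that sends Alfresco-CSRFToken (as the posted XMLHttpRequest code does) never satisfies the multipart rule, whatever value it carries. Second, with the last rule commented out, a JSON POST matches no rule at all and is passed through unchecked; keeping that rule enabled and sending the token in the header it names is what Alfresco.util.Ajax.request does for you.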