summaryrefslogtreecommitdiff
path: root/web-ui/app/js
diff options
context:
space:
mode:
authorNavaL <ayoyo@thoughtworks.com>2016-02-24 16:33:20 +0100
committerNavaL <mnandri@thoughtworks.com>2016-02-25 09:17:53 +0100
commit9573bdca55ddc5488066d3af525e41ed1d872ea6 (patch)
tree228ca246c306bd44faa37c01e52c6d7aefec1531 /web-ui/app/js
parentb79035b83e81e4fd654b587426083c6033e695ad (diff)
Backend and frontend protection against csrf attacks:
- root resources changes the csrf token cookie everytime it is loaded, in particular during the intestitial load during login - it will also add that cookie on single user mode - initialize will still load all resources - but they you cant access them if the csrf token do not match - all ajax calls needs to add the token to the header - non ajax get requests do not need xsrf token validation - non ajax post will have to send the token in as a form input or in the content Issue #612
Diffstat (limited to 'web-ui/app/js')
-rw-r--r--web-ui/app/js/helpers/browser.js9
-rw-r--r--web-ui/app/js/helpers/monitored_ajax.js10
-rw-r--r--web-ui/app/js/services/mail_service.js2
3 files changed, 15 insertions, 6 deletions
diff --git a/web-ui/app/js/helpers/browser.js b/web-ui/app/js/helpers/browser.js
index e5be6667..23aa79c8 100644
--- a/web-ui/app/js/helpers/browser.js
+++ b/web-ui/app/js/helpers/browser.js
@@ -23,7 +23,14 @@ define([], function () {
window.location.replace(url);
}
+ function getCookie(name) {
+ var value = '; ' + document.cookie;
+ var parts = value.split('; ' + name + '=');
+ if (parts.length === 2) return parts.pop().split(';').shift();
+ }
+
return {
- redirect: redirect
+ redirect: redirect,
+ getCookie: getCookie
};
});
diff --git a/web-ui/app/js/helpers/monitored_ajax.js b/web-ui/app/js/helpers/monitored_ajax.js
index 1cb720de..dc182d58 100644
--- a/web-ui/app/js/helpers/monitored_ajax.js
+++ b/web-ui/app/js/helpers/monitored_ajax.js
@@ -36,6 +36,8 @@ define(['page/events', 'views/i18n', 'helpers/browser'], function (events, i18n,
}
};
+ config.headers = {'X-XSRF-TOKEN': browser.getCookie('XSRF-TOKEN')};
+
var originalComplete = config.complete;
config.complete = function () {
if (originalComplete) {
@@ -46,15 +48,15 @@ define(['page/events', 'views/i18n', 'helpers/browser'], function (events, i18n,
return $.ajax(url, config).fail(function (xmlhttprequest, textstatus, message) {
if (!config.skipErrorMessage) {
var msg = (xmlhttprequest.responseJSON && xmlhttprequest.responseJSON.message) ||
- messages[textstatus] ||
- 'unexpected problem while talking to server';
- on.trigger(document, events.ui.userAlerts.displayMessage, {message: i18n(msg)});
+ messages[textstatus] ||
+ 'unexpected problem while talking to server';
+ on.trigger(document, events.ui.userAlerts.displayMessage, {message: i18n(msg), class: 'error'});
}
if (xmlhttprequest.status === 302) {
var redirectUrl = xmlhttprequest.getResponseHeader('Location');
browser.redirect(redirectUrl);
- }else if (xmlhttprequest.status === 401) {
+ } else if (xmlhttprequest.status === 401) {
browser.redirect('/');
}
diff --git a/web-ui/app/js/services/mail_service.js b/web-ui/app/js/services/mail_service.js
index a63d517e..412451cb 100644
--- a/web-ui/app/js/services/mail_service.js
+++ b/web-ui/app/js/services/mail_service.js
@@ -246,7 +246,7 @@ define(
this.trigger(document, events.mails.available, _.merge({tag: this.attr.currentTag, forSearch: this.attr.lastQuery }, this.parseMails(data)));
}.bind(this))
.fail(function () {
- this.trigger(document, events.ui.userAlerts.displayMessage, { message: i18n('Could not fetch messages') });
+ this.trigger(document, events.ui.userAlerts.displayMessage, { message: i18n('Could not fetch messages'), class: 'error' });
}.bind(this));
};