
CSRF entity body validation is not possible for multipart/form-data requests

Open pdudits opened this issue 5 years ago • 1 comment

When CSRF protection is engaged on a method annotated with

    @POST
    @Produces(MediaType.TEXT_HTML)
    @Controller
    @Consumes(MediaType.MULTIPART_FORM_DATA)

it can only be validated via an HTTP header match. I understand that support for this feature is optional per the MVC spec, but currently it is impossible to implement it in Krazo via configuration or the SPI.

Even though the application or an SPI package could provide custom handling via FormEntityProvider, the check is done before FormEntityProvider is queried.

I could contribute a solution myself, but I'd need advice on the most fitting solution. I currently see these two options:

  1. Let FormEntityProvider decide whether it can handle the entity. The application or an SPI package can then provide handling for multipart requests.
  2. Add a configuration property that skips CSRF validation in this case (so that the application can handle it itself in the case of implicit protection).

pdudits avatar Dec 22 '20 16:12 pdudits
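To make concrete what an entity-body check for multipart/form-data has to do (and why a header-only match is the easy path), here is an added, illustrative JAX-RS request filter. It is not Krazo code and does not use Krazo's FormEntityProvider SPI; it assumes a CDI-enabled container in the jakarta.* namespace, that the MVC `Csrf` bean is injectable into the provider, and the MVC-spec default names `X-CSRF-TOKEN` (header) and `_csrf` (form field). The multipart scan is deliberately minimal: it buffers the body, locates the non-file `_csrf` part by its Content-Disposition header, and hands the buffered body back so the controller can still read the upload.

```java
import jakarta.inject.Inject;
import jakarta.mvc.security.Csrf;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.ext.Provider;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Locale;
import java.util.Optional;
import java.util.regex.Pattern;

/**
 * Illustrative request filter (not Krazo code): validates the CSRF token of a
 * POST either from the request header or, for multipart/form-data, from a
 * form field inside the entity body. Assumes the MVC-spec default names.
 */
@Provider
public class MultipartCsrfFilter implements ContainerRequestFilter {

    static final String HEADER_NAME = "X-CSRF-TOKEN"; // assumed default header name
    static final String FIELD_NAME = "_csrf";         // assumed default form field name
    static final int MAX_BUFFERED = 8 * 1024 * 1024;  // constructed limit for buffering the body

    @Inject
    Csrf csrf; // Jakarta MVC's per-session token holder; assumed injectable here

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        if (!"POST".equals(ctx.getMethod())) {
            return; // only state-changing form posts are checked in this example
        }
        String expected = csrf.getToken();
        String presented = ctx.getHeaderString(HEADER_NAME);
        MediaType type = ctx.getMediaType();

        if (presented == null && type != null && type.isCompatible(MediaType.MULTIPART_FORM_DATA_TYPE)) {
            if (ctx.getLength() > MAX_BUFFERED) {
                abort(ctx, "request body too large to inspect for CSRF token");
                return;
            }
            // Buffer the body so the controller can still read it after we have looked at it.
            byte[] body = ctx.getEntityStream().readAllBytes();
            ctx.setEntityStream(new ByteArrayInputStream(body));
            presented = extractField(body, type.getParameters().get("boundary"), FIELD_NAME).orElse(null);
        }

        if (presented == null || !tokenMatches(expected, presented)) {
            abort(ctx, "CSRF token missing or invalid");
        }
    }

    /** Minimal multipart/form-data scan for a non-file field; enough for a short token, not a general parser. */
    static Optional<String> extractField(byte[] body, String boundary, String field) {
        if (boundary == null) {
            return Optional.empty();
        }
        // ISO-8859-1 maps bytes 1:1 to chars, so binary file parts do not corrupt the scan.
        String raw = new String(body, StandardCharsets.ISO_8859_1);
        // Per RFC 2046 each delimiter is CRLF "--" boundary; prepend CRLF so the first one matches too.
        String[] parts = ("\r\n" + raw).split(Pattern.quote("\r\n--" + boundary));
        String wanted = "name=\"" + field.toLowerCase(Locale.ROOT) + "\"";
        for (String part : parts) {
            if (part.startsWith("--")) {
                break; // closing delimiter reached
            }
            int headerEnd = part.indexOf("\r\n\r\n");
            if (headerEnd < 0) {
                continue; // preamble or malformed part
            }
            String headers = part.substring(0, headerEnd).toLowerCase(Locale.ROOT);
            if (headers.contains("content-disposition:") && headers.contains(wanted) && !headers.contains("filename=")) {
                return Optional.of(part.substring(headerEnd + 4)); // body runs up to the next delimiter
            }
        }
        return Optional.empty();
    }

    /** Constant-time comparison so the token cannot be guessed byte by byte from timing. */
    static boolean tokenMatches(String expected, String presented) {
        return expected != null
            && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), presented.getBytes(StandardCharsets.UTF_8));
    }

    private static void abort(ContainerRequestContext ctx, String reason) {
        ctx.abortWith(Response.status(Response.Status.FORBIDDEN).entity(reason).type(MediaType.TEXT_PLAIN).build());
    }
}
```

Two points the filter makes visible: the token can only be read after the whole multipart body has been buffered, which is why a framework prefers the header match and why any entity-body check needs a size limit; and because Krazo runs its own CSRF check before querying FormEntityProvider, a filter like this can only complement the built-in check, not replace it, unless one of the two options above is adopted.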

Thanks a lot for reporting this. Maybe a first step would be to get a failing test case that reproduces this issue? Not sure if you saw the testsuite directory, which contains Arquillian-based tests that we can run against different containers.

@gtudan IIRC you built the FormEntityProvider SPI back then. Any thoughts?

chkal avatar Dec 23 '20 09:12 chkal