Merge branch 'refs/heads/feature/N°7124-CSRF-in-several-iTop-pages' into support/3.2

2026-04-24 11:08:45 +02:00 · 2024-07-02 17:16:23 +02:00
parent 452d97f2d0 98f946c871
commit 84f2ecd80f
10 changed files with 31 additions and 22 deletions
--- a/datamodels/2.x/itop-portal-base/portal/templates/layout.html.twig
+++ b/datamodels/2.x/itop-portal-base/portal/templates/layout.html.twig
@@ -87,6 +87,7 @@
 	{% block pPageScripts %}
 		<script type="text/javascript" src="{{ app['combodo.absolute_url'] ~ 'node_modules/jquery/dist/jquery.min.js'|add_itop_version }}"></script>
        <script type="text/javascript" src="{{ app['combodo.absolute_url'] ~ 'js/ajax_hook.js'|add_itop_version }}"></script>
 		{% if is_development_environment() %}
 				<script type="text/javascript" src="{{ app['combodo.absolute_url'] ~ 'node_modules/jquery-migrate/dist/jquery-migrate.js'|add_itop_version }}"></script>
 		{% else %}
--- a/js/ajax_hook.js
+++ b/js/ajax_hook.js
@@ -0,0 +1,5 @@
 // add X-Combodo-Ajax for all request (just after jaquery is loaded)
 // mandatory for ajax requests with JQuery (CSRF protection)
 $(document).ajaxSend(function (event, jqxhr, options) {
 	jqxhr.setRequestHeader('X-Combodo-Ajax', 'true');
 });
--- a/js/ckeditor.feeds.js
+++ b/js/ckeditor.feeds.js
@@ -16,11 +16,7 @@ const CombodoCKEditorFeeds = {
 		return async function(queryText) {
 			return new Promise( resolve => {
 				setTimeout( () => {
-					fetch(options.url + queryText, {
+					CombodoHTTP.Fetch(options.url + queryText)
 						headers: {
 							'X-Combodo-Ajax': true
 						}
 					})
 						.then(response => {
 							return response.json();
 						})
--- a/js/ckeditor.handler.js
+++ b/js/ckeditor.handler.js
@@ -112,12 +112,9 @@ const CombodoCKEditorHandler = {
 								const formData = new FormData();
 								formData.append('upload', file);
-								fetch(uploadUrl, {
+								CombodoHTTP.Fetch(uploadUrl, {
 									method: 'POST',
-									body: formData,
+									body: formData
 									headers: {
 										'X-Combodo-Ajax': true
 									},
 								})
 									.then(response => response.json())
 									.then(responseData => {
--- a/js/icon_select.js
+++ b/js/icon_select.js
@@ -247,12 +247,8 @@ $(function()
 			var file = event.target.files[0];
 			var formData = new FormData();
 			formData.append('file', file);
-
+			CombodoHTTP.Fetch(this.options.post_upload_to, {
 			fetch(this.options.post_upload_to, {
 				method: 'POST',
 				headers: {
 					'X-Combodo-Ajax': true
 				},
 				body: formData
 			})
 				.then(response => {
--- a/js/pages/backoffice/on-ready.js
+++ b/js/pages/backoffice/on-ready.js
@@ -8,11 +8,6 @@
 */
 $(document).ready(function () {
 	// AJAX calls handling
 	// - Custom headers
 	$(document).ajaxSend(function (event, jqxhr, options) {
 		jqxhr.setRequestHeader('X-Combodo-Ajax', 'true');
 	});
 	// - Error messages regarding the error code
 	$(document).ajaxError(function (event, jqxhr, options) {
 		// User is not logged in
--- a/js/utils.js
+++ b/js/utils.js
@@ -1296,6 +1296,23 @@ const CombodoInlineImage = {
 	}
 };
 /**
 * Abstract Fetch API wrapper to manage AJAX requests in iTop.
 */
 const CombodoHTTP = {
 	/**
 	 * @param {string} sUrl URL to fetch
 	 * @param {Object} oOptions Fetch options
 	 * @return {Promise<Response>}
 	 */
 	Fetch: function(sUrl, oOptions) {
 		oOptions = oOptions || {};
 		oOptions.headers = oOptions.headers || {};
 		oOptions.headers['X-Combodo-Ajax'] = true;
 		return fetch(sUrl, oOptions);
 	}
 }
 /**
 * Abstract wrapper to manage modal dialogs in iTop.
 * Implementations for the various GUIs may vary but APIs are the same.
--- a/pages/ajax.render.php
+++ b/pages/ajax.render.php
@@ -29,12 +29,12 @@ require_once('../approot.inc.php');
 // check if header contains X-Combodo-Ajax for POST request (CSRF protection for ajax calls)
-/*if (!isset($_SERVER['HTTP_X_COMBODO_AJAX']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
+if (!isset($_SERVER['HTTP_X_COMBODO_AJAX']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
 	$sReferer = utils::HtmlEntities($_SERVER['HTTP_REFERER']);
 	IssueLog::Error("Unprotected ajax call from: $sReferer", 'SECURITY');
 	header('HTTP/1.1 401 Unauthorized');
 	die('Unauthorized access. Please see https://www.itophub.io/wiki/page?id=3_2_0:release:developer#checking_for_the_presence_of_specific_header_in_the_post_to_enhance_protection_against_csrf_attacks');
-}*/
+}
 function LogErrorMessage($sMsgPrefix, $aContextInfo) {
--- a/sources/Application/WebPage/NiceWebPage.php
+++ b/sources/Application/WebPage/NiceWebPage.php
@@ -153,6 +153,7 @@ JS
 		// Used throughout the app.
 		$this->LinkScriptFromAppRoot('node_modules/jquery/dist/jquery.min.js');
 		$this->LinkScriptFromAppRoot('js/ajax_hook.js');
 		$this->LinkScriptFromAppRoot('js/jquery.blockUI.js');
 		if (utils::IsDevelopmentEnvironment()) // Needed since many other plugins still rely on oldies like $.browser
 		{
--- a/sources/Controller/OAuth/OAuthLandingController.php
+++ b/sources/Controller/OAuth/OAuthLandingController.php
@@ -10,6 +10,7 @@ class OAuthLandingController extends Controller
 	public function OperationLanding()
 	{
 		$this->AddLinkedScript(utils::GetAbsoluteUrlAppRoot().'node_modules/jquery/dist/jquery.min.js');
 		$this->AddLinkedScript(utils::GetAbsoluteUrlAppRoot().'js/ajax_hook.js');
 		$this->DisplayPage([], null, static::ENUM_PAGE_TYPE_BASIC_HTML);
 	}
 }