From aa8d753f30a47a2c6ab9de369547e8dbf156c0ff Mon Sep 17 00:00:00 2001 From: Walker Crouse Date: Tue, 3 Jan 2017 00:16:01 -0500 Subject: [PATCH] Fix some security vulnerabilities Note: This will probably break some API actions for now Signed-off-by: Walker Crouse --- app/Filters.scala | 6 ++ app/assets/stylesheets/_project.scss | 10 +++ app/controllers/Organizations.scala | 41 ++++++----- app/controllers/project/Projects.scala | 20 ++++-- app/form/OreForms.scala | 23 +++++-- app/views/bootstrap/layout.scala.html | 1 + app/views/createOrganization.scala.html | 2 + app/views/projects/channels/list.scala.html | 61 ++++++++++++----- .../channels/utils/modalManage.scala.html | 4 +- app/views/projects/create.scala.html | 4 +- app/views/projects/invite.scala.html | 3 + app/views/projects/settings.scala.html | 5 ++ app/views/projects/versions/create.scala.html | 3 + app/views/projects/versions/view.scala.html | 68 ++++++++++++------- app/views/projects/view.scala.html | 2 + app/views/users/memberList.scala.html | 3 + app/views/users/view.scala.html | 26 ++++--- app/views/utils/editor.scala.html | 10 ++- build.sbt | 2 +- conf/routes | 34 +++++----- public/javascripts/channelManage.js | 9 ++- public/javascripts/hideProject.js | 1 + public/javascripts/main.js | 1 + public/javascripts/notifications.js | 2 + public/javascripts/projectDetail.js | 12 +++- public/javascripts/queue.js | 1 + public/javascripts/userPage.js | 12 ++-- 27 files changed, 256 insertions(+), 110 deletions(-) create mode 100644 app/Filters.scala diff --git a/app/Filters.scala b/app/Filters.scala new file mode 100644 index 000000000..0abf16491 --- /dev/null +++ b/app/Filters.scala @@ -0,0 +1,6 @@ +import javax.inject.Inject + +import play.api.http.DefaultHttpFilters +import play.filters.csrf.CSRFFilter + +class Filters @Inject()(csrfFilters: CSRFFilter) extends DefaultHttpFilters(csrfFilters) diff --git a/app/assets/stylesheets/_project.scss b/app/assets/stylesheets/_project.scss index c98c98a79..2d8e0c632 100755 --- a/app/assets/stylesheets/_project.scss +++ b/app/assets/stylesheets/_project.scss @@ -14,6 +14,16 @@ margin-bottom: 10px; } +.form-channel-delete { + margin: 0; + display: inline; +} + +.form-inline { + margin: 0; + display: inline; +} + .version-header { position: relative; margin-top: 0; diff --git a/app/controllers/Organizations.scala b/app/controllers/Organizations.scala index aea24efd7..ee16e78aa 100755 --- a/app/controllers/Organizations.scala +++ b/app/controllers/Organizations.scala @@ -52,25 +52,30 @@ class Organizations @Inject()(forms: OreForms, * @return Redirect to organization page */ def create() = UserLock() { implicit request => - val user = request.user - val failCall = routes.Organizations.showCreator() - if (user.ownedOrganizations.size >= this.createLimit) - BadRequest - else if (user.isLocked) - Redirect(failCall).withError("error.user.locked") - else { - this.forms.OrganizationCreate.bindFromRequest().fold( - hasErrors => - FormError(failCall, hasErrors), - formData => { - this.organizations.create(formData.name, user.id.get, formData.build()) match { - case Left(error) => - Redirect(failCall).withError(error) - case Right(organization) => - Redirect(routes.Users.showProjects(organization.name, None)) + if (true) { + Redirect(routes.Application.showHome(None, None, None, None, None)) + .withError("Creation of new Organizations is temporarily disabled.") + } else { + val user = request.user + val failCall = routes.Organizations.showCreator() + if (user.ownedOrganizations.size >= this.createLimit) + BadRequest + else if (user.isLocked) + Redirect(failCall).withError("error.user.locked") + else { + this.forms.OrganizationCreate.bindFromRequest().fold( + hasErrors => + FormError(failCall, hasErrors), + formData => { + this.organizations.create(formData.name, user.id.get, formData.build()) match { + case Left(error) => + Redirect(failCall).withError(error) + case Right(organization) => + Redirect(routes.Users.showProjects(organization.name, None)) + } } - } - ) + ) + } } } diff --git a/app/controllers/project/Projects.scala b/app/controllers/project/Projects.scala index f2c161831..572fa2d72 100755 --- a/app/controllers/project/Projects.scala +++ b/app/controllers/project/Projects.scala @@ -109,8 +109,14 @@ class Projects @Inject()(stats: StatTracker, case None => Redirect(self.showCreator()) case Some(pendingProject) => - pendingProject.settings.save(pendingProject.underlying, this.forms.ProjectSave.bindFromRequest().get) - Ok(views.invite(pendingProject)) + this.forms.ProjectSave.bindFromRequest().fold( + hasErrors => + FormError(self.showCreator(), hasErrors), + formData => { + pendingProject.settings.save(pendingProject.underlying, formData) + Ok(views.invite(pendingProject)) + } + ) } } @@ -418,8 +424,14 @@ class Projects @Inject()(stats: StatTracker, */ def save(author: String, slug: String) = SettingsEditAction(author, slug) { implicit request => val project = request.project - project.settings.save(project, this.forms.ProjectSave.bindFromRequest().get) - Redirect(self.show(author, slug)) + this.forms.ProjectSave.bindFromRequest().fold( + hasErrors => + FormError(self.showSettings(author, slug), hasErrors), + formData => { + project.settings.save(project, formData) + Redirect(self.show(author, slug)) + } + ) } /** diff --git a/app/form/OreForms.scala b/app/form/OreForms.scala index 847a552c3..d2c40f728 100755 --- a/app/form/OreForms.scala +++ b/app/form/OreForms.scala @@ -1,5 +1,6 @@ package form +import java.net.{MalformedURLException, URL} import javax.inject.Inject import form.organization.{OrganizationAvatarUpdate, OrganizationMembersUpdate, OrganizationRoleSetBuilder} @@ -18,6 +19,20 @@ import play.api.data.Forms._ //noinspection ConvertibleToMethodValue class OreForms @Inject()(implicit config: OreConfig, factory: ProjectFactory) { + val url = text verifying("error.url.invalid", text => { + if (text.isEmpty) + true + else { + try { + new URL(text) + true + } catch { + case _: MalformedURLException => + false + } + } + }) + /** * Submits a member to be removed from a Project. */ @@ -42,10 +57,10 @@ class OreForms @Inject()(implicit config: OreConfig, factory: ProjectFactory) { */ lazy val ProjectSave = Form(mapping( "category" -> text, - "issues" -> text, - "source" -> text, + "issues" -> url, + "source" -> url, "license-name" -> text, - "license-url" -> text, + "license-url" -> url, "description" -> text, "users" -> list(number), "roles" -> list(text), @@ -79,7 +94,7 @@ class OreForms @Inject()(implicit config: OreConfig, factory: ProjectFactory) { */ lazy val OrganizationUpdateAvatar = Form(mapping( "avatar-method" -> nonEmptyText, - "avatar-url" -> optional(nonEmptyText) + "avatar-url" -> optional(url) )(OrganizationAvatarUpdate.apply)(OrganizationAvatarUpdate.unapply)) /** diff --git a/app/views/bootstrap/layout.scala.html b/app/views/bootstrap/layout.scala.html index e8d60b8da..42a149a1a 100755 --- a/app/views/bootstrap/layout.scala.html +++ b/app/views/bootstrap/layout.scala.html @@ -50,6 +50,7 @@ + @@ -15,7 +28,7 @@ $(function() { initChannelManager( "#channel-new", "", "@config.defaultChannelColor.hex", "New channel", - "@projectRoutes.Channels.create(project.ownerName, project.slug)", + "@channelRoutes.create(project.ownerName, project.slug)", "post", "Create channel" ); }); @@ -54,21 +67,32 @@

@messages("channel.list.title")

- + + + } else { @if(channel.versions.nonEmpty) { - data-toggle="modal" data-target="#modal-delete" + + + } else { - href="@projectRoutes.Channels.delete( - project.ownerName, project.slug, channel.name)" + @form(action = channelRoutes.delete( + project.ownerName, project.slug, channel.name), + 'id -> s"form-delete-${channel.id.get}", + 'class -> "form-channel-delete") { + @CSRF.formField + + + + } } - } - > - - + } @@ -77,7 +101,7 @@

@messages("channel.list.title")

initChannelDelete('#channel-delete-@channel.id', '@channel.name', @channel.versions.size); initChannelManager( "#channel-edit-@channel.id", "@channel.name", "@channel.color.hex", - "Edit channel", "@projectRoutes.Channels.save( + "Edit channel", "@channelRoutes.save( project.ownerName, project.slug, channel.name)", "post", "Save changes" ); @@ -86,7 +110,7 @@

@messages("channel.list.title")

} - @@ -126,7 +150,10 @@ - @messages("channel.delete") +
+ @CSRF.formField + +
diff --git a/app/views/projects/channels/utils/modalManage.scala.html b/app/views/projects/channels/utils/modalManage.scala.html index 99ac83ab0..e9f752666 100755 --- a/app/views/projects/channels/utils/modalManage.scala.html +++ b/app/views/projects/channels/utils/modalManage.scala.html @@ -1,6 +1,7 @@ @import ore.OreConfig @import views.html.helper.form -@()(implicit messages: Messages, config: OreConfig) +@import views.html.helper.CSRF +@()(implicit messages: Messages, config: OreConfig, request: Request[_])