CSRF check not applied to localhost and loopback host

ymarcon · ymarcon · commit ed49a6fd6b7f · 2022-07-15T16:18:27.000+02:00
diff --git a/mica-rest/src/main/java/org/obiba/mica/config/JerseyConfiguration.java b/mica-rest/src/main/java/org/obiba/mica/config/JerseyConfiguration.java
@@ -40,7 +40,7 @@ public JerseyConfiguration(Environment environment) {
     register(AuthenticationInterceptor.class);
     register(ConfigurationInterceptor.class);
     register(AuditInterceptor.class);
-    register(new CSRFInterceptor(getServerPort(environment), environment.acceptsProfiles(Profiles.PROD), environment.getProperty("csrf.allowed", "")));
+    register(new CSRFInterceptor(environment.acceptsProfiles(Profiles.PROD), environment.getProperty("csrf.allowed", "")));
     register(MultiPartFeature.class);
     // validation errors will be sent to the client
     property(ServerProperties.BV_SEND_ERROR_IN_RESPONSE, true);
diff --git a/mica-rest/src/main/java/org/obiba/mica/web/rest/security/CSRFInterceptor.java b/mica-rest/src/main/java/org/obiba/mica/web/rest/security/CSRFInterceptor.java
@@ -22,6 +22,7 @@
 import java.io.IOException;
 import java.net.URI;
 import java.util.List;
+import java.util.regex.Pattern;
 
 public class CSRFInterceptor implements ContainerRequestFilter {
 
@@ -31,14 +32,15 @@ public class CSRFInterceptor implements ContainerRequestFilter {
 
   private static final String REFERER_HEADER = "Referer";
 
-  private final String serverPort;
+  private static final Pattern localhostPattern = Pattern.compile("^http[s]?://localhost:");
+
+  private static final Pattern loopbackhostPattern = Pattern.compile("^http[s]?://127\\.0\\.0\\.1:");
 
   private final boolean productionMode;
 
   private final List<String> csrfAllowed;
 
-  public CSRFInterceptor(String port, boolean productionMode, String csrfAllowed) {
-    serverPort = port;
+  public CSRFInterceptor(boolean productionMode, String csrfAllowed) {
     this.productionMode = productionMode;
     this.csrfAllowed = Strings.isNullOrEmpty(csrfAllowed) ? Lists.newArrayList() : Splitter.on(",").splitToList(csrfAllowed.trim());
   }
@@ -61,13 +63,8 @@ public void filter(ContainerRequestContext requestContext)
       // explicitly ok
       if (csrfAllowed.contains(refererHostPort)) return;
 
-      String localhost = String.format("localhost:%s", serverPort);
-      String loopbackhost = String.format("127.0.0.1:%s", serverPort);
       boolean forbidden = false;
-      if (localhost.equals(host) || loopbackhost.equals(host)) {
-        if (!referer.startsWith(String.format("http://%s/", host)))
-          forbidden = true;
-      } else if (!referer.startsWith(String.format("https://%s/", host))) {
+      if (!localhostPattern.matcher(host).matches() && !loopbackhostPattern.matcher(host).matches() && !referer.startsWith(String.format("https://%s/", host))) {
         forbidden = true;
       }
 
