Fixed CSRF security vulnerability issue. per Alvin Lindstam. Fixes #4217

Initial patch by: Khushboo Vashi Modified by: Ashesh Vashi and Murtuza Zabuawala
2025-02-25 18:55:31 -06:00 · 2019-05-28 10:59:51 +05:30
parent 90a45557b9
commit 6f0eafb223
36 changed files with 387 additions and 124 deletions
--- a/web/pgadmin/tools/backup/static/js/backup_dialog.js
+++ b/web/pgadmin/tools/backup/static/js/backup_dialog.js
@@ -43,8 +43,7 @@ export class BackupDialog extends Dialog {
    const baseUrl = this.url_for_utility_exists(sid, params);
    // Check pg_dump or pg_dumpall utility exists or not.
    let that = this;
-    let service = axios.create({});
-    service.get(
+    axios.get(
      baseUrl
    ).then(function(res) {
      if (!res.data.success) {
--- a/web/pgadmin/tools/backup/static/js/backup_dialog_wrapper.js
+++ b/web/pgadmin/tools/backup/static/js/backup_dialog_wrapper.js
@@ -142,8 +142,7 @@ export class BackupDialogWrapper extends DialogWrapper {

      this.setExtraParameters(selectedTreeNode, treeInfo);

-      let service = axios.create({});
-      service.post(
+      axios.post(
        baseUrl,
        this.view.model.toJSON()
      ).then(function (res) {
--- a/web/pgadmin/tools/debugger/static/js/direct.js
+++ b/web/pgadmin/tools/debugger/static/js/direct.js
@@ -353,7 +353,10 @@ define([
            $.ajax({
              url: baseUrl,
              method: 'GET',
-              beforeSend: function() {
+              beforeSend: function(xhr) {
+                xhr.setRequestHeader(
+                  pgAdmin.csrf_token_header, pgAdmin.csrf_token
+                );
                // set cursor to progress before every poll.
                $('.debugger-container').addClass('show_progress');
              },
--- a/web/pgadmin/tools/restore/static/js/restore_dialog.js
+++ b/web/pgadmin/tools/restore/static/js/restore_dialog.js
@@ -43,8 +43,7 @@ export class RestoreDialog extends Dialog {
    const baseUrl = this.url_for_utility_exists(sid);
    // Check pg_restore utility exists or not.
    let that = this;
-    let service = axios.create({});
-    service.get(
+    axios.get(
      baseUrl
    ).then(function(res) {
      if (!res.data.success) {
--- a/web/pgadmin/tools/restore/static/js/restore_dialog_wrapper.js
+++ b/web/pgadmin/tools/restore/static/js/restore_dialog_wrapper.js
@@ -140,8 +140,7 @@ export class RestoreDialogWrapper extends DialogWrapper {

      this.setExtraParameters(selectedTreeNode, treeInfo);

-      let service = axios.create({});
-      service.post(
+      axios.post(
        baseUrl,
        this.view.model.toJSON()
      ).then(function (res) {
--- a/web/pgadmin/tools/sqleditor/static/js/sqleditor.js
+++ b/web/pgadmin/tools/sqleditor/static/js/sqleditor.js
@@ -35,6 +35,7 @@ define('tools.querytool', [
  'sources/sqleditor/calculate_query_run_time',
  'sources/sqleditor/call_render_after_poll',
  'sources/sqleditor/query_tool_preferences',
+  'sources/csrf',
  'sources/../bundle/slickgrid',
  'pgadmin.file_manager',
  'backgrid.sizeable.columns',
@@ -49,7 +50,7 @@ define('tools.querytool', [
  XCellSelectionModel, setStagedRows, SqlEditorUtils, ExecuteQuery, httpErrorHandler, FilterHandler,
  GeometryViewer, historyColl, queryHist,
  keyboardShortcuts, queryToolActions, queryToolNotifications, Datagrid,
-  modifyAnimation, calculateQueryRunTime, callRenderAfterPoll, queryToolPref) {
+  modifyAnimation, calculateQueryRunTime, callRenderAfterPoll, queryToolPref, csrfToken) {
  /* Return back, this has been called more than once */
  if (pgAdmin.SqlEditor)
    return pgAdmin.SqlEditor;
@@ -63,6 +64,8 @@ define('tools.querytool', [
    HistoryCollection = historyColl.default,
    QueryHistory = queryHist.default;

+  csrfToken.setPGCSRFToken(pgAdmin.csrf_token_header, pgAdmin.csrf_token);
+
  var is_query_running = false;

  // Defining Backbone view for the sql grid.
@@ -1892,6 +1895,7 @@ define('tools.querytool', [
        var self = this;
        this.container = container;
        this.state = {};
+        this.csrf_token = pgAdmin.csrf_token;
        // Disable animation first
        modifyAnimation.modifyAlertifyAnimation();

--- a/web/pgadmin/tools/user_management/init.py
+++ b/web/pgadmin/tools/user_management/init.py
@@ -22,6 +22,7 @@ import config
 from pgadmin.utils import PgAdminModule
 from pgadmin.utils.ajax import make_response as ajax_response, \
    make_json_response, bad_request, internal_server_error
+from pgadmin.utils.csrf import pgCSRFProtect

 from pgadmin.model import db, Role, User, UserPreference, Server, \
    ServerGroup, Process, Setting
@@ -136,6 +137,7 @@ def script():


@blueprint.route("/current_user.js")
+@pgCSRFProtect.exempt
@login_required
 def current_user_info():
    return Response(