SEC-2403: CsrfFilter and CsrfRequestDataValueProcessor is not consistent on policy of injection.

[spring-projects-issues]

Kazuki Shimizu (Migrated from SEC-2403) said:

I think so that CsrfFileter and CsrfRequestDataValueProcessor is not consistent on policy of injection.

Reasons is following:

CsrfFileter is able to inject the http method of processing target. But, CsrfRequestDataValueProcessor is not able to inject the http method of processing target. Http method of processing target is fixed in private constants.

I think so that should be use same strategy for determine the http method of processing target.

What do you think ?

[spring-projects-issues]

Rob Winch said:

What are you trying to do?

[spring-projects-issues]

Kazuki Shimizu said:

This report was not bug. sorry.

I thought better following code in consideration of the symmetry with the CsrfFilter.
But, possibility to customize the http method of processing target may be very rare case within CSRF protection functionality.
Therefore ,this improvement is not important.

h6.[current implementation]

private Pattern DISABLE_CSRF_TOKEN_PATTERN = Pattern.compile("(?i)^(GET|HEAD|TRACE|OPTIONS)$");

h6.[modified implementation]

private static final Pattern DEFAULT_DISABLE_CSRF_TOKEN_METHOD_PATTERN = Pattern.compile("(?i)^(GET|HEAD|TRACE|OPTIONS)$");
private Pattern disableCsrfTokenMethodPattern = DEFAULT_DISABLE_CSRF_TOKEN_METHOD_PATTERN;
// omitted
public void setDisableCsrfTokenMethodPattern(Pattern disableCsrfTokenMethodPattern){
    this.disableCsrfTokenMethodPattern = disableCsrfTokenMethodPattern;
}
// omitted
public String processAction(HttpServletRequest request, String action, String method) {
    if(method != null && disableCsrfTokenMethodPattern != null && disableCsrfTokenMethodPattern.matcher(method).matches()) {
        request.setAttribute(DISABLE_CSRF_TOKEN_ATTR, Boolean.TRUE);
    } else {
        request.removeAttribute(DISABLE_CSRF_TOKEN_ATTR);
    }
    return action;
}
// omitted

In terms of symmetry with CsrfFilter, improvement points is one more.
May be a better that be able to disable csrf token by action attribute in form:form tag.
The reason is because can be customized the request of protection target using the RequestMatcher in CsrfFilter.

I thought a better that create a class like RequestMatcher for the CsrfRequestDataValueProcessor.

p.s)
Because I'm not good at English,words and syntax and phrases might be wrong...
If difficult understand, it is sorry.

[spring-projects-issues]

Rob Winch said:

I'll keep this open as an enhancement until we have a concrete reason we need to add additional functionality. There is no harm in including the token in these requests since it is only included in POST, PUT, etc. Additionally, we cannot really use RequestMatcher since the request that we want to match is actually the URL we submit the form to not the current request.