libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

KEYCLOAK-2082

Browse source 
Cross site scripting issues
This commit is contained in:
Stian Thorgersen 2015-11-26 10:12:43 +01:00
parent f5326e1f42
commit bf4d5f4df9
7 changed files with 24 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
forms/common-themes/src/main/resources/theme/base/account/account.ftl
View file

@ -12,7 +12,7 @@
<form action="${url.accountUrl}" class="form-horizontal" method="post"> <form action="${url.accountUrl}" class="form-horizontal" method="post">
<input type="hidden" id="stateChecker" name="stateChecker" value="${stateChecker}"> <input type="hidden" id="stateChecker" name="stateChecker" value="${stateChecker?html}">
<div class="form-group ${messagesPerField.printIfExists('username','has-error')}"> <div class="form-group ${messagesPerField.printIfExists('username','has-error')}">
<div class="col-sm-2 col-md-2"> <div class="col-sm-2 col-md-2">

4
forms/common-themes/src/main/resources/theme/base/account/applications.ftl
View file

@ -8,8 +8,8 @@
</div> </div>
<form action="${url.revokeClientUrl}" method="post"> <form action="${url.revokeClientUrl}" method="post">
<input type="hidden" id="stateChecker" name="stateChecker" value="${stateChecker}"> <input type="hidden" id="stateChecker" name="stateChecker" value="${stateChecker?html}">
<input type="hidden" id="referrer" name="referrer" value="${stateChecker}"> <input type="hidden" id="referrer" name="referrer" value="${stateChecker?html}">
<table class="table table-striped table-bordered"> <table class="table table-striped table-bordered">
<thead> <thead>

2
forms/common-themes/src/main/resources/theme/base/account/password.ftl
View file

@ -23,7 +23,7 @@
</div> </div>
</#if> </#if>
<input type="hidden" id="stateChecker" name="stateChecker" value="${stateChecker}"> <input type="hidden" id="stateChecker" name="stateChecker" value="${stateChecker?html}">
<div class="form-group"> <div class="form-group">
<div class="col-sm-2 col-md-2"> <div class="col-sm-2 col-md-2">

2
forms/common-themes/src/main/resources/theme/base/account/totp.ftl
View file

@ -41,7 +41,7 @@
<hr/> <hr/>
<form action="${url.totpUrl}" class="form-horizontal" method="post"> <form action="${url.totpUrl}" class="form-horizontal" method="post">
<input type="hidden" id="stateChecker" name="stateChecker" value="${stateChecker}"> <input type="hidden" id="stateChecker" name="stateChecker" value="${stateChecker?html}">
<div class="form-group"> <div class="form-group">
<div class="col-sm-2 col-md-2"> <div class="col-sm-2 col-md-2">
<label for="totp" class="control-label">${msg("authenticatorCode")}</label> <label for="totp" class="control-label">${msg("authenticatorCode")}</label>

11
model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java
View file

@ -1,6 +1,7 @@
package org.keycloak.models.utils; package org.keycloak.models.utils;
import org.bouncycastle.openssl.PEMWriter; import org.bouncycastle.openssl.PEMWriter;
import org.keycloak.common.util.Base64;
import org.keycloak.common.util.Base64Url; import org.keycloak.common.util.Base64Url;
import org.keycloak.models.AuthenticationExecutionModel; import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticationFlowModel; import org.keycloak.models.AuthenticationFlowModel;
@ -57,6 +58,16 @@ public final class KeycloakModelUtils {
return UUID.randomUUID().toString(); return UUID.randomUUID().toString();
} }
public static String generateSecret() {
return generateSecret(32);
}
public static String generateSecret(int bytes) {
byte[] buf = new byte[bytes];
new SecureRandom().nextBytes(buf);
return Base64Url.encode(buf);
}
public static PublicKey getPublicKey(String publicKeyPem) { public static PublicKey getPublicKey(String publicKeyPem) {
if (publicKeyPem != null) { if (publicKeyPem != null) {
try { try {

11
services/src/main/java/org/keycloak/services/resources/AbstractSecuredLocalService.java
View file

@ -6,9 +6,11 @@ import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.AbstractOAuthClient; import org.keycloak.AbstractOAuthClient;
import org.keycloak.common.ClientConnection; import org.keycloak.common.ClientConnection;
import org.keycloak.OAuth2Constants; import org.keycloak.OAuth2Constants;
import org.keycloak.common.util.Base64Url;
import org.keycloak.models.ClientModel; import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel; import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService; import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.services.ForbiddenException; import org.keycloak.services.ForbiddenException;
import org.keycloak.services.managers.AppAuthManager; import org.keycloak.services.managers.AppAuthManager;
@ -40,6 +42,9 @@ import java.util.UUID;
*/ */
public abstract class AbstractSecuredLocalService { public abstract class AbstractSecuredLocalService {
private static final Logger logger = Logger.getLogger(AbstractSecuredLocalService.class); private static final Logger logger = Logger.getLogger(AbstractSecuredLocalService.class);
private static final String KEYCLOAK_STATE_CHECKER = "KEYCLOAK_STATE_CHECKER";
protected final ClientModel client; protected final ClientModel client;
protected RealmModel realm; protected RealmModel realm;
@ -106,14 +111,14 @@ public abstract class AbstractSecuredLocalService {
} }
protected void updateCsrfChecks() { protected void updateCsrfChecks() {
Cookie cookie = headers.getCookies().get(AccountService.KEYCLOAK_STATE_CHECKER); Cookie cookie = headers.getCookies().get(KEYCLOAK_STATE_CHECKER);
if (cookie != null) { if (cookie != null) {
stateChecker = cookie.getValue(); stateChecker = cookie.getValue();
} else { } else {
stateChecker = UUID.randomUUID().toString(); stateChecker = KeycloakModelUtils.generateSecret();
String cookiePath = AuthenticationManager.getRealmCookiePath(realm, uriInfo); String cookiePath = AuthenticationManager.getRealmCookiePath(realm, uriInfo);
boolean secureOnly = realm.getSslRequired().isRequired(clientConnection); boolean secureOnly = realm.getSslRequired().isRequired(clientConnection);
CookieHelper.addCookie(AccountService.KEYCLOAK_STATE_CHECKER, stateChecker, cookiePath, null, null, -1, secureOnly, true); CookieHelper.addCookie(KEYCLOAK_STATE_CHECKER, stateChecker, cookiePath, null, null, -1, secureOnly, true);
} }
} }

2
services/src/main/java/org/keycloak/services/resources/AccountService.java
View file

@ -117,8 +117,6 @@ public class AccountService extends AbstractSecuredLocalService {
LOG_DETAILS.add(Details.AUTH_METHOD); LOG_DETAILS.add(Details.AUTH_METHOD);
} }
public static final String KEYCLOAK_STATE_CHECKER = "KEYCLOAK_STATE_CHECKER";
// Used when some other context (ie. IdentityBrokerService) wants to forward error to account management and display it here // Used when some other context (ie. IdentityBrokerService) wants to forward error to account management and display it here
public static final String ACCOUNT_MGMT_FORWARDED_ERROR_NOTE = "ACCOUNT_MGMT_FORWARDED_ERROR"; public static final String ACCOUNT_MGMT_FORWARDED_ERROR_NOTE = "ACCOUNT_MGMT_FORWARDED_ERROR";