From 01156b23b57eca203465bac7371a9d24d81d7a8d Mon Sep 17 00:00:00 2001
From: Alan Davis <alan.davis@alfresco.com>
Date: Thu, 3 Nov 2016 13:52:23 +0000
Subject: [PATCH] Merged 5.2.N (5.2.1) to HEAD (5.2)    131485 kroast: Merged
 5.2-DEV (5.2.0) to 5.2.N (5.2.N)       131352 kroast: ACE-4881 - [Pentest
 121015] Multiple admin CSRF          - Added CSRF filter config to protect
 the Alfresco Admin Console pages

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@132265 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../alfresco/web-client-security-config.xml   | 118 ++++++++++++++++++
 .../web/WEB-INF/web-application-context.xml   |  33 +++--
 source/web/WEB-INF/web.xml                    |  16 +++
 3 files changed, 159 insertions(+), 8 deletions(-)
 create mode 100644 config/alfresco/web-client-security-config.xml

diff --git a/config/alfresco/web-client-security-config.xml b/config/alfresco/web-client-security-config.xml
new file mode 100644
index 0000000000..bb620d3668
--- /dev/null
+++ b/config/alfresco/web-client-security-config.xml
@@ -0,0 +1,118 @@
+<alfresco-config>
+
+   <!--
+      CSRF filter config to mitigate CSRF/Seasurfing/XSRF attacks
+
+      To disable the CSRF filter override the <filter> to not contain any values, for example:
+         <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
+            <filter/>
+         </config>
+      
+      @since 5.2
+   -->
+   <config evaluator="string-compare" condition="CSRFPolicy">
+      
+      <!--
+         Force creation of a Session when the filter matches a path - this should only be used when you are
+         confident the filtered part of the web application is using an authentication mechanism that will avoid
+         protected pages being accessed until the user is authenticated. Otherwise this would be a route to
+         a Session fixation attack.
+      -->
+      <session>true</session>
+
+      <!--
+         Properties that may be used inside the rest of the CSRFPolicy config to avoid repetition but
+         also making it possible to provide different values in different environments.
+         I.e. Different "Referer" & "Origin" properties for test & production etc.
+         Reference a property using "{propertyName}".
+      -->
+      <properties>
+
+         <!-- There is normally no need to override this property -->
+         <token>alf-csrftoken</token>
+
+         <!--
+            Override and set this property with a regexp that if you have placed Alfresco behind a proxy that
+            does not rewrite the Referer header.
+         -->
+         <referer></referer>
+
+         <!--
+            Override and set this property with a regexp that if you have placed Alfresco behind a proxy that
+            does not rewrite the Origin header.
+         -->
+         <origin></origin>
+      </properties>
+
+      <!--
+        Will be used and exposed to the client side code in Admin.CSRF
+        Use the Admin.CSRF.getHeader() or Admin.CSRF.getParameter() with Admin.CSRF.getToken()
+        to set the token in custom 3rd party code.
+      -->
+      <client>
+         <cookie>{token}</cookie>
+         <header>{token}</header>
+         <parameter>{token}</parameter>
+      </client>
+
+      <!-- The first rule with a matching request will get its action invoked, the remaining rules will be ignored. -->
+      <filter>
+
+         <!-- Refresh token on each new page visit -->
+         <rule>
+            <request>
+               <method>GET</method>
+               <path>/service/enterprise/admin/.*</path>
+            </request>
+            <action name="generateToken">
+               <param name="session">{token}</param>
+               <param name="cookie">{token}</param>
+            </action>
+         </rule>
+
+         <!--
+            Verify multipart requests contain the token as a parameter
+            and also correct referer & origin header if available
+         -->
+         <rule>
+            <request>
+               <method>POST</method>
+               <header name="Content-Type">multipart/.+</header>
+            </request>
+            <action name="assertToken">
+               <param name="session">{token}</param>
+               <param name="parameter">{token}</param>
+            </action>
+            <action name="assertReferer">
+               <param name="referer">{referer}</param>
+            </action>
+            <action name="assertOrigin">
+               <param name="origin">{origin}</param>
+            </action>
+         </rule>
+
+         <!--
+            Verify that all remaining state changing requests contain a token in the header and correct referer & origin headers
+            if available. We "catch" all content types since just setting it to "application/json.*" since a webscript that doesn't
+            require a json request body otherwise would be successfully executed using i.e."text/plain".
+         -->
+         <rule>
+            <request>
+               <method>POST|PUT|DELETE</method>
+            </request>
+            <action name="assertToken">
+               <param name="session">{token}</param>
+               <param name="header">{token}</param>
+            </action>
+            <action name="assertReferer">
+               <param name="referer">{referer}</param>
+            </action>
+            <action name="assertOrigin">
+               <param name="origin">{origin}</param>
+            </action>
+         </rule>
+      </filter>
+
+   </config>
+
+</alfresco-config>
\ No newline at end of file
diff --git a/source/web/WEB-INF/web-application-context.xml b/source/web/WEB-INF/web-application-context.xml
index b5d44df9bc..4928a19dee 100644
--- a/source/web/WEB-INF/web-application-context.xml
+++ b/source/web/WEB-INF/web-application-context.xml
@@ -2,12 +2,29 @@
 <!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
 <!-- Top-level imports of XML configuration -->
 <beans>
-    <import resource="classpath:alfresco/application-context.xml" />
-    <import resource="classpath:alfresco/web-scripts-application-context.xml" />
-    <import resource="classpath*:alfresco/enterprise-web-scripts-application-context.xml" />
-    <!--
-        To give final control over the tuning of the custom environment, the custom-web-context.xml file is processed
-        last (note: custom-web-context.xml isn't part of the source tree itself).
-    -->
-    <import resource="classpath*:alfresco/extension/custom-web-context.xml" />
+   <import resource="classpath:alfresco/application-context.xml" />
+   <import resource="classpath:alfresco/web-scripts-application-context.xml" />
+   <import resource="classpath*:alfresco/enterprise-web-scripts-application-context.xml" />
+   <!--
+       To give final control over the tuning of the custom environment, the custom-web-context.xml file is processed
+       last (note: custom-web-context.xml isn't part of the source tree itself).
+   -->
+   <import resource="classpath*:alfresco/extension/custom-web-context.xml" />
+
+   <!-- Apply web-client-security-config.xml to web/webscript config sources -->
+   <bean id="webscripts.configsource" class="org.springframework.extensions.config.source.UrlConfigSource">
+      <constructor-arg>
+         <list>
+            <value>classpath:alfresco/web-scripts-config.xml</value>
+            <value>classpath:alfresco/web-client-security-config.xml</value>
+            <value>classpath:alfresco/extension/web-scripts-config-custom.xml</value>
+         </list>
+      </constructor-arg>
+   </bean>
+
+   <bean id="web.config" class="org.springframework.extensions.config.xml.XMLConfigService" init-method="init">
+      <constructor-arg>
+         <ref bean="webscripts.configsource" />
+      </constructor-arg>
+   </bean>
 </beans>
\ No newline at end of file
diff --git a/source/web/WEB-INF/web.xml b/source/web/WEB-INF/web.xml
index 6b84d1f14e..3c89e4fa47 100644
--- a/source/web/WEB-INF/web.xml
+++ b/source/web/WEB-INF/web.xml
@@ -98,6 +98,12 @@
       -->
    </filter>
 
+   <filter>
+      <description>CSRF Token filter. Checks for a session based CSRF token in request headers (or form parameters) based on config.</description>
+      <filter-name>CSRF Token Filter</filter-name>
+      <filter-class>org.springframework.extensions.webscripts.servlet.CSRFFilter</filter-class>
+   </filter>
+
    <!-- AOSM filter placeholder -->
 
    <!-- CORS Filter Begin -->
@@ -232,6 +238,16 @@
       <url-pattern>/wcs/api/solr/*</url-pattern>
    </filter-mapping>
 
+   <filter-mapping>
+      <filter-name>CSRF Token Filter</filter-name>
+      <url-pattern>/service/enterprise/admin/*</url-pattern>
+   </filter-mapping>
+
+   <filter-mapping>
+      <filter-name>CSRF Token Filter</filter-name>
+      <url-pattern>/s/enterprise/admin/*</url-pattern>
+   </filter-mapping>
+
    <!-- AOSM filter-mapping placeholder -->
 
    <!-- Enterprise filter-mapping placeholder -->