From aae87ebffd9e50c467d9c41fda8a635b8223be3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Piotr=20=C5=BBurek?= <Piotr.Zurek@hyland.com>
Date: Tue, 11 Oct 2022 12:05:35 +0200
Subject: [PATCH] PRODSEC-6550 Fix CSRF in the WebScript console Refresh
 Scripts form (#1483)

---
 .../alfresco/web-client-security-config.xml   | 27 ++++++
 packaging/war/src/main/webapp/WEB-INF/web.xml |  6 ++
 .../extensions/webscripts/index.get.html.ftl  | 82 +++++++++++++++++++
 3 files changed, 115 insertions(+)
 create mode 100644 remote-api/src/main/resources/alfresco/templates/webscripts/org/springframework/extensions/webscripts/index.get.html.ftl

diff --git a/packaging/war/src/main/resources/alfresco/web-client-security-config.xml b/packaging/war/src/main/resources/alfresco/web-client-security-config.xml
index 0d5362bd14..9098134659 100644
--- a/packaging/war/src/main/resources/alfresco/web-client-security-config.xml
+++ b/packaging/war/src/main/resources/alfresco/web-client-security-config.xml
@@ -139,6 +139,33 @@
                <param name="cookie">{token}</param>
             </action>
          </rule>
+         <rule>
+            <request>
+               <method>GET</method>
+               <path>/s/index|/s/</path>
+            </request>
+            <action name="generateToken">
+               <param name="session">{token}</param>
+               <param name="cookie">{token}</param>
+            </action>
+         </rule>
+         <rule>
+            <request>
+               <method>POST</method>
+               <path>/s/index|/s/</path>
+            </request>
+            <action name="assertToken">
+               <param name="session">{token}</param>
+               <param name="parameter">{token}</param>
+            </action>
+            <action name="assertReferer">
+               <param name="referer">{referer}</param>
+            </action>
+            <action name="assertOrigin">
+               <param name="origin">{origin}</param>
+            </action>
+         </rule>
+
 
          <!--
             Verify multipart requests contain the token as a parameter
diff --git a/packaging/war/src/main/webapp/WEB-INF/web.xml b/packaging/war/src/main/webapp/WEB-INF/web.xml
index 97af943fd3..ad5277771d 100644
--- a/packaging/war/src/main/webapp/WEB-INF/web.xml
+++ b/packaging/war/src/main/webapp/WEB-INF/web.xml
@@ -231,6 +231,12 @@
       <url-pattern>/wcs/admin/*</url-pattern>
    </filter-mapping>
 
+   <filter-mapping>
+      <filter-name>CSRF Token Filter</filter-name>
+      <url-pattern>/s/index</url-pattern>
+      <url-pattern>/s/</url-pattern>
+   </filter-mapping>
+
    <filter-mapping>
       <filter-name>Security Headers Filter</filter-name>
       <url-pattern>/*</url-pattern>
diff --git a/remote-api/src/main/resources/alfresco/templates/webscripts/org/springframework/extensions/webscripts/index.get.html.ftl b/remote-api/src/main/resources/alfresco/templates/webscripts/org/springframework/extensions/webscripts/index.get.html.ftl
new file mode 100644
index 0000000000..cd1004a03c
--- /dev/null
+++ b/remote-api/src/main/resources/alfresco/templates/webscripts/org/springframework/extensions/webscripts/index.get.html.ftl
@@ -0,0 +1,82 @@
+<#import "/org/springframework/extensions/webscripts/webscripts.lib.html.ftl" as wsLib/>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<@wsLib.head>${msg("alfresco.index.title")}</@wsLib.head>
+<body>
+<div>
+    <@wsLib.indexheader>Web Scripts Home</@wsLib.indexheader>
+    <#if failures?size &gt; 0>
+        <br/>
+        <table>
+            <tr><td><a href="${url.serviceContext}/index/failures">(+${failures?size} failed)</td></tr>
+        </table>
+    </#if>
+    <br>
+    <@wsLib.onlinedoc/>
+    <br/>
+    <span class="mainSubTitle">Index</span>
+    <#if rootfamily.children?size &gt; 0>
+        <table>
+            <#list rootfamily.children as childpath>
+                <tr><td><a href="${url.serviceContext}/index/family${childpath.path}">Browse '${childpath.name}' Web Scripts</a></td></tr>
+            </#list>
+        </table>
+        <br/>
+    </#if>
+    <table>
+        <tr><td><a href="${url.serviceContext}/index/all">Browse all Web Scripts</a></td></tr>
+        <tr><td><a href="${url.serviceContext}/index/uri/">Browse by Web Script URI</a></td></tr>
+        <tr><td><a href="${url.serviceContext}/index/package/">Browse by Web Script Package</a></td></tr>
+        <tr><td><a href="${url.serviceContext}/index/lifecycle/">Browse by Web Script Lifecycle</a></td></tr>
+    </table>
+    <br/>
+    <br/>
+    <span class="mainSubTitle">Maintenance</span>
+    <form id="refresh" action="${url.serviceContext}${url.match}" method="post">
+        <input type="hidden" name="reset" value="on"/>
+        <table>
+            <#if failures?size &gt; 0>
+                <tr><td><a href="${url.serviceContext}/index/failures">Browse failed Web Scripts</a></td></tr>
+            </#if>
+            <tr><td><a href="${url.serviceContext}/api/javascript/debugger">Alfresco Javascript Debugger</a></td></tr>
+        </table>
+        <br/>
+        <table>
+            <tr><td><input type="submit" name="submit" value="Refresh Web Scripts"/></td></tr>
+        </table>
+    </form>
+</div>
+<#assign CSRF=(config.scoped["CSRFPolicy"]["filter"].getChildren("rule")?size != 0)!false>
+<#if CSRF>
+<script type="text/javascript">
+function addCsrfTokenToRefreshForm() {
+   const properties = {};
+    <#if config.scoped["CSRFPolicy"]["properties"]??>
+        <#assign csrfProperties = (config.scoped["CSRFPolicy"]["properties"].children)![]>
+        <#list csrfProperties as p>
+   properties["${p.name?js_string}"] = "${(p.value!"")?js_string}";
+        </#list>
+   </#if>
+
+   function substitute(str) {
+      for (const prop in properties) {
+         str = str.replace("{" + prop + "}", properties[prop]);
+      }
+      return str;
+   }
+
+   const csrfCookieName = substitute("${config.scoped["CSRFPolicy"]["client"].getChildValue("cookie")!""}");
+   const csrfParamName = substitute("${config.scoped["CSRFPolicy"]["client"].getChildValue("parameter")!""}");
+   const matchingCookies = document.cookie.match(new RegExp("(?:^|; )" + csrfCookieName + "=([^;]*)"));
+   if (matchingCookies) {
+      const csrfToken = decodeURIComponent(matchingCookies[1]).replace(/"/g, '');
+      const form = document.getElementById('refresh');
+      const originalAction = form.attributes.action.value;
+      form.attributes.action.value = originalAction + (originalAction.lastIndexOf('?') === -1 ? "?" : "&") + csrfParamName + "=" + encodeURIComponent(csrfToken);
+   }
+}
+window.addEventListener('load', addCsrfTokenToRefreshForm, false);
+</script>
+</#if>
+</body>
+</html>
\ No newline at end of file