CSRF Error on custom action

Question

When I try to use my custom action I get an error and seems the action is not available, what can I do? The error is

[CsrfGuard] - potential cross-site request forgery (CSRF) attack thwarted ....  

 

Answer

Checking CSRF token 

Actions are protected against CSRF attacks and must contain a valid CSRF token to be executed. All URLs ending with .do are checked.

When calling an action from a jahia page, the token should be automatically added and you should not worry about it. However, if it's not the case, you can verify why it's not passed.

First, check that the CsrfServlet is correctly called in your page by checking the HTML source :

<script type="text/javascript" src="/modules/CsrfServlet"></script>

This javascript detects forms and links and will add the token. It's added by a filter and should be in all pages served by Jahia. 

  • In forms, a hidden field is added :
    Screenshot 2021-02-10 at 15.13.40.png
  • In tags containing src or href attribute, the token is added in the URL :
    Screenshot 2021-02-10 at 15.12.42.png
  • For XHR calls, the token is transparently added into an HTTP header when the call is executed :
    Screenshot 2021-02-10 at 15.15.30.png

Finally, check in your browser, that when calling the action, the token is properly added. If it not the case, your action is maybe called with a different method. You can debug the javascript in /modules/CsrfServlet to see what is happening.

Disabling CSRF-guard for this action

As a last resort, you can add your action to the CSRF guard allow list. This may be needed if the action is called by a command-line client or another server. In that case, additional security like IP filtering can be added to ensure the action is not called by a malicious third-party.

The non-permanent way

You can configure it for your actions using a configuration file. One way to do it is from the Jahia tools --> OSGI console, there you have the possibility to change the config (under OSGI - Configuration):

image-2020-09-29-12-03-39-841.png

There you have to search for the org.jahia.modules.jahiacsrfguard-default.cfg, when you click on it the configuration pops up:

image-2020-09-29-12-05-50-121.png

There you should see a whitelist. By default, *.myAction.do will be there, and you can comma-separated add other actions to this whitelist, for instance in my example I added *.uploadTest.do

After saving this config, it should be deployed and the action should work as expected.

The permanent way

A configuration file can be packaged directly in your module. This is the best way to allow CsrfGuard executing your actions as these settings will be used on module deployment. Here is a quick way to do it:

  1. First create a new configuration folder src/main/resources/META-INF/configurations
  2. Create a new file org.jahia.modules.jahiacsrfguard-yourModule.cfg in this folder. Note this filename needs to be unique as it will be deployed in your digital-factory-data/karaf/etc. So we suggest replacing yourModule with the name of your module. So for instance if your module name is test-module then you should create such a file src/main/resources/META-INF/configurations/org.jahia.modules.jahiacsrfguard-test-module.cfg
  3. Edit this new configuration file, and  whitelist all your action URLs with such a line:
     
    whitelist = *.action1.do,*.action2.do

See example

Allow GET method

By default, all the actions are restricted to POST. You can explicitly declare that GET is allowed in your spring file with requiredMethods="GET,POST"

Override CSRF Guard configuration

Since versions 1.5.0 and 2.4.0 of the jahia-csrf-guard module, you can override the csrfguard properties in /karaf/etc/org.owasp.csrfguard.cfg (Note that the configuration should be taken on the fly without restart, but it can take up to 60 seconds until they are picked up, they should be automatically propagated and effective around the cluster, also on restarts).

For instance with

org.owasp.csrfguard.Enabled = true

you can (temporarily) disable the CSRF filter without having to stop the jahia-csrf-guard module.