#158 add CSRF protection

project/Dependencies.scala

@@ -11,6 +11,7 @@ object Dependencies {
       val cache = "com.typesafe.play" %% "play-cache" % version
       val test = "com.typesafe.play" %% "play-test" % version
       val specs2 = "com.typesafe.play" %% "play-specs2" % version
+      val filters = "com.typesafe.play" %% "filters-helpers" % version
       object Specs2 {
         private val version = "3.6.6"
         val matcherExtra = "org.specs2" %% "specs2-matcher-extra" % version

thehive-backend/app/global/Filters.scala

@@ -1,13 +1,44 @@
 package global
 
-import javax.inject.{ Inject, Singleton }
+import javax.inject.{ Inject, Provider, Singleton }
+
+import akka.stream.Materializer
+import play.api.Logger
+import play.api.http.HttpFilters
+import play.api.libs.crypto.CSRFTokenSigner
+import play.api.mvc.{ EssentialFilter, RequestHeader }
+import play.filters.csrf.CSRF.{ ErrorHandler, TokenProvider }
+import play.filters.csrf.CSRFConfig
 
 import scala.collection.immutable
 
-import play.api.http.HttpFilters
-import play.api.mvc.Filter
+@Singleton
+class TheHiveFilters @Inject() (injectedFilters: immutable.Set[EssentialFilter]) extends HttpFilters {
+  override val filters = injectedFilters.toSeq
+}
+
+object CSRFFilter {
+  private[CSRFFilter] lazy val logger = Logger(getClass)
+
+  def shouldProtect(request: RequestHeader): Boolean = {
+    val isLogin = request.uri.startsWith("/api/login")
+    val isApi = request.uri.startsWith("/api")
+    val isInSession = request.session.data.nonEmpty
+    val check = !isLogin && isApi && isInSession
+    logger.debug(s"[csrf] uri ${request.uri} (isLogin=$isLogin, isApi=$isApi, isInSession=$isInSession): ${if (check) "" else "don't"} check")
+    check
+  }
+
+}
 
 @Singleton
-class TheHiveFilters @Inject() (injectedFilters: immutable.Set[Filter]) extends HttpFilters {
-  val filters = injectedFilters.toSeq
-}
+class CSRFFilter @Inject() (
+  config: Provider[CSRFConfig],
+  tokenSignerProvider: Provider[CSRFTokenSigner],
+  tokenProvider: TokenProvider,
+  errorHandler: ErrorHandler)(mat: Materializer)
+    extends play.filters.csrf.CSRFFilter(
+      config.get.copy(shouldProtect = CSRFFilter.shouldProtect),
+      tokenSignerProvider.get,
+      tokenProvider,
+      errorHandler)(mat)

thehive-backend/app/global/Module.scala

@@ -2,36 +2,29 @@ package global
 
 import java.net.{ URL, URLClassLoader }
 
-import javax.inject.Singleton
-
-import scala.collection.JavaConversions.asScalaSet
-
-import play.api.{ Configuration, Environment, Logger, Mode }
-import play.api.libs.concurrent.AkkaGuiceSupport
-import play.api.mvc.Filter
-
-import org.elastic4play.Timed
-import org.elastic4play.models.BaseModelDef
-import org.elastic4play.services.{ AuthSrv, AuthSrvFactory, MigrationOperations, TempFilter }
-import org.elastic4play.services.auth.MultiAuthSrv
-import org.reflections.Reflections
-
-import net.codingwell.scalaguice.{ ScalaModule, ScalaMultibinder }
-
 import com.google.inject.AbstractModule
 import com.google.inject.name.Names
-
 import connectors.Connector
 import controllers.{ AssetCtrl, AssetCtrlDev, AssetCtrlProd }
 import models.Migration
+import net.codingwell.scalaguice.{ ScalaModule, ScalaMultibinder }
+import org.elastic4play.models.BaseModelDef
+import org.elastic4play.services.auth.MultiAuthSrv
+import org.elastic4play.services.{ AuthSrv, AuthSrvFactory, MigrationOperations, TempFilter }
+import org.reflections.Reflections
+import play.api.libs.concurrent.AkkaGuiceSupport
+import play.api.mvc.EssentialFilter
+import play.api.{ Configuration, Environment, Logger, Mode }
 import services.{ AuditSrv, AuditedModel, StreamFilter, StreamMonitor }
 
+import scala.collection.JavaConversions.asScalaSet
+
 class TheHive(
     environment: Environment,
     val configuration: Configuration) extends AbstractModule with ScalaModule with AkkaGuiceSupport {
-  val log = Logger(s"module")
+  private[TheHive] lazy val logger = Logger(s"module")
 
-  def configure = {
+  override def configure(): Unit = {
     bind[org.elastic4play.services.UserSrv].to[services.UserSrv]
     bind[Int].annotatedWith(Names.named("databaseVersion")).toInstance(models.version)
 
@@ -51,7 +44,7 @@ class TheHive(
       .getSubTypesOf(classOf[BaseModelDef])
       .filterNot(c ⇒ java.lang.reflect.Modifier.isAbstract(c.getModifiers))
       .foreach { modelClass ⇒
-        log.info(s"Loading model $modelClass")
+        logger.info(s"Loading model $modelClass")
         modelBindings.addBinding.to(modelClass)
         if (classOf[AuditedModel].isAssignableFrom(modelClass)) {
           auditedModelBindings.addBinding.to(modelClass.asInstanceOf[Class[AuditedModel]])
@@ -62,7 +55,7 @@ class TheHive(
       .addUrls(packageUrls: _*)
       .setScanners(new org.reflections.scanners.SubTypesScanner(false)))
       .getSubTypesOf(classOf[AuthSrv])
-      .filterNot(c ⇒ java.lang.reflect.Modifier.isAbstract(c.getModifiers) || c.isMemberClass())
+      .filterNot(c ⇒ java.lang.reflect.Modifier.isAbstract(c.getModifiers) || c.isMemberClass)
       .filterNot(_ == classOf[MultiAuthSrv])
       .foreach { modelClass ⇒
         authBindings.addBinding.to(modelClass)
@@ -77,9 +70,10 @@ class TheHive(
         authFactoryBindings.addBinding.to(modelClass)
       }
 
-    val filterBindings = ScalaMultibinder.newSetBinder[Filter](binder)
+    val filterBindings = ScalaMultibinder.newSetBinder[EssentialFilter](binder)
     filterBindings.addBinding.to[StreamFilter]
     filterBindings.addBinding.to[TempFilter]
+    filterBindings.addBinding.to[CSRFFilter]
 
     bind[MigrationOperations].to[Migration]
     bind[AuthSrv].to[MultiAuthSrv]

thehive-backend/build.sbt

@@ -3,6 +3,7 @@ import Dependencies._
 libraryDependencies ++= Seq(
   Library.Play.cache,
   Library.Play.ws,
+  Library.Play.filters,
   Library.scalaGuice,
   Library.elastic4play,
   Library.zip4j,