verify-csrf-interceptor
To mitigate CSRF attacks, CFML has two built-in functions to handle CSRF tokens, csrfGenerateToken and csrfVerifyToken. You should include a generated token in any form submission in your application and verify it in your handlers or controllers.
It's very easy to miss this, though, because you have to wire up both the token generation in the form and the token verification in the handler. This interceptor takes care of the token verification side for every non-GET request, so only the form side is left to remember.
It's such a short function, let's take a look at it in its entirety here:
/**
 * Verifies the CSRF token on all non-GET requests
 */
component extends="coldbox.system.Interceptor" {

    public void function configure() {}

    public void function preEvent( event, interceptData ) {
        // Read-only GET requests carry no token; every other method must
        if ( event.getHTTPMethod() == "GET" ) {
            return;
        }
        // Handler actions annotated with skipCSRFCheck opt out of the check
        if ( actionMarkedToSkip( event, interceptData ) ) {
            return;
        }
        if ( ! event.valueExists( "_token" ) ) {
            throw( type = "TokenMismatchException", message = "The CSRF token was not included." );
        }
        if ( ! csrfVerifyToken( event.getValue( "_token" ) ) ) {
            throw( type = "TokenMismatchException", message = "The CSRF token is invalid." );
        }
    }

    private boolean function actionMarkedToSkip( required event, required struct interceptData ) {
        // Resolve the handler for the event being processed and read its component metadata
        var handler = getController()
            .getHandlerService()
            .getRegisteredHandler( interceptData.processedEvent );
        var md = getComponentMetadata( "#handler.getInvocationPath()#.#handler.getHandler()#" );
        // Pick out the metadata entry for the action (method) about to run
        var funcs = arrayFilter( md.functions, function( func ) {
            return func.name == handler.getMethod();
        } );
        // The annotation only has to exist; its value is not inspected
        if ( NOT arrayIsEmpty( funcs ) ) {
            if ( structKeyExists( funcs[ 1 ], "skipCSRFCheck" ) ) {
                return true;
            }
        }
        return false;
    }

}
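The other half of the wiring is the form side, which the interceptor cannot do for you. The handler below is an added example, not code from the verify-csrf-interceptor module; the handler name, action names and view path are assumed. It shows a normal POST action that relies on the interceptor having already verified `_token` and a webhook action that opts out with the skipCSRFCheck annotation the interceptor looks for (the value "true" is an assumption; the interceptor only checks that the annotation key exists).

```cfml
// handlers/contact.cfc (assumed path; example handler, not part of the module)
component {

    // GET: render the form. The view must emit the token the interceptor checks,
    // e.g. <input type="hidden" name="_token" value="#csrfGenerateToken()#">
    function form( event, rc, prc ) {
        event.setView( "contact/form" );
    }

    // POST: by the time this runs, preEvent has already thrown a
    // TokenMismatchException for a missing or invalid _token, so the
    // action itself only deals with the validated submission.
    function send( event, rc, prc ) {
        prc.email = event.getValue( "email", "" );
        event.setView( "contact/sent" );
    }

    // POST from a third-party system that has no session and therefore no token.
    // The annotation key is all the interceptor inspects; document the reason
    // for every opt-out, since each one is a request that goes unchecked.
    function webhook( event, rc, prc ) skipCSRFCheck="true" {
        event.renderData( type = "json", data = { "received": true } );
    }

}
```

The interceptor skips only GET, so the hidden `_token` field must be present on every POST, PUT, PATCH or DELETE submission; a form that omits it fails with "The CSRF token was not included." rather than silently passing through.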
Wrap Up
Protect yourself from simple omissions like forgetting to generate and verify CSRF tokens: install verify-csrf-interceptor today and it will start verifying for you with no further configuration.
That's the power of ColdBox modules!