BuildEdgeIndexServlet XSRF

2012-11-29T12:52:42
ID ATLASSIAN:CONFCLOUD-54305
Type atlassian
Reporter danh
Modified 2017-04-02T05:39:46

Description

The {{BuildEdgeIndexServlet}} is responsible for rebuilding the edge index. Because it is a servlet and not a Webwork action, XSRF checks are not applied automatically and must be implemented programmatically. The servlet does not currently implement any XSRF token check, so a cross-site request forged against a logged-in administrator can force the edge index to be rebuilt.

The guidance at https://developer.atlassian.com/display/CONFDEV/Form+Token+Handling should be used to programmatically validate the required token in the {{doPost}} method before any work is done.

{code:title=BuildEdgeIndexServlet.java|borderStyle=solid}
public class BuildEdgeIndexServlet extends HttpServlet {
    ...
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // No XSRF token is validated here before the privileged action below.
        if (!permissionManager.hasPermission(AuthenticatedUserThreadLocal.getUser(),
                Permission.ADMINISTER, PermissionManager.TARGET_APPLICATION)) {
            resp.sendError(403, "Insufficient privileges.");
            return; // stop here, otherwise the rebuild still runs for non-admins
        }
        try {
            edgeIndexBuilder.build(2);
        } catch (Exception e) {
            resp.sendError(500, "Error rebuilding edge index: " + e.getMessage());
            return;
        }
        resp.getWriter().append("Build index completed successfully");
    }
}
{code}
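The following is an added illustration of the fix described above, not code from Confluence: a {{doPost}} that validates a per-session form token before checking permissions and doing any work. The token lookup (session attribute {{xsrf.token}}, parameter {{atl_token}}) and the {{edgeIndexBuilder}} field are assumptions standing in for the {{XsrfTokenGenerator}} wiring described in the linked Form Token Handling page.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hardened variant of the servlet (example code, not the project's own).
public class BuildEdgeIndexServlet extends HttpServlet {
    // Assumed names: where the token was issued to the form and how it is submitted.
    static final String SESSION_TOKEN_ATTR = "xsrf.token";
    static final String REQUEST_TOKEN_PARAM = "atl_token";

    private final EdgeIndexBuilder edgeIndexBuilder; // assumed collaborator
    private final PermissionChecker permissionChecker; // assumed collaborator

    public BuildEdgeIndexServlet(EdgeIndexBuilder b, PermissionChecker p) {
        this.edgeIndexBuilder = b;
        this.permissionChecker = p;
    }

    // Token must be present and equal (constant-time) to the one bound to this session.
    static boolean hasValidToken(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session == null) return false;
        Object expected = session.getAttribute(SESSION_TOKEN_ATTR);
        String actual = req.getParameter(REQUEST_TOKEN_PARAM);
        if (!(expected instanceof String) || actual == null) return false;
        return MessageDigest.isEqual(((String) expected).getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!hasValidToken(req)) {          // XSRF check first, before any side effect
            resp.sendError(403, "Missing or invalid form token.");
            return;
        }
        if (!permissionChecker.isAdmin(req)) {
            resp.sendError(403, "Insufficient privileges.");
            return;
        }
        try {
            edgeIndexBuilder.build(2);
        } catch (Exception e) {
            resp.sendError(500, "Error rebuilding edge index: " + e.getMessage());
            return;
        }
        resp.getWriter().append("Build index completed successfully");
    }
}
```

The interfaces {{EdgeIndexBuilder}} and {{PermissionChecker}} are placeholders for the real collaborators; the point is the ordering: reject a missing or mismatched token before the permission check and before {{build}} is ever called.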