Upgraded libraries recommended by Renovate that it couldn't automatica… #526
Open
scottatwell1 wants to merge 15 commits into master from
…lly apply. Note, due to the pmd upgrade a LOT of test classes had to be amended
…s when getting court sites to exclude obsolete court sites
Comment on lines +106 to +115
| return http.securityMatcher("/login/**", "/oauth2/**", "/", "/dashboard/**") | ||
| .authorizeHttpRequests(auth -> auth.requestMatchers(AUTH_WHITELIST).permitAll() | ||
| .anyRequest().authenticated()) | ||
| .oauth2Login( | ||
| auth -> auth.successHandler(getSuccessHandler()).failureHandler(getFailureHandler()) | ||
| .authorizationEndpoint(endpoint -> endpoint | ||
| .authorizationRequestRepository(cookieAuthorizationRequestRepository()))) | ||
| .addFilterAfter(new AuthorisationTokenExistenceFilter(), | ||
| SecurityContextHolderFilter.class) | ||
| .csrf(AbstractHttpConfigurer::disable) |
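Review bot: the .csrf(AbstractHttpConfigurer::disable) call on the last line of this region turns CSRF protection off for the entire chain, while the securityMatcher on the first line scopes that chain to /login/**, /oauth2/**, / and /dashboard/**, which are browser-facing paths authenticated through oauth2Login and a session cookie; that combination is what the CodeQL "Disabled Spring CSRF protection" finding points at, and it means any state-changing request under /dashboard/** can be triggered from a third-party page. If a specific endpoint genuinely needs to be exempt (for example one called by a non-browser client that authenticates per request), scope the exemption with .csrf(csrf -> csrf.ignoringRequestMatchers(...)) for just that path and leave the default protection in place for the rest of the chain; the OAuth2 login flow under /oauth2/** does not require CSRF to be disabled.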
Check failure: Code scanning / CodeQL
Disabled Spring CSRF protection (High)
Copilot Autofix (AI, 9 months ago):
To fix the issue, CSRF protection should be enabled for the affected endpoints. This can be achieved by removing the csrf(AbstractHttpConfigurer::disable) line from the authorizationClientSecurityFilterChain method. Additionally, if there are specific endpoints that do not require CSRF protection (e.g., APIs used by non-browser clients), CSRF protection can be selectively disabled for those endpoints using requestMatchers.
Steps to fix:
- Remove the csrf(AbstractHttpConfigurer::disable) line from the authorizationClientSecurityFilterChain method.
- Ensure CSRF protection is enabled for browser-accessible endpoints.
- If necessary, selectively disable CSRF protection for non-browser client endpoints using requestMatchers.
Suggested changeset (1 file): src/main/java/uk/gov/hmcts/pdm/publicdisplay/manager/web/logon/WebSecurityConfig.java
| @@ -100,3 +100,3 @@ | ||
| SecurityContextHolderFilter.class) | ||
| .csrf(AbstractHttpConfigurer::disable) | ||
| .csrf(Customizer.withDefaults()) | ||
| .cors(cors -> cors.configurationSource(request -> getCorsConfiguration())).build(); |
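Review bot: the replacement line .csrf(Customizer.withDefaults()) re-enables CSRF, but the changeset touches only these three lines and shows no import change, so verify that WebSecurityConfig.java already imports org.springframework.security.config.Customizer or the autofix will not compile as applied. Two further checks before accepting it: the default configuration keeps the CSRF token in the HTTP session, and this chain already uses cookieAuthorizationRequestRepository() for the OAuth2 authorization request, so confirm whether the chain is meant to work without session state (in which case a CookieCsrfTokenRepository would be needed for browser clients to obtain a token); and every POST form or XHR under /dashboard/** will now have to send the token, so review the templates and any JavaScript callers rather than merging the suggestion on its own.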
Before creating a pull request make sure that:
Please remove this line and everything above and fill the following sections:
JIRA link (if applicable)
Change description
Does this PR introduce a breaking change? (check one with "x")