Issue fixed during security audit

jangidrakesh · jangidrakesh · commit 2367bb132585 · 2020-08-28T18:42:32.000+05:30
1)Implement SameSite=Lax for all request 2)Implement csrf token for all importent request 3)Update privilige level of accessing issue in all user operations 4)Restrict accessing Mis application untill new password is set by new user 5)Block accessing templates by loging in as normal user 6)removed the password from resetPassword api's response 7)Allowed only for admin user to access this url "http://192.168.200.112:8080/NMSReportingSuite/nms/user/roles" 8)Fix issue in API rate limiting 9)removed tomcat banner grabbing
diff --git a/NMSReportingSuite/src/main/java/com/beehyv/nmsreporting/business/impl/CsrfInterceptor.java b/NMSReportingSuite/src/main/java/com/beehyv/nmsreporting/business/impl/CsrfInterceptor.java
@@ -1,28 +1,38 @@
 package com.beehyv.nmsreporting.business.impl;
 
+import com.beehyv.nmsreporting.business.UserService;
+import com.beehyv.nmsreporting.model.User;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.servlet.ModelAndView;
 import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
 
-import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-public class CookiesInterceptor extends HandlerInterceptorAdapter {
+public class CsrfInterceptor extends HandlerInterceptorAdapter {
+    @Autowired
+    private UserService userService;
 
-    @Override
-    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
-    }
     @Override
     public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
-            Cookie cookie = new Cookie("SameSite", "Lax");
-            response.addCookie(cookie);
+        User currentUser = userService.getCurrentUser();
 
-        return true;
+        if(currentUser == null) {
+            return false;
+        }
+        String token = "dhty" + currentUser.getUserId().toString() + "alkihkf";
+        return request.getHeader("csrfToken").equals(token);
     }
+
     @Override
-    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception exception) throws Exception {}
+    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
+    }
+
+    @Override
+    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
+    }
 
     @Override
     public void afterConcurrentHandlingStarted(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
     }
-}
+}
diff --git a/NMSReportingSuite/src/main/java/com/beehyv/nmsreporting/business/impl/UserServiceImpl.java b/NMSReportingSuite/src/main/java/com/beehyv/nmsreporting/business/impl/UserServiceImpl.java
@@ -143,11 +143,6 @@ public Map<Integer, String> createNewUser(User user) {
             responseMap.put(rowNum, userNameError);
             return responseMap;
         }
-        if (userDao.findByUserName(user.getUsername()) != null) {
-            String userNameError = "Username already exists.";
-            responseMap.put(rowNum, userNameError);
-            return responseMap;
-        }
 
         String userPhone = user.getPhoneNumber();
         String regexStr1 = "^[0-9]*$";
@@ -314,6 +309,11 @@ else if (user.getAccessLevel().equalsIgnoreCase(AccessLevel.DISTRICT.getAccessLe
 //                return responseMap;
 //            }
         }
+        if (userDao.findByUserName(user.getUsername()) != null) {
+            String userNameError = "Username already exists.";
+            responseMap.put(rowNum, userNameError);
+            return responseMap;
+        }
         String password = serviceFunctions.generatePassword();
         user.setPassword(passwordEncoder.encode(password));
         user.setCreationDate(new Date());
diff --git a/NMSReportingSuite/src/main/java/com/beehyv/nmsreporting/controller/AdminController.java b/NMSReportingSuite/src/main/java/com/beehyv/nmsreporting/controller/AdminController.java
@@ -107,7 +107,12 @@ public Map uploadFileHandler(@RequestParam("bulkCsv") MultipartFile file) {
     @ResponseBody
     public String getBulkDataImportCSV(HttpServletResponse response) throws ParseException, java.text.ParseException{
 
-       response.setContentType("APPLICATION/OCTECT-STREAM");
+        User user = userService.getCurrentUser();
+        if(user==null||!(user.getRoleName().equals("MASTER ADMIN"))&&!(user.getRoleName().equals("ADMIN"))){
+            return "Not Authorized";
+        }
+
+        response.setContentType("APPLICATION/OCTECT-STREAM");
         try {
             PrintWriter out=response.getWriter();
             String filename="BulkImportData.csv";
@@ -192,7 +197,9 @@ public String getCumulativeCourseCompletion(@PathVariable("state") String State,
             modification.setModifiedByUserId(userService.getCurrentUser().getUserId());
             modificationTrackerService.saveModification(modification);
         }
-        return map;
+        Map<Integer, String> requiredmap=new HashMap<>();
+        requiredmap.put(0,map.get(0));
+        return requiredmap;
     }
     @RequestMapping(value = "/create", method = RequestMethod.GET)
     @ResponseBody
diff --git a/NMSReportingSuite/src/main/java/com/beehyv/nmsreporting/controller/UserController.java b/NMSReportingSuite/src/main/java/com/beehyv/nmsreporting/controller/UserController.java
@@ -136,7 +136,7 @@ public class UserController {
     @RequestMapping(value={"/roles"} , method = RequestMethod.POST)
     public @ResponseBody List<Role> getRoles() {
         User currentUser = userService.getCurrentUser();
-        if(currentUser.getUserId() != null){
+        if(currentUser.getUserId() != null&&((currentUser.getRoleName().equals("MASTER ADMIN"))||(currentUser.getRoleName().equals("ADMIN")))){
             return roleService.getRoles();
         } else
             return null;
diff --git a/NMSReportingSuite/src/main/webapp/WEB-INF/applicationContext.xml b/NMSReportingSuite/src/main/webapp/WEB-INF/applicationContext.xml
@@ -136,11 +136,82 @@
     </bean>
 
 <mvc:interceptors>
+
+<!--    Csrf Interceptor Open-->
+    <mvc:interceptor>
+        <mvc:mapping path="/nms/admin/changePassword"/>
+        <bean class="com.beehyv.nmsreporting.business.impl.CsrfInterceptor">
+        </bean>
+    </mvc:interceptor>
+
+    <mvc:interceptor>
+        <mvc:mapping path="/nms/admin/uploadFile"/>
+        <bean class="com.beehyv.nmsreporting.business.impl.CsrfInterceptor">
+        </bean>
+    </mvc:interceptor>
+
+    <mvc:interceptor>
+        <mvc:mapping path="/nms/mail/sendEmailForContactUs"/>
+        <bean class="com.beehyv.nmsreporting.business.impl.CsrfInterceptor">
+        </bean>
+    </mvc:interceptor>
+
+    <mvc:interceptor>
+        <mvc:mapping path="/nms/mail/sendFeedback"/>
+        <bean class="com.beehyv.nmsreporting.business.impl.CsrfInterceptor">
+        </bean>
+    </mvc:interceptor>
+
+    <mvc:interceptor>
+        <mvc:mapping path="/nms/user/createUser"/>
+        <bean class="com.beehyv.nmsreporting.business.impl.CsrfInterceptor">
+        </bean>
+    </mvc:interceptor>
+
     <mvc:interceptor>
-        <mvc:mapping path="/nms/**"/>
-        <bean class="com.beehyv.nmsreporting.business.impl.CookiesInterceptor">
+        <mvc:mapping path="/nms/user/deleteUser"/>
+        <bean class="com.beehyv.nmsreporting.business.impl.CsrfInterceptor">
         </bean>
     </mvc:interceptor>
+
+    <mvc:interceptor>
+        <mvc:mapping path="/nms/user/downloadAggPdf"/>
+        <bean class="com.beehyv.nmsreporting.business.impl.CsrfInterceptor">
+        </bean>
+    </mvc:interceptor>
+
+    <mvc:interceptor>
+        <mvc:mapping path="/nms/user/generateAgg"/>
+        <bean class="com.beehyv.nmsreporting.business.impl.CsrfInterceptor">
+        </bean>
+    </mvc:interceptor>
+
+    <mvc:interceptor>
+        <mvc:mapping path="/nms/user/getReport"/>
+        <bean class="com.beehyv.nmsreporting.business.impl.CsrfInterceptor">
+        </bean>
+    </mvc:interceptor>
+
+    <mvc:interceptor>
+        <mvc:mapping path="/nms/user/resetPassword"/>
+        <bean class="com.beehyv.nmsreporting.business.impl.CsrfInterceptor">
+        </bean>
+    </mvc:interceptor>
+
+    <mvc:interceptor>
+        <mvc:mapping path="/nms/user/updateContacts"/>
+        <bean class="com.beehyv.nmsreporting.business.impl.CsrfInterceptor">
+        </bean>
+    </mvc:interceptor>
+
+    <mvc:interceptor>
+        <mvc:mapping path="/nms/user/updateUser"/>
+        <bean class="com.beehyv.nmsreporting.business.impl.CsrfInterceptor">
+        </bean>
+    </mvc:interceptor>
+
+<!--    Csrf Interceptor clode-->
+
 </mvc:interceptors>
     <bean id="autoReportMail" class="com.beehyv.nmsreporting.job.AutoReportEmailGeneration"/>
     <task:scheduled-tasks>
diff --git a/app/scripts/app.js b/app/scripts/app.js
@@ -1,3 +1,4 @@
+
 var nmsReportsApp = angular.module('nmsReports', ['vcRecaptcha','ui.bootstrap', 'ui.validate', 'ngMessages', 'ui.router', 'ui.grid', 'ngMaterial', 'ngFileUpload', 'ng.deviceDetector', 'ui.grid.exporter', 'ngStorage', 'ngAnimate', '$idle', 'mdo-angular-cryptography'])
     .run(['$rootScope', '$state', '$stateParams', '$idle', '$http', '$window', function($rootScope, $state, $stateParams, $idle, $http, $window) {
         $rootScope.$state = $state;
@@ -26,12 +27,31 @@ var nmsReportsApp = angular.module('nmsReports', ['vcRecaptcha','ui.bootstrap',
                             if(!result.data){
                                 $state.go('login', {});
                             }
+                            else {
+                                $http.post(backend_root + 'nms/user/currentUser')
+                                    .then(function(result){
+                                        if(result.data.default){
+                                            $state.go('changePassword', {});
+                                        }
+                                    });
+                            }
                         });
                 }
             };
         }
     ])
 
+    .factory('httpRequestInterceptor',
+        function () {
+            return {
+                request: function (config) {
+                    config.headers['SameSite'] = 'Lax';
+                    return config;
+                }
+            };
+        }
+    )
+
     .factory('authorizationRole', ['$http', '$state',
         function($http, $state) {
             return {
@@ -350,6 +370,11 @@ var nmsReportsApp = angular.module('nmsReports', ['vcRecaptcha','ui.bootstrap',
         $idleProvider.interrupt('keydown mousedown touchstart touchmove');
         $idleProvider.setIdleTime(1800);
     }])
+
+    .config(function ($httpProvider) {
+        $httpProvider.interceptors.push('httpRequestInterceptor');
+    })
+
     .config(['$cryptoProvider', function($cryptoProvider) {
         $cryptoProvider.setCryptographyKey('ABCD123');
     }]);
diff --git a/app/scripts/controllers/bulkUser.js b/app/scripts/controllers/bulkUser.js
@@ -37,9 +37,10 @@
 	//We can send anything in name parameter,
 //it is hard coded to abc as it is irrelavant in this case.
 				var uploadUrl = backend_root + "nms/admin/uploadFile";
+				var token = 'dhty'+UserFormFactory.getCurrentUser().userId+'alkihkf';
 				$http.post(uploadUrl, fd, {
 					transformRequest: angular.identity,
-					headers: {'Content-Type': undefined}
+					headers: {'Content-Type': undefined, 'csrfToken': token}
 				})
 				.then(function(result){
 					$scope.listErrors(result.data)
diff --git a/app/scripts/controllers/changePassword.js b/app/scripts/controllers/changePassword.js
@@ -43,11 +43,12 @@
                     //"cipherTextHexOld": encryptedOld.ciphertext.toString(),
                     //"saltHexOld":newPassword encryptedOld.salt.toString()
                     };
+                    var token = 'dhty'+UserFormFactory.getCurrentUser().userId+'alkihkf';
                     $http({
                         method: 'POST',
                         url: backend_root + 'nms/user/resetPassword',
                         data: JSON.stringify(data),
-                        headers: {'Content-Type': 'application/json'}
+                        headers: {'Content-Type': 'application/json', 'csrfToken': token}
                     }).then(function(result){
 //                    $http({
 //                        method  : 'POST',
diff --git a/app/scripts/controllers/contactUs.js b/app/scripts/controllers/contactUs.js
@@ -202,11 +202,13 @@
                         "subject" : $scope.email.subject,
                         "phoneNo" : $scope.email.phoneNo
                     };
+                    var token = 'dhty'+UserFormFactory.getCurrentUser().userId+'alkihkf';
+
                     $http({
                         method  : 'POST',
                         url     : backend_root + 'nms/mail/sendEmailForContactUs',
                         data    : JSON.stringify(data), //forms user object
-                        headers : {'Content-Type': 'application/json'}
+                        headers : {'Content-Type': 'application/json', 'csrfToken': token}
                     }).then(function(){
                         if(UserFormFactory.isInternetExplorer()){
                             alert('Contact-us form submitted successfully')
diff --git a/app/scripts/controllers/createUser.js b/app/scripts/controllers/createUser.js
@@ -106,11 +106,12 @@
 			$scope.createUserSubmit = function() {
 				if ($scope.createUserForm.$valid) {
 					delete $scope.newUser.$$hashKey;
+					var token = 'dhty'+UserFormFactory.getCurrentUser().userId+'alkihkf';
 					$http({
 						method  : 'post',
 						url     : backend_root + 'nms/user/createUser',
 						data    : $scope.newUser, //forms user object
-						headers : {'Content-Type': 'application/json'} 
+						headers : {'Content-Type': 'application/json', 'csrfToken': token}
 					}).then(function(result){
 					    if(UserFormFactory.isInternetExplorer()){
                             alert(result.data['0'])
diff --git a/app/scripts/controllers/editUser.js b/app/scripts/controllers/editUser.js
@@ -21,7 +21,7 @@
 					}
 				});
 			});
-
+			var token = 'dhty'+UserFormFactory.getCurrentUser().userId+'alkihkf';
 			$scope.editUser = {};
 			$scope.place = {};
 			$scope.accessLevelList = ["NATIONAL", "STATE", "DISTRICT", "BLOCK"];
@@ -144,7 +144,7 @@
 						method  : 'POST',
 						url     : backend_root + 'nms/user/updateUser',
 						data    : $scope.editUser, //forms user object
-						headers : {'Content-Type': 'application/json'} 
+						headers : {'Content-Type': 'application/json', 'csrfToken': token}
 					}).then(function(result){
                         if (UserFormFactory.isInternetExplorer()) {
                             alert(result.data['0']);
@@ -177,7 +177,7 @@
                     method  : 'POST',
                     url     : backend_root + 'nms/admin/changePassword',
                     data    : password, //forms user object
-                    headers : {'Content-Type': 'application/json'}
+                    headers : {'Content-Type': 'application/json', 'csrfToken': token}
                 }).then(function(result){
                     if(UserFormFactory.isInternetExplorer()){
                         alert(result.data['0']);
@@ -195,7 +195,6 @@
             };
 	//changed delete user to post, added a token for verification
             $scope.deactivateUserSubmit = function() {
-            	var token = 'dhty'+UserFormFactory.getCurrentUser().userId+'alkihkf';
 				$http({
 					method  : 'POST',
 					url     : backend_root + 'nms/user/deleteUser',
diff --git a/app/scripts/controllers/feedbackForm.js b/app/scripts/controllers/feedbackForm.js
@@ -194,11 +194,12 @@ UserFormFactory.downloadCurrentUser()
                         "body" : $scope.email.body,
                         "phoneNo" : $scope.email.phoneNo
                     };
+                    var token = 'dhty'+UserFormFactory.getCurrentUser().userId+'alkihkf';
                     $http({
                         method  : 'POST',
                         url     : backend_root + 'nms/mail/sendFeedback',
                         data    : JSON.stringify(data), //forms user object
-                        headers : {'Content-Type': 'application/json'}
+                        headers : {'Content-Type': 'application/json', 'csrfToken': token}
                     }).then(function(){
                         if(UserFormFactory.isInternetExplorer()){
                             alert('feedback form submitted successfully')
diff --git a/app/scripts/controllers/profile.js b/app/scripts/controllers/profile.js
@@ -8,7 +8,7 @@
 					$state.go('login', {});
 				}
 			})
-
+			var token = 'dhty'+UserFormFactory.getCurrentUser().userId+'alkihkf';
 			$http.get(backend_root + 'nms/user/profile')
 			.then(function(result){
 				$scope.user = result.data;
@@ -51,7 +51,7 @@
 						method  : 'POST',
 						url     : backend_root + 'nms/user/updateContacts',
 						data    : $scope.contact, //forms user object
-						headers : {'Content-Type': 'application/json'} 
+						headers : {'Content-Type': 'application/json', 'csrfToken': token}
 					}).then(function(result){
                         if(UserFormFactory.isInternetExplorer()){
                             alert(result.data['0'])
@@ -89,7 +89,7 @@
 						method  : 'POST',
 						url     : backend_root + 'nms/user/resetPassword',
 						data    : $scope.password, //forms user object
-						headers : {'Content-Type': 'application/json'} 
+						headers : {'Content-Type': 'application/json', 'csrfToken': token}
 					}).then(function(result){
 						if(UserFormFactory.isInternetExplorer()){
                             alert(result.data['0'])
diff --git a/app/scripts/controllers/reports.js b/app/scripts/controllers/reports.js
