ADMINTOOL-92: Add a form token check to Query tools

michitux · michitux · commit 45298b4fbcaf · 2023-08-03T18:09:07.000+02:00
diff --git a/src/main/resources/Admin/Query.xml b/src/main/resources/Admin/Query.xml
@@ -45,12 +45,16 @@
 #if($hasProgramming)
   #set($sqlTools = $xwiki.parseGroovyFromPage('Admin.SQLToolsGroovy'))
   = Query =
-  $sqlTools.getForm($request, $doc, true, true, $xcontext)
+  $sqlTools.getForm($request, $doc, true, true, $xcontext, $services.csrf.token)
   #if($request.query)
-    #set($connection = $sqlTools.getConnectionFromRequest($request))
-    #set($results = $sqlTools.getResults($connection, $request.query, true))
-    = Results =
-    $results
+    #if ($services.csrf.isTokenValid($request.getParameter('form_token')))
+      #set($connection = $sqlTools.getConnectionFromRequest($request))
+      #set($results = $sqlTools.getResults($connection, $request.query, true))
+      = Results =
+      $results
+    #else
+      {{error}}Invalid form token. Please verify the query and resubmit.{{/error}}
+    #end
   #end
 #else
 {{error}}Sorry, you need the programming rights to use this tool{{/error}}
diff --git a/src/main/resources/Admin/QueryOnXWiki.xml b/src/main/resources/Admin/QueryOnXWiki.xml
@@ -47,12 +47,16 @@
   #set($system = $sqlTools.getXWikiDatabaseSystem($xwiki, $xcontext))
   = Query =
   Your database is: **$system**
-  $sqlTools.getForm($request, $doc, false, true, $xcontext)
+  $sqlTools.getForm($request, $doc, false, true, $xcontext, $services.csrf.token)
   #if($request.query)
-    #set($connection = $sqlTools.getXWikiConnection($xwiki, $xcontext))
-    #set($results = $sqlTools.getResults($connection, $request.query, false))
-    = Results =
-    $results
+    #if ($services.csrf.isTokenValid($request.getParameter('form_token')))
+      #set($connection = $sqlTools.getXWikiConnection($xwiki, $xcontext))
+      #set($results = $sqlTools.getResults($connection, $request.query, false))
+      = Results =
+      $results
+    #else
+      {{error}}Invalid form token. Please verify the query and resubmit.{{/error}}
+    #end
   #end
 #else
 {{error}}Sorry, you need the programming rights to use this tool{{/error}}
diff --git a/src/main/resources/Admin/SQLToolsGroovy.xml b/src/main/resources/Admin/SQLToolsGroovy.xml
@@ -114,7 +114,7 @@ class SQLTools{
   /**
    * Get Form
    */
-  String getForm(request, doc, withJDBCForm, withQuery, xcontext){
+  String getForm(request, doc, withJDBCForm, withQuery, xcontext, csrfToken){
     def databaseConfiguration = new DatabaseConfiguration(request, xcontext)
     def escapeTool = new EscapeTool()
     def spageUrl = escapeTool.xml(doc.getURL())
@@ -123,6 +123,7 @@ class SQLTools{
     def toReturn = """
       {{html clean=="false"}}
       &lt;form action="${spageUrl}#HResults" class="xform" method="post"&gt;
+        &lt;input type="hidden" name="form_token" value="${csrfToken}" /&gt;
     """;
     // JDB Form (user, password driver, url)
     if(withJDBCForm){
