BuildEdgeIndexServlet XSRF


    • 6.4

      The BuildEdgeIndexServlet is responsible for rebuilding the edge index. Because this is a servlet and not a WebWork action, XSRF checks must be implemented programmatically. The servlet does not currently implement any XSRF token checks, so a forged cross-site request can force the edge index to be rebuilt.

      The information at https://developer.atlassian.com/display/CONFDEV/Form+Token+Handling should be used to check programmatically, in the doPost method, for the required token.

      BuildEdgeIndexServlet.java
      public class BuildEdgeIndexServlet extends HttpServlet
      {
      ...
        protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException
        {
          if (!permissionManager.hasPermission(AuthenticatedUserThreadLocal.getUser(), Permission.ADMINISTER, PermissionManager.TARGET_APPLICATION))
            resp.sendError(403, "Insufficient privileges.");
          try
          {
            edgeIndexBuilder.build(2);
          }
          catch (Exception e)
          {
            resp.sendError(500, "Error rebuilding edge index: " + e.getMessage());
          }
          resp.getWriter().append("Build index completed successfully");
        }
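
One way to add the token check the report asks for, as an added example that is not Atlassian's code or the fix that shipped. It assumes the `XsrfTokenGenerator` and `SimpleXsrfTokenGenerator` classes from `com.atlassian.xwork`, constructor injection, and a hypothetical `EdgeIndexBuilder` interface standing in for the type the excerpt elides. It also returns after each `sendError`, so a rejected request does not go on to rebuild the index.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.atlassian.confluence.security.Permission;
import com.atlassian.confluence.security.PermissionManager;
import com.atlassian.confluence.user.AuthenticatedUserThreadLocal;
import com.atlassian.xwork.SimpleXsrfTokenGenerator;
import com.atlassian.xwork.XsrfTokenGenerator;

public class BuildEdgeIndexServlet extends HttpServlet {
    /** Hypothetical stand-in: the excerpt only shows edgeIndexBuilder.build(2). */
    public interface EdgeIndexBuilder { void build(int arg) throws Exception; }

    private final PermissionManager permissionManager;
    private final EdgeIndexBuilder edgeIndexBuilder;
    private final XsrfTokenGenerator tokenGenerator = new SimpleXsrfTokenGenerator();

    public BuildEdgeIndexServlet(PermissionManager permissionManager, EdgeIndexBuilder edgeIndexBuilder) {
        this.permissionManager = permissionManager;
        this.edgeIndexBuilder = edgeIndexBuilder;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        if (!permissionManager.hasPermission(AuthenticatedUserThreadLocal.getUser(), Permission.ADMINISTER, PermissionManager.TARGET_APPLICATION)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Insufficient privileges.");
            return; // sendError does not end the method; stop before any work is done
        }
        // The token is read from the request parameter named by the generator and
        // validated against the caller's session; a cross-site form cannot know it.
        String token = req.getParameter(tokenGenerator.getXsrfTokenName());
        if (token == null || !tokenGenerator.validateToken(req, token)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "XSRF token missing or invalid.");
            return;
        }
        try {
            edgeIndexBuilder.build(2);
        } catch (Exception e) {
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Error rebuilding edge index: " + e.getMessage());
            return; // the response is committed; do not also write the success message
        }
        resp.getWriter().append("Build index completed successfully");
    }
}
```

Any page or script that legitimately triggers the rebuild then has to include the current user's token in its POST, as the linked form-token page describes.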
      

              Assignee:
              fabs (Inactive)
              Reporter:
              Dan Hodson
              Votes:
              0
              Watchers:
              3