Using a context path can break XSRF Check


    • Severity 3 - Minor

      Issue Summary

      When Fecru is accessed through a context path (<base_url>/context), the XSRF check performed during the OAuth dance with application links fails.

      Steps to Reproduce

      1. Set up Jira (latest version)
      2. Set up Fisheye 4.8.15 with a context path
      3. Create an application link
      4. Attempt to authenticate
      5. Click "Allow"

      Expected Results

      The OAuth token is created and application link features are accessible to the user

      Actual Results

      The popup changes into

      XSRF Validation Failed

      Workaround

      Reconfigure network routing and Fisheye so that Fisheye is not served under a web context path.
      or
      Use the following Byteman script to whitelist the Jira base URL:

      # Byteman rule: treat any request whose Referer starts with the Jira base URL as
      # XSRF-valid; otherwise fall through to the normal url/referrer/token comparison.
      # Parameters are referenced positionally: from the calls below, $1 is the stored
      # CSRF entry, $2 the request URL, $3 the Referer and $4 the token.
      # Replace <base_url> with the Jira origin as seen by the client, including scheme
      # and port, e.g. https://my.jira.com:8080. This is a plain prefix match, so keep the
      # port or add a trailing slash: a bare https://my.jira.com would also accept a
      # Referer from https://my.jira.com.attacker.example/.
      RULE url-whitelist
      CLASS com.atlassian.sal.fisheye.xsrf.FisheyeXsrfTokenAccessor
      METHOD foundValidCsrfEntry
      AT ENTRY
      BIND NOTHING
      IF TRUE
      DO
       return $3.startsWith("<base_url>") || $1.urlMatches($2) && $1.referrerMatches($3) && $1.tokenMatches($4);
      ENDRULE
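      The following is an added example, not Fisheye code and not part of the original issue: it models the decision the Byteman rule makes (a Referer prefix match short-circuits the normal url/referrer/token comparison) and puts an exact-origin comparison beside it. The CsrfEntry class, the function names and the hosts my.jira.com, fecru.example and my.jira.com.attacker.example are constructed for the example; the point it demonstrates is that a prefix match on a base URL with no port and no trailing slash also accepts a look-alike host, while comparing the parsed origin does not.

```python
"""Referrer whitelist for an XSRF check: prefix match vs. exact-origin match.

Constructed example modelling `$3.startsWith("<base_url>") || $1.urlMatches($2)
&& $1.referrerMatches($3) && $1.tokenMatches($4)`; not Fisheye's own code.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]


def origin_of(url: str) -> Optional[Origin]:
    """Return (scheme, host, port) for an absolute http(s) URL, else None.

    Default ports are filled in so that "https://host/" and "https://host:443/"
    compare equal; a non-numeric port or a non-http scheme yields None.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # e.g. "https://host:abc/"
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


@dataclass(frozen=True)
class CsrfEntry:
    """Stand-in (hypothetical) for the stored CSRF entry the rule receives as $1."""
    url: str
    referrer: str
    token: str

    def url_matches(self, url: str) -> bool:
        return self.url == url

    def referrer_matches(self, referrer: str) -> bool:
        return self.referrer == referrer

    def token_matches(self, token: str) -> bool:
        return self.token == token


def found_valid_csrf_entry_prefix(entry: CsrfEntry, url: str, referrer: str,
                                  token: str, base_url: str) -> bool:
    """The rule as written: a Referer prefix match bypasses the stored-entry check."""
    return referrer.startswith(base_url) or (
        entry.url_matches(url)
        and entry.referrer_matches(referrer)
        and entry.token_matches(token)
    )


def found_valid_csrf_entry_origin(entry: CsrfEntry, url: str, referrer: str,
                                  token: str, base_url: str) -> bool:
    """Same decision, but the whitelist compares the parsed origin exactly."""
    allowed = origin_of(base_url)
    whitelisted = allowed is not None and origin_of(referrer) == allowed
    return whitelisted or (
        entry.url_matches(url)
        and entry.referrer_matches(referrer)
        and entry.token_matches(token)
    )


# Constructed sample inputs with hypothetical hosts.
BASE_URL = "https://my.jira.com"  # no port and no trailing slash: weakest prefix
ENTRY = CsrfEntry(url="https://fecru.example/context/oauth",
                  referrer="https://my.jira.com/", token="tok-1")
JIRA_REFERRER = "https://my.jira.com/plugins/servlet/oauth/authorize"
LOOKALIKE_REFERRER = "https://my.jira.com.attacker.example/"


def demo() -> dict:
    """Outcomes of both checks for the sample inputs; "x" is a wrong token."""
    return {
        "prefix_jira": found_valid_csrf_entry_prefix(ENTRY, ENTRY.url, JIRA_REFERRER, "x", BASE_URL),
        "prefix_lookalike": found_valid_csrf_entry_prefix(ENTRY, ENTRY.url, LOOKALIKE_REFERRER, "x", BASE_URL),
        "origin_jira": found_valid_csrf_entry_origin(ENTRY, ENTRY.url, JIRA_REFERRER, "x", BASE_URL),
        "origin_lookalike": found_valid_csrf_entry_origin(ENTRY, ENTRY.url, LOOKALIKE_REFERRER, "x", BASE_URL),
        # No whitelist hit, but the stored entry matches url, referrer and token.
        "origin_stored_entry": found_valid_csrf_entry_origin(ENTRY, ENTRY.url, ENTRY.referrer, "tok-1", "https://other.example"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'valid' if ok else 'XSRF Validation Failed'}")
```

      Running it shows the prefix version accepting both the Jira Referer and the look-alike host, and the origin version accepting only the Jira Referer while still honouring a fully matching stored entry. With the port included, as in the rule's own https://my.jira.com:8080 example, a browser-sent Referer cannot extend the prefix into a different host, which is why the port (or a trailing slash) matters when filling in <base_url>.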
      

              Assignee: Oleksii Barandii (Inactive)
              Reporter: Aaron
              Votes: 0
              Watchers: 7
              Created:
              Updated:
              Resolved:
              Original Estimate: Not Specified
              Remaining Estimate: Not Specified
              Time Spent: 0.15h