Set StatusCode to 400 on web panels and REST procedures that fail CSR…

…F token validation
genexuslabs · Dec 26, 2023 · 6b8ec0e · 6b8ec0e
1 parent 32eada9
commit 6b8ec0e
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 14 deletions.
diff --git a/dotnet/src/dotnetcore/GxNetCoreStartup/Startup.cs b/dotnet/src/dotnetcore/GxNetCoreStartup/Startup.cs
@@ -501,7 +501,6 @@ bool IsAspx(HttpContext context, string basePath)
 	}
 	public class CustomExceptionHandlerMiddleware
 	{
-		const string InvalidCSRFToken = "InvalidCSRFToken";
 		static readonly IGXLogger log = GXLoggerFactory.GetLogger<CustomExceptionHandlerMiddleware>();
 		public async Task Invoke(HttpContext httpContext)
 		{
@@ -516,9 +515,8 @@ public async Task Invoke(HttpContext httpContext)
 				}
 				else if (ex is AntiforgeryValidationException)
 				{
-					//"The required antiforgery header value "X-GXCSRF-TOKEN" is not present.
 					httpStatusCode = HttpStatusCode.BadRequest;
-					httpReasonPhrase = InvalidCSRFToken;
+					httpReasonPhrase = HttpHelper.InvalidCSRFToken;
 					GXLogging.Error(log, $"Validation of antiforgery failed", ex);
 				}
 				else

diff --git a/dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs b/dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs
@@ -93,7 +93,7 @@ public class HttpHelper
 		const string GAM_CODE_TFA_USER_MUST_VALIDATE = "410";
 		const string GAM_CODE_TOKEN_EXPIRED = "103";
 		static Regex CapitalsToTitle = new Regex(@"(?<=[A-Z])(?=[A-Z][a-z]) | (?<=[^A-Z])(?=[A-Z]) | (?<=[A-Za-z])(?=[^A-Za-z])", RegexOptions.IgnorePatternWhitespace);
-
+		internal const string InvalidCSRFToken = "InvalidCSRFToken";
 		const string CORS_MAX_AGE_SECONDS = "86400";
 		internal static void CorsHeaders(HttpContext httpContext)
 		{
@@ -286,10 +286,14 @@ internal static void TraceUnexpectedError(Exception ex)
 		}
 
 		internal static void SetUnexpectedError(HttpContext httpContext, HttpStatusCode statusCode, Exception ex)
+		{
+			string statusCodeDesc = StatusCodeToTitle(statusCode);
+			SetUnexpectedError(httpContext, statusCode, statusCodeDesc, ex);
+		}
+		internal static void SetUnexpectedError(HttpContext httpContext, HttpStatusCode statusCode, string statusCodeDesc, Exception ex)
 		{
 			TraceUnexpectedError(ex);
 			string statusCodeStr = statusCode.ToString(INT_FORMAT);
-			string statusCodeDesc = StatusCodeToTitle(statusCode);
 			SetResponseStatus(httpContext, statusCode, statusCodeDesc);
 			SetJsonError(httpContext, statusCodeStr, statusCodeDesc);
 		}

diff --git a/dotnet/src/dotnetframework/GxClasses/Middleware/GXHttp.cs b/dotnet/src/dotnetframework/GxClasses/Middleware/GXHttp.cs
@@ -36,17 +36,17 @@ namespace GeneXus.Http
 	using System.Web;
 	using System.Web.UI;
 	using System.Web.UI.WebControls;
-	using System.Web.Script.Serialization;
 	using System.Net;
 	using GeneXus.Notifications;
 	using Web.Security;
 	using System.Web.SessionState;
-	using GeneXus.Mock;
 	using GeneXus.Data.NTier;
-#endif
+	using System.Web.Mvc;
+	using System.Security;
 
 
 
+#endif
 #if NETCORE
 	public abstract class GXHttpHandler : GXBaseObject, IHttpHandler
 #else
@@ -1905,8 +1905,9 @@ public bool IsMain
 			get { return _isMain; }
 		}
 #endif
-
-
+#if !NETCORE
+		[SecuritySafeCritical]
+#endif
 		public void ProcessRequest(HttpContext httpContext)
 		{
 			localHttpContext = httpContext;
@@ -1981,9 +1982,20 @@ public void ProcessRequest(HttpContext httpContext)
 					context.CloseConnections();
 				}
 				catch { }
-				Exception exceptionToHandle = e.InnerException ?? e;
-				handleException(exceptionToHandle.GetType().FullName, exceptionToHandle.Message, exceptionToHandle.StackTrace);
-				throw new Exception("GXApplication exception", e);
+#if !NETCORE
+				if (e is HttpAntiForgeryException)
+				{
+					httpContext.Response.StatusCode = (int)HttpStatusCode.BadRequest;
+					httpContext.Response.StatusDescription = HttpHelper.InvalidCSRFToken;
+					GXLogging.Error(log, $"Validation of antiforgery failed", e);
+				}
+				else
+#endif
+				{
+					Exception exceptionToHandle = e.InnerException ?? e;
+					handleException(exceptionToHandle.GetType().FullName, exceptionToHandle.Message, exceptionToHandle.StackTrace);
+					throw new Exception("GXApplication exception", e);
+				}
 			}
 		}
 		protected virtual bool ChunkedStreaming() { return false; }

diff --git a/dotnet/src/dotnetframework/GxClasses/Services/GXRestServices.cs b/dotnet/src/dotnetframework/GxClasses/Services/GXRestServices.cs
@@ -389,10 +389,14 @@ public void WebException(Exception ex)
             {
                 throw ex;
             }
-            else if (ex is FormatException || (RestAPIHelpers.ValidateCsrfToken() && AntiForgeryException(ex)))
+            else if (ex is FormatException)
 			{
 				HttpHelper.SetUnexpectedError(httpContext, HttpStatusCode.BadRequest, ex);
 			}
+			else if (RestAPIHelpers.ValidateCsrfToken() && AntiForgeryException(ex))
+			{
+				HttpHelper.SetUnexpectedError(httpContext, HttpStatusCode.BadRequest, HttpHelper.InvalidCSRFToken, ex);
+			}
 			else
             {
 				HttpHelper.SetUnexpectedError(httpContext, HttpStatusCode.InternalServerError, ex);