#2177 change position of ValidateAntiForgeryToken in svelte apps in header of a request because its future-proof because the ValidateAntiForgeryToken in asp.net core is checking also the header. currently also a CustomValidateAntiForgeryToken will check in this version the header. codeql will certainly not recognize this, but the check exists.

Author: DavidBlaa

Components/App/BExIS.App.Bootstrap/Attributes/CustomValidateAntiForgeryToken.cs

@@ -18,6 +18,7 @@ public void OnAuthorization(AuthorizationContext filterContext)
                 var formToken = request.Form["__RequestVerificationToken"];
 
                 // check header for post from javascript
+
                 if (formToken==null)
                 {
                     formToken = request.Headers["__RequestVerificationToken"];

Console/BExIS.Web.Shell.Svelte/package-lock.json

@@ -52,7 +52,7 @@
 	},
 	"type": "module",
 	"dependencies": {
-		"@bexis2/bexis2-core-ui": "0.4.53",
+		"@bexis2/bexis2-core-ui": "0.4.58",
 		"@sveltejs/adapter-static": "3.0.2",
 		"buffer": "6.0.3",
 		"gray-matter": "4.0.3",

Console/BExIS.Web.Shell.Svelte/package.json

@@ -50,7 +50,7 @@
 	},
 	"type": "module",
 	"dependencies": {
-		"@bexis2/bexis2-core-ui": "0.4.53",
+		"@bexis2/bexis2-core-ui": "0.4.58",
 		"@bexis2/bexis2-rpm-ui": "0.2.11",
 		"@floating-ui/dom": "1.6.8",
 		"@fortawesome/free-solid-svg-icons": "6.6.0",

Console/BExIS.Web.Shell/Areas/DCM/BExIS.Modules.Dcm.UI.Svelte/package-lock.json

@@ -244,7 +244,7 @@ public JsonResult Get(long id)
 
         [JsonNetFilter]
         [HttpPost]
-        [ValidateAntiForgeryToken]
+        [CustomValidateAntiForgeryToken]
         public JsonResult Create(CreateModel data)
         {
             if (data == null) return Json(false);

Console/BExIS.Web.Shell/Areas/DCM/BExIS.Modules.Dcm.UI.Svelte/package.json

@@ -77,7 +77,7 @@ public JsonResult Delete(long id)
 
         [JsonNetFilter]
         [HttpPost]
-        [ValidateAntiForgeryToken]
+        [CustomValidateAntiForgeryToken]
         public JsonResult Update(EntityTemplateModel entityTemplate)
         {
             using (var entityTemplateManager = new EntityTemplateManager())

Console/BExIS.Web.Shell/Areas/DCM/BExIS.Modules.Dcm.UI/Controllers/CreateController.cs

@@ -1555,6 +1555,11 @@ public JsonResult UpdateSimpleUsageWithParty(string xpath, long partyId,long ent
         {
             try
             {
+                if (!XmlUtility.IsSafeXPath(xpath))
+                {
+                    return Json(false, JsonRequestBehavior.AllowGet);
+                }
+
                 AddXmlAttribute(xpath, "partyid", partyId.ToString(), entityId);
 
                 return Json(true, JsonRequestBehavior.AllowGet);
@@ -2059,13 +2064,11 @@ private StepInfo LoadStepsBasedOnUsage(BaseUsage usage, StepInfo current, string
                 if (usage is MetadataPackageUsage)
                 {
                     keyValueDic.Add("type", BExIS.Xml.Helpers.XmlNodeType.MetadataPackageUsage.ToString());
-                    //elements = XmlUtility.GetXElementsByAttribute(usage.Label, keyValueDic, xMetadata).ToList();
                     parentXElement = XmlUtility.GetXElementByXPath(parent.XPath, xMetadata);
                 }
                 else
                 {
                     keyValueDic.Add("type", BExIS.Xml.Helpers.XmlNodeType.MetadataAttributeUsage.ToString());
-                    //elements = XmlUtility.GetXElementsByAttribute(usage.Label, keyValueDic, xMetadata, parentXpath).ToList();
                     parentXElement = XmlUtility.GetXElementByXPath(parent.XPath, xMetadata);
                 }
 
@@ -2764,7 +2767,7 @@ private string storeGeneratedFilePathToContentDiscriptor(long datasetId, Dataset
         /// Is called when the user write a letter in Autocomplete User Component
         /// </summary>
         [HttpPost]
-        [ValidateAntiForgeryToken]
+        [CustomValidateAntiForgeryToken]
         public ActionResult _AutoCompleteAjaxLoading(string text, long id, string type)
         {
             // if mapping with etities exits
@@ -3101,6 +3104,11 @@ private void UpdateAttribute(BaseUsage parentUsage, int packageNumber, BaseUsage
         //ToDo really said function, but cant find a other solution for now
         private void AddXmlAttribute(string xpath, string attrName, string attrValue,long entityId)
         {
+            if(XmlUtility.IsSafeXPath(xpath) == false)
+            {
+                throw new Exception("The provided xpath is not safe.");
+            }
+
             TaskManager = FormHelper.GetTaskManager(entityId);
             XDocument metadataXml = getMetadata(TaskManager);
 
@@ -3239,7 +3247,7 @@ private void validationAgainstJsonSchema()
 
         //XX number of index des values nötig
         [HttpPost]
-        [ValidateAntiForgeryToken]
+        [CustomValidateAntiForgeryToken]
         public ActionResult ValidateMetadataAttributeUsage(string value, int id, int parentid, string parentname, int number, int parentModelNumber, int parentStepId, long entityId)
         {
             //delete all white spaces from start and end
@@ -3329,7 +3337,7 @@ public ActionResult ValidateMetadataAttributeUsage(string value, int id, int par
         }
 
         [HttpPost]
-        [ValidateAntiForgeryToken]
+        [CustomValidateAntiForgeryToken]
         public ActionResult ValidateMetadataParameterUsage(string value, int id, long attrUsageId, int number, int parentModelNumber, int parentStepId, long entityId)
         {
             //delete all white spaces from start and end

Console/BExIS.Web.Shell/Areas/DCM/BExIS.Modules.Dcm.UI/Controllers/EntityTemplatesController.cs

@@ -89,7 +89,7 @@ public JsonResult Load(long id, int version)
         }
 
         [HttpPost]
-        [ValidateAntiForgeryToken]
+        [CustomValidateAntiForgeryToken]
         public JsonResult Upload(long id)
         {
             // load edit dataset cache
@@ -161,7 +161,7 @@ public JsonResult Upload(long id)
         }
 
         [HttpPost]
-        [ValidateAntiForgeryToken]
+        [CustomValidateAntiForgeryToken]
         public JsonResult RemoveFile(long id, BExIS.UI.Hooks.Caches.FileInfo file)
         {
             // load edit dataset cache
@@ -226,7 +226,7 @@ public JsonResult RemoveFile(long id, BExIS.UI.Hooks.Caches.FileInfo file)
         }
 
         [HttpPost]
-        [ValidateAntiForgeryToken]
+        [CustomValidateAntiForgeryToken]
         public JsonResult SaveFileDescription(long id, BExIS.UI.Hooks.Caches.FileInfo file, string description)
         {
             HookManager hookManager = new HookManager();

Console/BExIS.Web.Shell/Areas/DCM/BExIS.Modules.Dcm.UI/Controllers/FormController.cs

@@ -106,7 +106,7 @@ public JsonResult Load(long id, int version)
         }
 
         [HttpPost]
-        [ValidateAntiForgeryToken]
+        [CustomValidateAntiForgeryToken]
         public JsonResult RemoveFile(long id, FileInfo file)
         {
             // remove file from server
@@ -142,7 +142,7 @@ public JsonResult RemoveFile(long id, FileInfo file)
         /// <param name="file"></param>
         /// <returns></returns>
         [HttpPost]
-        [ValidateAntiForgeryToken]
+        [CustomValidateAntiForgeryToken]
         public JsonResult RevertFile(long id, FileInfo file)
         {
             // remove file from server
@@ -186,7 +186,7 @@ public JsonResult RevertFile(long id, FileInfo file)
         /// <returns></returns>
         /// <exception cref="Exception"></exception>
         [HttpPost]
-        [ValidateAntiForgeryToken]
+        [CustomValidateAntiForgeryToken]
         public JsonResult SaveFileDescription(long id, BExIS.UI.Hooks.Caches.FileInfo file)
         {
             // remove file from cache