Merge branch 'master' into jakarta

Author: forgedhallpass

assets/images/credentials_included.png

@@ -328,7 +328,6 @@ org.owasp.csrfguard.Config.Print = true
 
 ##################################################################
 ## Javascript servlet settings if not set in web.xml            ##
-## https://wiki.owasp.org/index.php/CSRFGuard_3_Token_Injection ##
 ##################################################################
 
 # This property denotes the location of the JavaScript template file that should be consumed and dynamically

assets/images/csrfguard_3.1.0.png renamed to assets/images/csrfguard.png

@@ -106,7 +106,10 @@ public final class JavaScriptServlet extends HttpServlet {
         JS_REPLACEMENT_MAP.put(SERVLET_PATH_IDENTIFIER, (csrfGuard, request) -> StringUtils.defaultString(request.getContextPath() + request.getServletPath()));
         JS_REPLACEMENT_MAP.put(X_REQUESTED_WITH_IDENTIFIER, (csrfGuard, request) -> StringUtils.defaultString(csrfGuard.getJavascriptXrequestedWith()));
         JS_REPLACEMENT_MAP.put(DYNAMIC_NODE_CREATION_EVENT_NAME_IDENTIFIER, (csrfGuard, request) -> StringUtils.defaultString(csrfGuard.getJavascriptDynamicNodeCreationEventName()));
-        JS_REPLACEMENT_MAP.put(DOMAIN_ORIGIN_IDENTIFIER, (csrfGuard, request) -> ObjectUtils.defaultIfNull(csrfGuard.getDomainOrigin(), StringUtils.defaultString(parseDomain(request.getRequestURL()))));
+        JS_REPLACEMENT_MAP.put(DOMAIN_ORIGIN_IDENTIFIER, (csrfGuard, request) -> ObjectUtils.firstNonNull(
+                csrfGuard.getDomainOrigin(),
+                getFirstHost(request.getHeader("X-Forwarded-Host")),
+                StringUtils.defaultString(JavaScriptServlet.parseDomain(request.getRequestURL()))));
         JS_REPLACEMENT_MAP.put(INJECT_INTO_FORMS_IDENTIFIER, (csrfGuard, request) -> Boolean.toString(csrfGuard.isJavascriptInjectIntoForms()));
         JS_REPLACEMENT_MAP.put(INJECT_GET_FORMS_IDENTIFIER, (csrfGuard, request) -> Boolean.toString(csrfGuard.isJavascriptInjectGetForms()));
         JS_REPLACEMENT_MAP.put(INJECT_FORM_ATTRIBUTES_IDENTIFIER, (csrfGuard, request) -> Boolean.toString(csrfGuard.isJavascriptInjectFormAttributes()));
@@ -242,6 +245,28 @@ private static String parseDomain(final StringBuffer url) {
         }
     }
 
+    /**
+     * @param commaSeparatedHosts (e.g. "fox1:443, spring2:444"). Nullable
+     * @return the first host in the list(e.g. "fox1" without port number). null if commaSeparatedHosts is invalid/null/blank
+     */
+    private static String getFirstHost(String commaSeparatedHosts) {
+        if (StringUtils.isBlank(commaSeparatedHosts)) { 
+            commaSeparatedHosts = null;
+        }else {
+            commaSeparatedHosts = commaSeparatedHosts.split(",")[0];  // if there are multiple proxyPass in cascade, XForwardedHost became for example : "fox1:443, spring2:444", where fox1:443 is the first proxyPass encountered
+            if(commaSeparatedHosts.toLowerCase().startsWith("http")) {
+                try {
+                    commaSeparatedHosts = new URL(commaSeparatedHosts).getHost();
+                } catch (final MalformedURLException e) {
+                    commaSeparatedHosts = null;
+                }
+            } else { 
+                commaSeparatedHosts = commaSeparatedHosts.split(":")[0];
+            }
+        }
+        return commaSeparatedHosts;
+    }
+
     private void writeJavaScript(final CsrfGuard csrfGuard, final HttpServletRequest request, final HttpServletResponse response) throws IOException {
         final String refererHeader = request.getHeader("referer");
 

csrfguard-extensions/csrfguard-jsp-tags/src/main/resources/META-INF/tags/csrfguard.tld renamed to csrfguard-extensions/csrfguard-jsp-tags/src/main/resources/META-INF/csrfguard.tld

@@ -327,7 +327,7 @@ org.owasp.csrfguard.Config.Print = true
 
 ##################################################################
 ## Javascript servlet settings if not set in web.xml            ##
-## https://wiki.owasp.org/index.php/CSRFGuard_3_Token_Injection ##
+## https://owasp.org/www-project-csrfguard                      ##
 ##################################################################
 
 # This property denotes the location of the JavaScript template file that should be consumed and dynamically

csrfguard-test/csrfguard-test-jsp/src/main/webapp/WEB-INF/classes/Owasp.CsrfGuard.properties

@@ -79,8 +79,8 @@ If you have questions, would like to share or discuss ideas, please use the offi
 
 ## CSRFGuard 4.0 Release Notes:
 
-* [Support for stateless web applications](https://github.com/aramrami/OWASP-CSRFGuard/issues/122)
-* [Apply "TokenPerPage" approach to AJAX](https://github.com/aramrami/OWASP-CSRFGuard/issues/123)
+* [Support for stateless web applications](https://github.com/OWASP/www-project-csrfguard/issues/4)
+* [Apply "TokenPerPage" approach to AJAX](https://github.com/OWASP/www-project-csrfguard/issues/2)
 * [Reduced code duplication](https://github.com/aramrami/OWASP-CSRFGuard/issues/127)
 * [Proper multi-module maven project structure](https://github.com/aramrami/OWASP-CSRFGuard/issues/128)
 * [The test JSP web application now relies on the latest development JavaScript code](https://github.com/aramrami/OWASP-CSRFGuard/issues/133)

csrfguard/src/main/java/org/owasp/csrfguard/servlet/JavaScriptServlet.java

@@ -119,29 +119,29 @@
         <jsp-api.version>3.1.1</jsp-api.version>
         <jstl.version>3.0.0</jstl.version>
 
-        <maven-surefire-plugin.version>3.1.0</maven-surefire-plugin.version>
-        <maven-jar-plugin.version>3.3.0</maven-jar-plugin.version>
-        <maven-source-plugin.version>3.3.0</maven-source-plugin.version>
-        <maven-compiler-plugin.version>3.11.0</maven-compiler-plugin.version>
-        <maven-javadoc-plugin.version>3.5.0</maven-javadoc-plugin.version>
-        <maven-war-plugin.version>3.3.2</maven-war-plugin.version>
-        <maven-scm-plugin.version>2.0.1</maven-scm-plugin.version>
-        <maven-release-plugin.version>3.0.0-M7</maven-release-plugin.version>
-        <maven-deploy-plugin.version>3.1.1</maven-deploy-plugin.version>
+        <maven-surefire-plugin.version>3.3.0</maven-surefire-plugin.version>
+        <maven-jar-plugin.version>3.4.2</maven-jar-plugin.version>
+        <maven-source-plugin.version>3.3.1</maven-source-plugin.version>
+        <maven-compiler-plugin.version>3.13.0</maven-compiler-plugin.version>
+        <maven-javadoc-plugin.version>3.8.0</maven-javadoc-plugin.version>
+        <maven-war-plugin.version>3.4.0</maven-war-plugin.version>
+        <maven-scm-plugin.version>2.1.0</maven-scm-plugin.version>
+        <maven-release-plugin.version>3.1.1</maven-release-plugin.version>
+        <maven-deploy-plugin.version>3.1.2</maven-deploy-plugin.version>
 
-        <nexus-staging-maven-plugin.version>1.6.13</nexus-staging-maven-plugin.version>
-        <maven-gpg-plugin.version>3.1.0</maven-gpg-plugin.version>
+        <nexus-staging-maven-plugin.version>1.7.0</nexus-staging-maven-plugin.version>
+        <maven-gpg-plugin.version>3.2.4</maven-gpg-plugin.version>
 
-        <commons-lang3.version>3.12.0</commons-lang3.version>
-        <commons-io.version>2.12.0</commons-io.version>
-        <gson.version>2.10.1</gson.version>
-        <slf4j-api.version>2.0.6</slf4j-api.version>
+        <commons-lang3.version>3.14.0</commons-lang3.version>
+        <commons-io.version>2.16.1</commons-io.version>
+        <gson.version>2.11.0</gson.version>
+        <slf4j-api.version>2.0.13</slf4j-api.version>
 
-        <junit.version>5.9.3</junit.version>
+        <junit.version>5.10.3</junit.version>
         <mockito.version>4.11.0</mockito.version>
         <logback.version>1.3.5</logback.version> <!--versions starting from 1.4.x were compiled with Java 11-->
 
-        <dependency-check-maven.version>8.2.1</dependency-check-maven.version>
+        <dependency-check-maven.version>10.0.3</dependency-check-maven.version>
     </properties>
 
     <dependencyManagement>
@@ -396,6 +396,11 @@
                                 </goals>
                             </execution>
                         </executions>
+                        <configuration>
+                            <excludes>
+                                <exclude>ch.qos.logback:logback-classic</exclude>
+                            </excludes>
+                        </configuration>
                     </plugin>
                 </plugins>
             </build>

csrfguard/src/main/resources/csrfguard.properties

@@ -175,30 +175,4 @@ git push origin <tag_name>
 You can download pre-compiled versions from:
 
 * [Maven Central repository](https://search.maven.org/search?q=csrfguard)
-* [OSS Sonatype Nexus repository](https://oss.sonatype.org/#nexus-search;gav~~csrfguard~~~)
-
-## CSRFGuard 4.0.0 Release Notes
-
-* [Support for stateless web applications](https://github.com/aramrami/OWASP-CSRFGuard/issues/122)
-* [Apply "TokenPerPage" approach to AJAX](https://github.com/aramrami/OWASP-CSRFGuard/issues/123)
-* [Reduced code duplication](https://github.com/aramrami/OWASP-CSRFGuard/issues/127)
-* [Proper multi-module maven project structure](https://github.com/aramrami/OWASP-CSRFGuard/issues/128)
-* [The test JSP web application now relies on the latest development JavaScript code](https://github.com/aramrami/OWASP-CSRFGuard/issues/133)
-* [Improved code quality](https://github.com/aramrami/OWASP-CSRFGuard/issues/134)
-* [Addressing synchronous XMLHttpRequest deprecation](https://github.com/aramrami/OWASP-CSRFGuard/issues/137)
-* [Approach changed for master and page token retrieval](https://github.com/aramrami/OWASP-CSRFGuard/issues/139)
-* [Improved test coverage](https://github.com/aramrami/OWASP-CSRFGuard/issues/140)
-* [Better solution for looking up page tokens in the JS](https://github.com/aramrami/OWASP-CSRFGuard/issues/141)
-* [The javascript template is now parsable and minifiable](https://github.com/aramrami/OWASP-CSRFGuard/issues/142)
-* [Short-circuit the solution logic if CSRFGuard is disabled](https://github.com/aramrami/OWASP-CSRFGuard/issues/143)
-* [Do not generate page tokens for pages that are not protected](https://github.com/aramrami/OWASP-CSRFGuard/issues/144)
-* [Page tokens generated on first use are not sent back to the client](https://github.com/aramrami/OWASP-CSRFGuard/issues/145)
-* [Issue with the token-per-page support for REST endpoint containing path parameters](https://github.com/aramrami/OWASP-CSRFGuard/issues/146)
-* [Possible race condition on first access of endpoints when token-per-page and AJAX request options are enabled](https://github.com/aramrami/OWASP-CSRFGuard/issues/147)
-* [Tokens are not injected into dynamically created DOM elements ](https://github.com/aramrami/OWASP-CSRFGuard/issues/148)
-* [Make the configuration more resilient to errors](https://github.com/aramrami/OWASP-CSRFGuard/issues/149)
-* [Tokens should not be injected into external links if the domainStrict property is set to true](https://github.com/aramrami/OWASP-CSRFGuard/issues/150)
-* [Tokens not injected in dynamic content returned from Ajax](https://github.com/aramrami/OWASP-CSRFGuard/issues/151)
-* Heavily refactored, improved and more optimized code-base
-* Documentation update and typo fixes.
-* Copyright update and unification.
+* [OSS Sonatype Nexus repository](https://oss.sonatype.org/#nexus-search;gav~~csrfguard~~~)