Merge branch 'master' into jakarta

forgedhallpass · forgedhallpass · commit f31d592f3c6a · 2025-03-31T22:21:44.000+03:00
# Conflicts:
#	csrfguard-extensions/csrfguard-extension-session/pom.xml
#	csrfguard-extensions/csrfguard-jsp-tags/pom.xml
#	csrfguard-extensions/pom.xml
#	csrfguard-test/csrfguard-test-jsp/pom.xml
#	csrfguard-test/pom.xml
#	csrfguard/pom.xml
#	pom.xml
diff --git a/csrfguard-extensions/csrfguard-extension-session/pom.xml b/csrfguard-extensions/csrfguard-extension-session/pom.xml
@@ -53,4 +53,4 @@
             <artifactId>jakarta.servlet-api</artifactId>
         </dependency>
     </dependencies>
-</project>
+</project>
diff --git a/csrfguard-extensions/csrfguard-jsp-tags/pom.xml b/csrfguard-extensions/csrfguard-jsp-tags/pom.xml
@@ -69,4 +69,4 @@
             <artifactId>jakarta.servlet.jsp.jstl-api</artifactId>
         </dependency>
     </dependencies>
-</project>
+</project>
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuard.java b/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuard.java
@@ -215,6 +215,10 @@ public String getJavascriptCacheControl() {
         return config().getJavascriptCacheControl();
     }
 
+    public String getJavascriptTaggedCacheControl() {
+        return config().getJavascriptTaggedCacheControl();
+    }
+
     public Pattern getJavascriptRefererPattern() {
         return config().getJavascriptRefererPattern();
     }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/ConfigurationProvider.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/ConfigurationProvider.java
@@ -183,6 +183,11 @@ public interface ConfigurationProvider {
      */
     String getJavascriptCacheControl();
 
+    /**
+     * @return the configured JavaScript cache control when queried using a tag query param
+     */
+    String getJavascriptTaggedCacheControl();
+
     /**
      * @return the configured JavaScript "Referer" pattern to be used
      */
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/NullConfigurationProvider.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/NullConfigurationProvider.java
@@ -173,6 +173,10 @@ public String getJavascriptCacheControl() {
         return null;
     }
 
+    @Override public String getJavascriptTaggedCacheControl() {
+        return null;
+    }
+
     @Override
     public Pattern getJavascriptRefererPattern() {
         return null;
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/PropertiesConfigurationProvider.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/PropertiesConfigurationProvider.java
@@ -117,6 +117,8 @@ public class PropertiesConfigurationProvider implements ConfigurationProvider {
 
 	private String javascriptCacheControl;
 
+	private String javascriptTaggedCacheControl;
+
 	private Pattern javascriptRefererPattern;
 
 	private boolean javascriptInjectIntoForms;
@@ -304,6 +306,10 @@ public String getJavascriptCacheControl() {
 		return this.javascriptCacheControl;
 	}
 
+	@Override public String getJavascriptTaggedCacheControl() {
+		return this.javascriptTaggedCacheControl;
+	}
+
 	@Override
 	public Pattern getJavascriptRefererPattern() {
 		return this.javascriptRefererPattern;
@@ -548,6 +554,7 @@ private void javascriptInitParamsIfNeeded() {
 
 			if (servletConfig != null) {
 				this.javascriptCacheControl = getProperty(JavaScriptConfigParameters.CACHE_CONTROL, servletConfig);
+				this.javascriptTaggedCacheControl = getProperty(JavaScriptConfigParameters.CACHE_CONTROL_TAGGED, servletConfig);
 				this.javascriptDomainStrict = getProperty(JavaScriptConfigParameters.DOMAIN_STRICT, servletConfig);
 				this.javascriptInjectIntoAttributes = getProperty(JavaScriptConfigParameters.INJECT_INTO_ATTRIBUTES, servletConfig);
 				this.javascriptInjectGetForms = getProperty(JavaScriptConfigParameters.INJECT_GET_FORMS, servletConfig);
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/javascript/JavaScriptConfigParameters.java b/csrfguard/src/main/java/org/owasp/csrfguard/config/properties/javascript/JavaScriptConfigParameters.java
@@ -40,6 +40,7 @@ private JavaScriptConfigParameters() {}
     // TODO document the names of the configurations that can be used for overriding the values from the web.xml in the properties file
 
     public static final StringJsConfigParameter CACHE_CONTROL = new StringJsConfigParameter("cache-control", "org.owasp.csrfguard.JavascriptServlet.cacheControl", "private, max-age=28800");
+    public static final StringJsConfigParameter CACHE_CONTROL_TAGGED = new StringJsConfigParameter("cache-control", "org.owasp.csrfguard.JavascriptServlet.cacheControlTagged", "private, max-age=600");
     public static final StringJsConfigParameter REFERER_PATTERN  = new StringJsConfigParameter("referer-pattern", "org.owasp.csrfguard.JavascriptServlet.refererPattern", DEFAULT_REFERER_PATTERN);
     public static final StringJsConfigParameter UNPROTECTED_EXTENSIONS = new StringJsConfigParameter("unprotected-extensions", "org.owasp.csrfguard.JavascriptServlet.UnprotectedExtensions", StringUtils.EMPTY);
     public static final StringJsConfigParameter SOURCE_FILE_LOCATION = new StringJsConfigParameter("source-file", "org.owasp.csrfguard.JavascriptServlet.sourceFile", null);
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/servlet/JavaScriptServlet.java b/csrfguard/src/main/java/org/owasp/csrfguard/servlet/JavaScriptServlet.java
@@ -38,6 +38,7 @@
 import org.owasp.csrfguard.session.LogicalSession;
 import org.owasp.csrfguard.token.storage.LogicalSessionExtractor;
 import org.owasp.csrfguard.token.transferobject.TokenTO;
+import org.owasp.csrfguard.util.ConvertUtil;
 import org.owasp.csrfguard.util.CsrfGuardUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -50,6 +51,7 @@
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.nio.charset.Charset;
+import java.security.MessageDigest;
 import java.util.*;
 import java.util.function.BiFunction;
 import java.util.regex.Pattern;
@@ -198,6 +200,12 @@ public void doPost(final HttpServletRequest request, final HttpServletResponse r
         }
     }
 
+    public static String getJavaScriptEtag(final HttpServletRequest request) {
+        final CsrfGuard csrfGuard = CsrfGuard.getInstance();
+        final String[] replacementList = JS_REPLACEMENT_MAP.values().stream().map(v -> v.apply(csrfGuard, request)).toArray(String[]::new);
+        return md5Hex(StringUtils.replaceEach(csrfGuard.getJavascriptTemplateCode(), JS_REPLACEMENT_MAP.keySet().toArray(new String[0]), replacementList));
+    }
+
     private static void writeTokens(final HttpServletResponse response, final TokenTO tokenTO) throws IOException {
         final String jsonTokenTO = tokenTO.toString();
 
@@ -210,22 +218,24 @@ private static void writeTokens(final HttpServletResponse response, final TokenT
 
     private static void writeJavaScript(final HttpServletRequest request, final HttpServletResponse response) throws IOException {
         final CsrfGuard csrfGuard = CsrfGuard.getInstance();
+        final String[] replacementList = JS_REPLACEMENT_MAP.values().stream().map(v -> v.apply(csrfGuard, request)).toArray(String[]::new);
+        final String code = StringUtils.replaceEach(csrfGuard.getJavascriptTemplateCode(), JS_REPLACEMENT_MAP.keySet().toArray(new String[0]), replacementList);
+        final String etag = md5Hex(code);
+        if (etag != null) response.setHeader("ETag", etag);
+        response.setContentType(JAVASCRIPT_MIME_TYPE);
 
-        /* cannot cache if rotate or token-per-page is enabled */
-        if (csrfGuard.isRotateEnabled() || csrfGuard.isTokenPerPageEnabled()) {
-            response.setHeader("Cache-Control", "no-cache, no-store");
-            response.setHeader("Pragma", "no-cache");
-            response.setHeader("Expires", "0");
+        if (request.getHeader("If-None-Match") != null && request.getHeader("If-None-Match").equals(etag)) {
+            response.setStatus(HttpServletResponse.SC_NOT_MODIFIED);
+            return;
+        }
+
+        if (request.getParameter("tag") != null && request.getParameter("tag").equals(etag)) {
+            response.setHeader("Cache-Control", csrfGuard.getJavascriptTaggedCacheControl());
+        } else if (csrfGuard.isRotateEnabled() || csrfGuard.isTokenPerPageEnabled()) {
+            response.setHeader("Cache-Control", "private, no-cache, no-store, max-age=0");
         } else {
             response.setHeader("Cache-Control", csrfGuard.getJavascriptCacheControl());
         }
-
-        response.setContentType(JAVASCRIPT_MIME_TYPE);
-
-        final String[] replacementList = JS_REPLACEMENT_MAP.values().stream().map(v -> v.apply(csrfGuard, request)).toArray(String[]::new);
-
-        final String code = StringUtils.replaceEach(csrfGuard.getJavascriptTemplateCode(), JS_REPLACEMENT_MAP.keySet().toArray(new String[0]), replacementList);
-
         response.getWriter().write(code);
     }
 
@@ -311,4 +321,14 @@ private void writeJavaScript(final CsrfGuard csrfGuard, final HttpServletRequest
 
         writeJavaScript(request, response);
     }
+
+    private static String md5Hex(String input) {
+        try {
+            byte[] digest = MessageDigest.getInstance("MD5").digest(input.getBytes());
+            return ConvertUtil.bytesToHex(digest);
+        } catch (Exception e) {
+            LOGGER.debug("Unable to generate ETag", e);
+        }
+        return null;
+    }
 }
diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/util/ConvertUtil.java b/csrfguard/src/main/java/org/owasp/csrfguard/util/ConvertUtil.java
@@ -0,0 +1,50 @@
+/*
+ * The OWASP CSRFGuard Project, BSD License
+ * Copyright (c) 2011, Eric Sheridan (eric@infraredsecurity.com)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *     this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of OWASP nor the names of its contributors may be used
+ *     to endorse or promote products derived from this software without specific
+ *     prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.owasp.csrfguard.util;
+
+import java.nio.charset.StandardCharsets;
+
+/**
+ * @author Jerome Blanchard
+ */
+public class ConvertUtil {
+
+    private static final byte[] HEX_ARRAY = "0123456789ABCDEF".getBytes(StandardCharsets.US_ASCII);
+
+    public static String bytesToHex(byte[] bytes) {
+        byte[] hexChars = new byte[bytes.length * 2];
+        for (int j = 0; j < bytes.length; j++) {
+            int v = bytes[j] & 0xFF;
+            hexChars[j * 2] = HEX_ARRAY[v >>> 4];
+            hexChars[j * 2 + 1] = HEX_ARRAY[v & 0x0F];
+        }
+        return new String(hexChars, StandardCharsets.UTF_8);
+    }
+}
diff --git a/csrfguard/src/main/resources/csrfguard.js b/csrfguard/src/main/resources/csrfguard.js
@@ -683,6 +683,7 @@ if (owaspCSRFGuardScriptHasLoaded !== true) {
 
                     /**
                      * For the library to function correctly, all the URLs must start with a forward slash (/)
+                     * or a full URL (http://example.com, https://example.com, //example.com).
                      * Parameters must be removed from the URL
                      */
                     var normalizeUrl = function(url) {
@@ -691,10 +692,8 @@ if (owaspCSRFGuardScriptHasLoaded !== true) {
                             return index > 0 ? currentUrl.substring(0, index) : currentUrl;
                         }
 
-                        /*
-                         * TODO should other checks be done here like in the isValidUrl?
-                         * Could the url parameter contain full URLs with protocol domain, port etc?
-                         */
+                        let splittedUrl = /^(?:https?:)?\/\/[^\/]*(\/[^#?]*)?.*/.exec(url);
+                        url = (splittedUrl) ? splittedUrl[1] || "/" : url;
                         let normalizedUrl = startsWith(url, '/') ? url : '/' + url;
 
                         normalizedUrl = removeParameters(normalizedUrl, '?');
diff --git a/csrfguard/src/main/resources/csrfguard.properties b/csrfguard/src/main/resources/csrfguard.properties
@@ -351,12 +351,18 @@ org.owasp.csrfguard.JavascriptServlet.domainStrict = true
 # "TokenPerPage" options is set to true in Owasp.CsrfGuard.properties.
 org.owasp.csrfguard.JavascriptServlet.cacheControl = private, max-age=28800
 
-# Allows the developer to specify a regular expression describing the required value of the 
-# Referer header. Any attempts to access the servlet with a Referer header that does not 
-# match the captured expression is discarded. Inclusion of referer header checking is to 
-# help minimize the risk of JavaScript Hijacking attacks that attempt to steal tokens from 
-# the dynamically generated JavaScript. While the primary defenses against JavaScript 
-# Hijacking attacks are implemented within the dynamic JavaScript itself, referer header 
+# Allows the developer to specify the value of the Cache-Control header in the HTTP response
+# when serving the dynamic JavaScript file included with a tag query param that equals the generated ETag.
+# In that specific case you can assume a client cache without revalidation and use a custom cache duration.
+# Be aware to NOT USE that option together with the "Rotate" or "TokenPerPage" options.
+org.owasp.csrfguard.JavascriptServlet.cacheControlTagged = private, max-age=600
+
+# Allows the developer to specify a regular expression describing the required value of the
+# Referer header. Any attempts to access the servlet with a Referer header that does not
+# match the captured expression is discarded. Inclusion of referer header checking is to
+# help minimize the risk of JavaScript Hijacking attacks that attempt to steal tokens from
+# the dynamically generated JavaScript. While the primary defenses against JavaScript
+# Hijacking attacks are implemented within the dynamic JavaScript itself, referer header
 # checking is implemented to achieve defense in depth.
 org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
 
@@ -496,4 +502,4 @@ org.owasp.csrfguard.forceSynchronousAjax = false
 # The purpose of this feature is to provide a way to prevent Internet Explorer users from accessing the web application.
 # Internet Explorer is identified using the "msie" and "trident" strings.
 org.owasp.csrfguard.bannedUserAgentProperty.InternetExplorer1 = msie
-org.owasp.csrfguard.bannedUserAgentProperty.InternetExplorer2 = trident
+org.owasp.csrfguard.bannedUserAgentProperty.InternetExplorer2 = trident
diff --git a/info.md b/info.md
@@ -33,21 +33,21 @@ Add the following dependencies to your Maven POM file to use the library:
 <dependency>
     <groupId>org.owasp</groupId>
     <artifactId>csrfguard</artifactId>
-    <version>4.3.0</version>
+    <version>4.4.0</version>
 </dependency>
 
 <!-- Stateful web application support -->
 <dependency>
-	<groupId>org.owasp</groupId>
-	<artifactId>csrfguard-extension-session</artifactId>
-	<version>4.3.0</version>
+    <groupId>org.owasp</groupId>
+    <artifactId>csrfguard-extension-session</artifactId>
+    <version>4.4.0</version>
 </dependency>
 
 <!-- JSP TAG support -->
 <dependency>
-	<groupId>org.owasp</groupId>
-	<artifactId>csrfguard-jsp-tags</artifactId>
-	<version>4.3.0</version>
+    <groupId>org.owasp</groupId>
+    <artifactId>csrfguard-jsp-tags</artifactId>
+    <version>4.4.0</version>
 </dependency>
 ```
 
diff --git a/pom.xml b/pom.xml
@@ -119,31 +119,31 @@
         <jsp-api.version>3.1.1</jsp-api.version>
         <jstl.version>3.0.0</jstl.version>
 
-        <maven-surefire-plugin.version>3.5.1</maven-surefire-plugin.version>
+        <maven-surefire-plugin.version>3.5.2</maven-surefire-plugin.version>
         <maven-jar-plugin.version>3.4.2</maven-jar-plugin.version>
         <maven-source-plugin.version>3.3.1</maven-source-plugin.version>
         <maven-compiler-plugin.version>3.13.0</maven-compiler-plugin.version>
-        <maven-javadoc-plugin.version>3.10.1</maven-javadoc-plugin.version>
+        <maven-javadoc-plugin.version>3.11.2</maven-javadoc-plugin.version>
         <maven-war-plugin.version>3.4.0</maven-war-plugin.version>
         <maven-scm-plugin.version>2.1.0</maven-scm-plugin.version>
         <maven-release-plugin.version>3.1.1</maven-release-plugin.version>
         <maven-deploy-plugin.version>3.1.3</maven-deploy-plugin.version>
-		<maven-clean-plugin.version>3.4.0</maven-clean-plugin.version>
-		<exec-maven-plugin.version>3.3.0</exec-maven-plugin.version>
+		<maven-clean-plugin.version>3.4.1</maven-clean-plugin.version>
+		<exec-maven-plugin.version>3.5.0</exec-maven-plugin.version>
 
         <nexus-staging-maven-plugin.version>1.7.0</nexus-staging-maven-plugin.version>
         <maven-gpg-plugin.version>3.2.7</maven-gpg-plugin.version>
 
         <commons-lang3.version>3.17.0</commons-lang3.version>
-        <commons-io.version>2.17.0</commons-io.version>
-        <gson.version>2.11.0</gson.version>
+        <commons-io.version>2.18.0</commons-io.version>
+        <gson.version>2.12.1</gson.version>
         <slf4j-api.version>2.0.16</slf4j-api.version>
 
-        <junit.version>5.11.2</junit.version>
+        <junit.version>5.11.4</junit.version>
         <mockito.version>4.11.0</mockito.version>
         <logback.version>1.5.11</logback.version> <!--versions starting from 1.4.x were compiled with Java 11-->
 
-        <dependency-check-maven.version>10.0.4</dependency-check-maven.version>
+        <dependency-check-maven.version>12.1.0</dependency-check-maven.version>
     </properties>
 
     <dependencyManagement>
diff --git a/readme.md b/readme.md
@@ -35,21 +35,21 @@ Add the following dependencies to your Maven POM file to use the library:
 <dependency>
     <groupId>org.owasp</groupId>
     <artifactId>csrfguard</artifactId>
-    <version>4.3.0</version>
+    <version>4.4.0</version>
 </dependency>
 
 <!-- Stateful web application support -->
 <dependency>
-	<groupId>org.owasp</groupId>
-	<artifactId>csrfguard-extension-session</artifactId>
-	<version>4.3.0</version>
+    <groupId>org.owasp</groupId>
+    <artifactId>csrfguard-extension-session</artifactId>
+    <version>4.4.0</version>
 </dependency>
 
 <!-- JSP TAG support -->
 <dependency>
-	<groupId>org.owasp</groupId>
-	<artifactId>csrfguard-jsp-tags</artifactId>
-	<version>4.3.0</version>
+    <groupId>org.owasp</groupId>
+    <artifactId>csrfguard-jsp-tags</artifactId>
+    <version>4.4.0</version>
 </dependency>
 ```
 

Original file line number	Diff line number	Diff line change
`@@ -215,6 +215,10 @@ public String getJavascriptCacheControl() {`
`215`	`215`	`return config().getJavascriptCacheControl();`
`216`	`216`	`}`
`217`	`217`
	`218`	`+ public String getJavascriptTaggedCacheControl() {`
	`219`	`+ return config().getJavascriptTaggedCacheControl();`
	`220`	`+ }`
	`221`	`+`
`218`	`222`	`public Pattern getJavascriptRefererPattern() {`
`219`	`223`	`return config().getJavascriptRefererPattern();`
`220`	`224`	`}`