

Merge pull request #1470 from sebastien-helbert/master
CSRF header should not be sent to cross-domain sites #1469
bnasslahsen authored Jan 26, 2022
2 parents d37b96f + 2f7cdc5 commit 9ae0ac6
Showing 1 changed file with 23 additions and 16 deletions.
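--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -199,18 +199,21 @@ private String addParameter(String html, String key, String value) {
 */
 protected String addCSRF(String html) {
 StringBuilder stringBuilder = new StringBuilder();
-stringBuilder.append("requestInterceptor: (request) => {\n");
-stringBuilder.append("const value = `; ${document.cookie}`;\n");
-stringBuilder.append("const parts = value.split(`; ");
-stringBuilder.append(swaggerUiConfig.getCsrf().getCookieName());
-stringBuilder.append("=`);\n");
-stringBuilder.append("if (parts.length === 2)\n");
-stringBuilder.append("request.headers['");
-stringBuilder.append(swaggerUiConfig.getCsrf().getHeaderName());
-stringBuilder.append("'] = parts.pop().split(';').shift();\n");
-stringBuilder.append("return request;\n");
-stringBuilder.append("},\n");
-stringBuilder.append(PRESETS);
+stringBuilder.append("requestInterceptor: (request) => {\n");
+stringBuilder.append("\t\t\tconst value = `; ${document.cookie}`;\n");
+stringBuilder.append("\t\t\tconst parts = value.split(`; ");
+stringBuilder.append(swaggerUiConfig.getCsrf().getCookieName());
+stringBuilder.append("=`);\n");
+stringBuilder.append("\t\t\tconst currentURL = new URL(document.URL);\n");
+stringBuilder.append("\t\t\tconst requestURL = new URL(request.url, document.location.origin);\n");
+stringBuilder.append("\t\t\tconst isSameOrigin = (currentURL.protocol === requestURL.protocol && currentURL.host === requestURL.host);\n");
+stringBuilder.append("\t\t\tif (isSameOrigin && parts.length === 2) ");
+stringBuilder.append("request.headers['");
+stringBuilder.append(swaggerUiConfig.getCsrf().getHeaderName());
+stringBuilder.append("'] = parts.pop().split(';').shift();\n");
+stringBuilder.append("\t\t\treturn request;\n");
+stringBuilder.append("\t\t},\n");
+stringBuilder.append("\t\t" + PRESETS);
 return html.replace(PRESETS, stringBuilder.toString());
 }
 
@@ -223,14 +226,18 @@ protected String addCSRF(String html) {
 protected String addCSRFLocalStorage(String html) {
 StringBuilder stringBuilder = new StringBuilder();
 stringBuilder.append("requestInterceptor: (request) => {\n");
-stringBuilder.append("const value = window.localStorage.getItem('");
+stringBuilder.append("t\t\tconst value = window.localStorage.getItem('");
 stringBuilder.append(swaggerUiConfig.getCsrf().getLocalStorageKey() + "');\n");
+stringBuilder.append("t\t\tconst currentURL = new URL(document.URL);\n");
+stringBuilder.append("t\t\tconst requestURL = new URL(request.url, document.location.origin);\n");
+stringBuilder.append("t\t\tconst isSameOrigin = (currentURL.protocol === requestURL.protocol && currentURL.host === requestURL.host);\n");
+stringBuilder.append("t\t\tif (isSameOrigin) ");
 stringBuilder.append("request.headers['");
 stringBuilder.append(swaggerUiConfig.getCsrf().getHeaderName());
 stringBuilder.append("'] = value;\n");
-stringBuilder.append("return request;\n");
-stringBuilder.append("},\n");
-stringBuilder.append(PRESETS);
+stringBuilder.append("t\t\treturn request;\n");
+stringBuilder.append("\t\t},\n");
+stringBuilder.append("\t\t" + PRESETS);
 return html.replace(PRESETS, stringBuilder.toString());
 }
 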
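Review bot: The six appends in addCSRFLocalStorage that start with `"t\t\t` (the `const value`, `const currentURL`, `const requestURL`, `const isSameOrigin`, `if (isSameOrigin)` and `return request;` lines) emit a literal `t` followed by two tabs instead of the `"\t\t\t` prefix used in addCSRF. If the escapes are as shown, the generated interceptor contains lines such as `t<tab><tab>const value = ...`, which appears to be a JavaScript syntax error, so in local-storage mode the requestInterceptor fails to parse and the CSRF header is never attached, which also makes the new same-origin guard untestable in that mode. Each of those lines should read like `stringBuilder.append("\t\t\tconst value = window.localStorage.getItem('");`. Since the three URL/isSameOrigin lines are now duplicated verbatim between addCSRF and addCSRFLocalStorage, consider hoisting that snippet into a `private static final String` so the origin check cannot drift between the two interceptors. Both methods are shown in full within their hunks.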

