ensure csrf is enabled

2025-10-25 11:17:28 +02:00 · 2024-12-10 11:17:50 +00:00 · 2024-12-10 11:17:50 +00:00 · c1c3eba398
commit c1c3eba398
parent 1639e0fc4c
4 changed files with 102 additions and 6 deletions
--- a/src/main/java/stirling/software/SPDF/config/InitialSetup.java
+++ b/src/main/java/stirling/software/SPDF/config/InitialSetup.java
@ -1,11 +1,14 @@
 package stirling.software.SPDF.config;

 import java.io.IOException;
+import java.util.Properties;
 import java.util.UUID;

 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
 import org.springframework.stereotype.Component;

 import io.micrometer.common.util.StringUtils;
@ -23,6 +26,18 @@ public class InitialSetup {
    @Autowired private ApplicationProperties applicationProperties;

    @PostConstruct
+    public void init() throws IOException {
+        initUUIDKey();
+        
+        initSecretKey();
+        
+        initEnableCSRFSecurity();
+        
+        initLegalUrls();
+        
+        initSetAppVersion();
+    }
+    
    public void initUUIDKey() throws IOException {
        String uuid = applicationProperties.getAutomaticallyGenerated().getUUID();
        if (!GeneralUtils.isValidUUID(uuid)) {
@ -32,7 +47,6 @@ public class InitialSetup {
        }
    }

-    @PostConstruct
    public void initSecretKey() throws IOException {
        String secretKey = applicationProperties.getAutomaticallyGenerated().getKey();
        if (!GeneralUtils.isValidUUID(secretKey)) {
@ -42,13 +56,24 @@ public class InitialSetup {
        }
    }

-    @PostConstruct
+    public void initEnableCSRFSecurity() throws IOException {
+    	if(GeneralUtils.isVersionHigher("0.36.0", applicationProperties.getAutomaticallyGenerated().getAppVersion())) {
+	        Boolean csrf = applicationProperties.getSecurity().getCsrfDisabled();
+			if (!csrf) {
+	            GeneralUtils.saveKeyToConfig("security.csrfDisabled", false, false);
+	            GeneralUtils.saveKeyToConfig("system.enableAnalytics", "true", false);
+	            applicationProperties.getSecurity().setCsrfDisabled(false);
+	            
+	        }
+    	}
+    }
+    
    public void initLegalUrls() throws IOException {
        // Initialize Terms and Conditions
        String termsUrl = applicationProperties.getLegal().getTermsAndConditions();
        if (StringUtils.isEmpty(termsUrl)) {
            String defaultTermsUrl = "https://www.stirlingpdf.com/terms-and-conditions";
-            GeneralUtils.saveKeyToConfig("legal.termsAndConditions", defaultTermsUrl);
+            GeneralUtils.saveKeyToConfig("legal.termsAndConditions", defaultTermsUrl, false);
            applicationProperties.getLegal().setTermsAndConditions(defaultTermsUrl);
        }

@ -56,8 +81,24 @@ public class InitialSetup {
        String privacyUrl = applicationProperties.getLegal().getPrivacyPolicy();
        if (StringUtils.isEmpty(privacyUrl)) {
            String defaultPrivacyUrl = "https://www.stirlingpdf.com/privacy-policy";
-            GeneralUtils.saveKeyToConfig("legal.privacyPolicy", defaultPrivacyUrl);
+            GeneralUtils.saveKeyToConfig("legal.privacyPolicy", defaultPrivacyUrl, false);
            applicationProperties.getLegal().setPrivacyPolicy(defaultPrivacyUrl);
        }
    }
+    
+    public void initSetAppVersion() throws IOException {
+    	
+    	String appVersion = "0.0.0";
+    	Resource resource = new ClassPathResource("version.properties");
+        Properties props = new Properties();
+        try {
+            props.load(resource.getInputStream());
+            appVersion =props.getProperty("version");
+        } catch(Exception e) {
+        	
+        }
+        applicationProperties.getAutomaticallyGenerated().setAppVersion(appVersion);
+        GeneralUtils.saveKeyToConfig("AutomaticallyGenerated.appVersion", appVersion,false);
+    	}
+    
 }
--- a/src/main/java/stirling/software/SPDF/model/ApplicationProperties.java
+++ b/src/main/java/stirling/software/SPDF/model/ApplicationProperties.java
@ -285,6 +285,7 @@ public class ApplicationProperties {
    public static class AutomaticallyGenerated {
        @ToString.Exclude private String key;
        private String UUID;
+        private String appVersion;
    }

    @Data
--- a/src/main/java/stirling/software/SPDF/utils/GeneralUtils.java
+++ b/src/main/java/stirling/software/SPDF/utils/GeneralUtils.java
@ -288,6 +288,10 @@ public class GeneralUtils {
    public static void saveKeyToConfig(String id, String key) throws IOException {
        saveKeyToConfig(id, key, true);
    }
+    public static void saveKeyToConfig(String id, boolean key) throws IOException {
+        saveKeyToConfig(id, key, true);
+    }
+    

    public static void saveKeyToConfig(String id, String key, boolean autoGenerated)
            throws IOException {
@ -306,6 +310,25 @@ public class GeneralUtils {
        }
        settingsYml.save();
    }
+    
+    public static void saveKeyToConfig(String id, boolean key, boolean autoGenerated) 
+    		throws IOException {
+    		    Path path = Paths.get("configs", "settings.yml");
+    		    
+    		    final YamlFile settingsYml = new YamlFile(path.toFile());
+    		    DumperOptions yamlOptionssettingsYml = 
+    		        ((SimpleYamlImplementation) settingsYml.getImplementation()).getDumperOptions();
+    		    yamlOptionssettingsYml.setSplitLines(false);
+    		    
+    		    settingsYml.loadWithComments();
+    		    
+    		    YamlFileWrapper writer = settingsYml.path(id).set(key);
+    		    if (autoGenerated) {
+    		        writer.comment("# Automatically Generated Settings (Do Not Edit Directly)");
+    		    }
+    		    settingsYml.save();
+    		}
+    

    public static String generateMachineFingerprint() {
        try {
@ -349,4 +372,34 @@ public class GeneralUtils {
            return "GenericID";
        }
    }
+    
+    public static boolean isVersionHigher(String currentVersion, String compareVersion) {
+        if (currentVersion == null || compareVersion == null) {
+            return false;
+        }
+
+        // Split versions into components
+        String[] current = currentVersion.split("\\.");
+        String[] compare = compareVersion.split("\\.");
+
+        // Get the length of the shorter version array
+        int length = Math.min(current.length, compare.length);
+
+        // Compare each component
+        for (int i = 0; i < length; i++) {
+            int currentPart = Integer.parseInt(current[i]);
+            int comparePart = Integer.parseInt(compare[i]);
+
+            if (currentPart > comparePart) {
+                return true;
+            }
+            if (currentPart < comparePart) {
+                return false;
+            }
+        }
+
+        // If all components so far are equal, the longer version is considered higher
+        return current.length > compare.length;
+    }
+    
 }
--- a/src/main/resources/settings.yml.template
+++ b/src/main/resources/settings.yml.template
@ -13,7 +13,7 @@

 security:
  enableLogin: false # set to 'true' to enable login
-  csrfDisabled: true # set to 'true' to disable CSRF protection (not recommended for production)
+  csrfDisabled: false # set to 'true' to disable CSRF protection (not recommended for production)
  loginAttemptCount: 5 # lock user account after 5 tries; when using e.g. Fail2Ban you can deactivate the function with -1
  loginResetTimeMinutes: 120 # lock account for 2 hours after x attempts
  loginMethod: all # Accepts values like 'all' and 'normal'(only Login with Username/Password), 'oauth2'(only Login with OAuth2) or 'saml2'(only Login with SAML2) 
@ -102,7 +102,8 @@ metrics:
 AutomaticallyGenerated:
  key: example
  UUID: example
-
+  appVersion: 0.35.0
+  
 processExecutor:
  sessionLimit:    # Process executor instances limits
    libreOfficeSessionLimit: 1