Adding missing Anti-Xsrf token validations in some Post actions

1. Also adding this validation on a AJAX only used action.
2014-08-08 12:46:36 -07:00 · 2014-08-08 12:46:36 -07:00 · ca515e3e87
parent 907a3c6cf3
commit ca515e3e87
4 changed files with 57 additions and 26 deletions
--- a/src/MusicStore/Controllers/ShoppingCartController.cs
+++ b/src/MusicStore/Controllers/ShoppingCartController.cs
@ -2,6 +2,8 @@
 using MusicStore.Models;
 using MusicStore.ViewModels;
 using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.Framework.DependencyInjection;

 namespace MusicStore.Controllers
 {
@ -19,7 +21,7 @@ namespace MusicStore.Controllers

        public IActionResult Index()
        {
-            var cart = ShoppingCart.GetCart(db, this.Context);
+            var cart = ShoppingCart.GetCart(db, Context);

            // Set up our ViewModel
            var viewModel = new ShoppingCartViewModel
@ -42,7 +44,7 @@ namespace MusicStore.Controllers
                .Single(album => album.AlbumId == id);

            // Add it to the shopping cart
-            var cart = ShoppingCart.GetCart(db, this.Context);
+            var cart = ShoppingCart.GetCart(db, Context);

            cart.AddToCart(addedAlbum);

@ -54,12 +56,30 @@ namespace MusicStore.Controllers

        //
        // AJAX: /ShoppingCart/RemoveFromCart/5
-
        [HttpPost]
-        public IActionResult RemoveFromCart(int id)
+        public async Task<IActionResult> RemoveFromCart(int id)
        {
+            var formParameters = await Context.Request.GetFormAsync();
+            var requestVerification = formParameters["RequestVerificationToken"];
+            string cookieToken = null;
+            string formToken = null;
+
+            if (!string.IsNullOrWhiteSpace(requestVerification))
+            {
+                var tokens = requestVerification.Split(':');
+
+                if (tokens != null && tokens.Length == 2)
+                {
+                    cookieToken = tokens[0];
+                    formToken = tokens[1];
+                }
+            }
+
+            var antiForgery = Context.RequestServices.GetService<AntiForgery>();
+            antiForgery.Validate(Context, new AntiForgeryTokenSet(formToken, cookieToken));
+
            // Retrieve the current user's shopping cart
-            var cart = ShoppingCart.GetCart(db, this.Context);
+            var cart = ShoppingCart.GetCart(db, Context);

            // Get the name of the album to display confirmation
            // TODO [EF] Turn into one query once query of related data is enabled
--- a/src/MusicStore/Controllers/StoreManagerController.cs
+++ b/src/MusicStore/Controllers/StoreManagerController.cs
@ -61,6 +61,7 @@ namespace MusicStore.Controllers

        // POST: /StoreManager/Create
        [HttpPost]
+        [ValidateAntiForgeryToken]
        public IActionResult Create(Album album)
        {
            if (ModelState.IsValid)
@ -94,6 +95,7 @@ namespace MusicStore.Controllers
        //
        // POST: /StoreManager/Edit/5
        [HttpPost]
+        [ValidateAntiForgeryToken]
        public IActionResult Edit(Album album)
        {
            if (ModelState.IsValid)
--- a/src/MusicStore/Models/ShoppingCart.cs
+++ b/src/MusicStore/Models/ShoppingCart.cs
@ -1,8 +1,7 @@
-using Microsoft.AspNet.Http;
-using Microsoft.Data.Entity;
-using System;
+using System;
 using System.Collections.Generic;
 using System.Linq;
+using Microsoft.AspNet.Http;

 namespace MusicStore.Models
 {
--- a/src/MusicStore/Views/ShoppingCart/Index.cshtml
+++ b/src/MusicStore/Views/ShoppingCart/Index.cshtml
@ -1,8 +1,18 @@
@model MusicStore.ViewModels.ShoppingCartViewModel
+@inject AntiForgery Xsrf
@{
    ViewBag.Title = "Shopping Cart";
 }

+@functions
+{
+    public string GetAntiXsrfToken()
+    {
+        var tokens = Xsrf.GetTokens(Context, null);
+        return tokens.CookieToken + ":" + tokens.FormToken;
+    }
+}
+
@section Scripts {
    <script type="text/javascript">
        $(function () {
@ -14,7 +24,7 @@
                if (recordToDelete != '') {

                    // Perform the ajax post
-                    $.post(PostToUrl, { "id": recordToDelete },
+                    $.post(PostToUrl, { "id": recordToDelete, "RequestVerificationToken": '@GetAntiXsrfToken()' },
                        function (data) {
                            // Successful requests get here
                            // Update the page elements
@ -58,24 +68,24 @@
    </tr>
    @foreach (var item in Model.CartItems)
    {
-        <tr id="row-@item.CartItemId">
-            <td>
-                @Html.ActionLink(item.Album.Title,
+    <tr id="row-@item.CartItemId">
+        <td>
+            @Html.ActionLink(item.Album.Title,
                    "Details", "Store", new { id = item.AlbumId }, null)
-            </td>
-            <td>
-                @item.Album.Price
-            </td>
-            <td id="item-count-@item.CartItemId">
-                @item.Count
-            </td>
-            <td>
-                <a href="#" class="RemoveLink" data-id="@item.CartItemId"
-                       data-url='@Url.Content("~/ShoppingCart/RemoveFromCart")'>
-                        Remove from cart
-                    </a>
-            </td>
-        </tr>
+        </td>
+        <td>
+            @item.Album.Price
+        </td>
+        <td id="item-count-@item.CartItemId">
+            @item.Count
+        </td>
+        <td>
+            <a href="#" class="RemoveLink" data-id="@item.CartItemId"
+               data-url='@Url.Content("~/ShoppingCart/RemoveFromCart")'>
+                Remove from cart
+            </a>
+        </td>
+    </tr>
    }
    <tr>
        <td>