Enable Antiforgery validation for rest services in .NET Framework

Author: claudiamurialdo

dotnet/src/dotnetcore/GxNetCoreStartup/Startup.cs

@@ -30,6 +30,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.FileProviders;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
 using StackExchange.Redis;
 
 
@@ -206,7 +207,14 @@ public void ConfigureServices(IServiceCollection services)
 				}
 			});
 
-
+			if (RestAPIHelpers.ValidateCsrfToken())
+			{
+				services.AddAntiforgery(options =>
+				{
+					options.HeaderName = HttpHeader.X_GXCSRF_TOKEN;
+					options.SuppressXFrameOptionsHeader = false;
+				});
+			}
 			services.AddDirectoryBrowser();
 			if (GXUtil.CompressResponse())
 			{
@@ -230,15 +238,6 @@ public void ConfigureServices(IServiceCollection services)
 					options.EnableForHttps = true;
 				});
 			}
-			if (RestAPIHelpers.ValidateCsrfToken())
-			{
-				services.AddAntiforgery(options =>
-				{
-					options.HeaderName = HttpHeader.X_GXCSRF_TOKEN;
-					options.Cookie.Name = HttpHeader.X_GXCSRF_TOKEN;
-					options.SuppressXFrameOptionsHeader = false;
-				});
-			}
 			DefineCorsPolicy(services);
 			services.AddMvc();
 		}
@@ -424,9 +423,7 @@ public void Configure(IApplicationBuilder app, Microsoft.AspNetCore.Hosting.IHos
 
 					if (string.Equals(requestPath, $"/{restBasePath}VerificationToken", StringComparison.OrdinalIgnoreCase) && antiforgery!=null)
 					{
-						var tokenSet = antiforgery.GetTokens(context);
-						context.Response.Cookies.Append(HttpHeader.X_GXCSRF_TOKEN, tokenSet.RequestToken!,
-							new CookieOptions { HttpOnly = false });
+						ValidateAntiForgeryTokenMiddleware.SetAntiForgeryTokens(antiforgery, context);
 					}
 					return Task.CompletedTask;
 				});
@@ -605,33 +602,31 @@ public async Task Invoke(HttpContext context)
 				HttpMethods.IsDelete(context.Request.Method) ||
 				HttpMethods.IsPut(context.Request.Method))
 				{
-					GXLogging.Debug(log, $"Antiforgery validation starts");  
 					string cookieToken = context.Request.Cookies[HttpHeader.X_GXCSRF_TOKEN];
 					string headerToken = context.Request.Headers[HttpHeader.X_GXCSRF_TOKEN];
+					GXLogging.Debug(log, $"Antiforgery validation, cookieToken:{cookieToken}, headerToken:{headerToken}");
 
-					if (!string.IsNullOrEmpty(headerToken) && !string.IsNullOrEmpty(cookieToken) && headerToken == cookieToken)
-					{
-						GXLogging.Debug(log, $"headerToken == cookieToken OK");
-					}
-					else
-					{
-						await _antiforgery.ValidateRequestAsync(context);
-						GXLogging.Debug(log, $"Antiforgery validation OK");
-					}
+					await _antiforgery.ValidateRequestAsync(context);
+					GXLogging.Debug(log, $"Antiforgery validation OK");
 				}
 				else if (HttpMethods.IsGet(context.Request.Method))
 				{
 					string tokens = context.Request.Cookies[HttpHeader.X_GXCSRF_TOKEN];
 					if (string.IsNullOrEmpty(tokens))
 					{
-						AntiforgeryTokenSet tokenSet = _antiforgery.GetTokens(context);
-						context.Response.Cookies.Append(HttpHeader.X_GXCSRF_TOKEN, tokenSet.RequestToken!,new CookieOptions { HttpOnly = false });
-						GXLogging.Debug(log, $"Setting cookie ", HttpHeader.X_GXCSRF_TOKEN, "=", tokenSet.RequestToken!);
+						SetAntiForgeryTokens(_antiforgery, context);
 					}
 				}
 			}
 			await _next(context);
 		}
-		
+		internal static void SetAntiForgeryTokens(IAntiforgery _antiforgery, HttpContext context)
+		{
+			AntiforgeryTokenSet tokenSet = _antiforgery.GetAndStoreTokens(context);
+			context.Response.Cookies.Append(HttpHeader.X_GXCSRF_TOKEN, tokenSet.RequestToken,
+				new CookieOptions { HttpOnly = false, Secure = GxContext.GetHttpSecure(context) == 1 });
+			GXLogging.Debug(log, $"Setting cookie ", HttpHeader.X_GXCSRF_TOKEN, "=", tokenSet.RequestToken);
+		}
+
 	}
 }

dotnet/src/dotnetframework/GxClasses/Core/GXApplication.cs

@@ -2133,18 +2133,22 @@ public string GetBrowserVersion()
 			}
 		}
 		public virtual short GetHttpSecure()
+		{
+			return GetHttpSecure(_HttpContext);
+		}
+		static internal short GetHttpSecure(HttpContext httpContext)
 		{
 			try
 			{
-				if (HttpContext == null)
+				if (httpContext == null)
 					return 0;
-				if (_HttpContext.Request.GetIsSecureFrontEnd())
+				if (httpContext.Request.GetIsSecureFrontEnd())
 				{
 					GXLogging.Debug(log, "Front-End-Https header activated");
 					return 1;
 				}
 				else
-					return _HttpContext.Request.GetIsSecureConnection();
+					return httpContext.Request.GetIsSecureConnection();
 			}
 			catch
 			{

dotnet/src/dotnetframework/GxClasses/GxClasses.csproj

@@ -12,6 +12,7 @@
 	<ItemGroup>
 		<PackageReference Include="GeneXus.NodaTime" Version="2.4.19.1" />
 		<PackageReference Include="ManagedFusion.Rewriter" Version="3.7.0" />
+		<PackageReference Include="Microsoft.AspNet.WebPages" Version="3.2.9" />
 		<PackageReference Include="Microsoft.IdentityModel.Tokens" Version="6.5.1" />
 		<PackageReference Include="Microsoft.Net.Http.Headers" Version="2.2.0" />
 		<PackageReference Include="MySqlConnector" Version="2.2.3" />

dotnet/src/dotnetframework/GxClasses/Services/GXRestServices.cs

@@ -7,6 +7,7 @@
 using System.Net.Http;
 using System.Runtime.Serialization;
 using System.Runtime.Serialization.Json;
+using System.Security;
 using System.ServiceModel;
 using System.ServiceModel.Channels;
 using System.ServiceModel.Configuration;
@@ -15,13 +16,16 @@
 using System.ServiceModel.Web;
 using System.Text;
 using System.Web;
+using System.Web.Helpers;
+using System.Web.Mvc;
 using GeneXus.Application;
 using GeneXus.Configuration;
 using GeneXus.Data;
 using GeneXus.Http;
 using GeneXus.Metadata;
 using GeneXus.Security;
 using log4net;
+using Microsoft.IdentityModel.Tokens;
 using Microsoft.Net.Http.Headers;
 
 namespace GeneXus.Utils
@@ -388,7 +392,7 @@ public void WebException(Exception ex)
             {
                 throw ex;
             }
-            else if (ex is FormatException)
+            else if (ex is FormatException || ex is HttpAntiForgeryException)
 			{
 				HttpHelper.SetUnexpectedError(httpContext, HttpStatusCode.BadRequest, ex);
 			}
@@ -556,8 +560,13 @@ void AddHeader(string header, string value)
                 httpContext.Response.Headers[header]= value;
             }
         }
+		[SecuritySafeCritical]
 		public bool ProcessHeaders(string queryId)
 		{
+			if (RestAPIHelpers.ValidateCsrfToken())
+			{
+				ValidateAntiforgery();
+			}
 
 			NameValueCollection headers = GetHeaders();
 			String language = null, theme = null, etag = null;
@@ -597,6 +606,39 @@ public bool ProcessHeaders(string queryId)
 			return true;
 		}
 
+		[SecurityCritical]
+		private void ValidateAntiforgery()
+		{
+			string cookieToken, formToken;
+			string httpMethod = context.HttpContext.Request.HttpMethod;
+			string tokens = context.HttpContext.Request.Cookies[HttpHeader.X_GXCSRF_TOKEN]?.Value;
+			string internalCookieToken = context.HttpContext.Request.Cookies[HttpHeader.X_GXCSRF_TOKEN]?.Value;
+			if (httpMethod == HttpMethod.Get.Method && (string.IsNullOrEmpty(tokens) || string.IsNullOrEmpty(internalCookieToken)))
+			{
+				AntiForgery.GetTokens(null, out cookieToken, out formToken);
+#pragma warning disable SCS0009 // The cookie is missing security flag HttpOnly
+				HttpCookie cookie = new HttpCookie(HttpHeader.X_GXCSRF_TOKEN, formToken)
+				{
+					HttpOnly = false,
+					Secure = context.GetHttpSecure() == 1,
+				};
+#pragma warning restore SCS0009 // The cookie is missing security flag HttpOnly
+				HttpCookie internalCookie = new HttpCookie(AntiForgeryConfig.CookieName, cookieToken)
+				{
+					HttpOnly = true,
+					Secure = context.GetHttpSecure() == 1,
+				};
+				context.HttpContext.Response.SetCookie(cookie);
+				context.HttpContext.Response.SetCookie(internalCookie);
+			}
+			if (httpMethod == HttpMethod.Delete.Method || httpMethod == HttpMethod.Post.Method || httpMethod == HttpMethod.Put.Method)
+			{
+				cookieToken = context.HttpContext.Request.Cookies[AntiForgeryConfig.CookieName]?.Value;
+				string headerToken = context.HttpContext.Request.Headers[HttpHeader.X_GXCSRF_TOKEN];
+				AntiForgery.Validate(cookieToken, headerToken);
+			}
+		}
+
 		private void SendCacheHeaders()
 		{
 			if (string.IsNullOrEmpty(context.GetHeader(HttpHeader.CACHE_CONTROL)))

dotnet/test/DotNetCoreAttackMitigationTest/Middleware/RestServiceTest.cs

@@ -35,7 +35,7 @@ public async Task TestSimpleRestPost()
 			Assert.Equal(System.Net.HttpStatusCode.BadRequest, response.StatusCode);
 		}
 
-		[Fact(Skip ="Disable until solve concurrency issue")]
+		[Fact]
 		public async Task RunController()
 		{