From ac4e28e2c5aa9faf5fd0cebfddb835a0c02bb15e Mon Sep 17 00:00:00 2001
From: yogur <abed.kibbe@gmail.com>
Date: Wed, 1 Nov 2023 14:34:15 +0100
Subject: [PATCH 1/2] Add CSRF protection to workspace settings forms

---
 .../onpremises/web/security/CsrfSecurityRequestMatcher.java  | 2 +-
 .../src/main/webapp/WEB-INF/views/images.jsp                 | 1 +
 .../src/main/webapp/WEB-INF/views/users.jsp                  | 1 +
 .../src/main/webapp/WEB-INF/views/workspace-settings.jsp     | 5 +++++
 4 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/structurizr-onpremises/src/main/java/com/structurizr/onpremises/web/security/CsrfSecurityRequestMatcher.java b/structurizr-onpremises/src/main/java/com/structurizr/onpremises/web/security/CsrfSecurityRequestMatcher.java
index f4b157e..aa2830e 100644
--- a/structurizr-onpremises/src/main/java/com/structurizr/onpremises/web/security/CsrfSecurityRequestMatcher.java
+++ b/structurizr-onpremises/src/main/java/com/structurizr/onpremises/web/security/CsrfSecurityRequestMatcher.java
@@ -14,7 +14,7 @@ public boolean matches(HttpServletRequest request) {
             String uri = request.getRequestURI();
 
             if (
-                    uri.startsWith("/login")
+                    uri.startsWith("/login") || uri.startsWith("/workspace")
             ) {
                 return true;
             }
diff --git a/structurizr-onpremises/src/main/webapp/WEB-INF/views/images.jsp b/structurizr-onpremises/src/main/webapp/WEB-INF/views/images.jsp
index f125cb2..1fed0a1 100644
--- a/structurizr-onpremises/src/main/webapp/WEB-INF/views/images.jsp
+++ b/structurizr-onpremises/src/main/webapp/WEB-INF/views/images.jsp
@@ -32,6 +32,7 @@
         <c:if test="${workspace.editable}">
         <div class="centered">
             <form id="deleteImagesForm" class="form-inline small centered" style="display: inline-block; margin-bottom: 5px" action="/workspace/${workspace.id}/images/delete" method="post">
+                <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
                 <button class="btn btn-default" type="submit" name="action" value="delete" title="Delete published images"><img src="${structurizrConfiguration.cdnUrl}/bootstrap-icons/trash3.svg" class="icon-btn" /> Delete published images</button>
             </form>
         </div>
diff --git a/structurizr-onpremises/src/main/webapp/WEB-INF/views/users.jsp b/structurizr-onpremises/src/main/webapp/WEB-INF/views/users.jsp
index 3dced47..f805834 100644
--- a/structurizr-onpremises/src/main/webapp/WEB-INF/views/users.jsp
+++ b/structurizr-onpremises/src/main/webapp/WEB-INF/views/users.jsp
@@ -47,6 +47,7 @@
         <c:choose>
             <c:when test="${workspace.editable}">
             <form action="/workspace/${workspace.id}/users" method="post">
+                <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
 
                 <div class="row">
                     <div class="col-sm-6">
diff --git a/structurizr-onpremises/src/main/webapp/WEB-INF/views/workspace-settings.jsp b/structurizr-onpremises/src/main/webapp/WEB-INF/views/workspace-settings.jsp
index 04114bf..fde93a5 100644
--- a/structurizr-onpremises/src/main/webapp/WEB-INF/views/workspace-settings.jsp
+++ b/structurizr-onpremises/src/main/webapp/WEB-INF/views/workspace-settings.jsp
@@ -82,12 +82,14 @@
                                 <c:when test="${workspace.publicWorkspace}">
                                     <form id="privateWorkspaceForm" class="form-inline small centered" style="display: inline-block; margin-bottom: 5px" action="/workspace/${workspace.id}/private" method="post">
                                         <input type="hidden" name="workspaceId" value="${workspace.id}" />
+                                        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
                                         <button class="btn btn-default small" type="submit" name="action" value="private" title="Make workspace private"><img src="/static/bootstrap-icons/lock.svg" class="icon-btn" /> Make private</button>
                                     </form>
                                 </c:when>
                                 <c:otherwise>
                                     <form id="publicWorkspaceForm" class="form-inline small centered" style="display: inline-block; margin-bottom: 5px" action="/workspace/${workspace.id}/public" method="post">
                                         <input type="hidden" name="workspaceId" value="${workspace.id}" />
+                                        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
                                         <button class="btn btn-default small" type="submit" name="action" value="public" title="Make workspace public"><img src="/static/bootstrap-icons/unlock.svg" class="icon-btn" /> Make public</button>
                                     </form>
                                 </c:otherwise>
@@ -110,12 +112,14 @@
                                 <c:when test="${not empty workspace.sharingToken}">
                                     <form id="unshareWorkspaceForm" class="form-inline small centered" style="display: inline-block; margin-bottom: 5px" action="/workspace/${workspace.id}/unshare" method="post">
                                         <input type="hidden" name="workspaceId" value="${workspace.id}" />
+                                        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
                                         <button class="btn btn-default small" type="submit" name="action" value="unshare" title="Disable sharing link"><img src="/static/bootstrap-icons/link.svg" class="icon-btn" /> Disable sharing link</button>
                                     </form>
                                 </c:when>
                                 <c:otherwise>
                                     <form id="shareWorkspaceForm" class="form-inline small centered" style="display: inline-block; margin-bottom: 5px" action="/workspace/${workspace.id}/share" method="post">
                                         <input type="hidden" name="workspaceId" value="${workspace.id}" />
+                                        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
                                         <button class="btn btn-default small" type="submit" name="action" value="share" title="Enable sharing link"><img src="/static/bootstrap-icons/link.svg" class="icon-btn" /> Enable sharing link</button>
                                     </form>
                                 </c:otherwise>
@@ -135,6 +139,7 @@
                         <button id="exportWorkspaceButton" class="btn btn-default small" title="Export workspace as JSON"><img src="${structurizrConfiguration.cdnUrl}/bootstrap-icons/filetype-json.svg" class="icon-btn" /> Export workspace</button>
                         <form id="deleteWorkspaceForm" class="form-inline small centered" style="display: inline-block; margin-bottom: 5px" action="/workspace/${workspace.id}/delete" method="post">
                             <input type="hidden" name="workspaceId" value="${workspace.id}" />
+                            <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
                             <button class="btn btn-danger small" type="submit" name="action" value="remove" title="Delete workspace"><img src="/static/bootstrap-icons/folder-x.svg" class="icon-white icon-btn" /> Delete workspace</button>
                         </form>
                     </c:if>

From 14ae72ae9f77378d5d64e42e32bff93fed27ef19 Mon Sep 17 00:00:00 2001
From: yogur <abed.kibbe@gmail.com>
Date: Wed, 28 Aug 2024 09:57:12 +0200
Subject: [PATCH 2/2] Use regex for specific CSRF uri matching

---
 .../web/security/CsrfSecurityRequestMatcher.java  | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/structurizr-onpremises/src/main/java/com/structurizr/onpremises/web/security/CsrfSecurityRequestMatcher.java b/structurizr-onpremises/src/main/java/com/structurizr/onpremises/web/security/CsrfSecurityRequestMatcher.java
index aa2830e..0d519ac 100644
--- a/structurizr-onpremises/src/main/java/com/structurizr/onpremises/web/security/CsrfSecurityRequestMatcher.java
+++ b/structurizr-onpremises/src/main/java/com/structurizr/onpremises/web/security/CsrfSecurityRequestMatcher.java
@@ -13,9 +13,18 @@ public boolean matches(HttpServletRequest request) {
         if ("POST".equals(method)) {
             String uri = request.getRequestURI();
 
-            if (
-                    uri.startsWith("/login") || uri.startsWith("/workspace")
-            ) {
+            /*
+             * Matches URIs like:
+             * /login*
+             * /workspace/123/images/delete
+             * /workspace/123/private
+             * /workspace/123/public
+             * /workspace/123/unshare
+             * /workspace/123/share
+             * /workspace/123/delete
+             */
+            if (uri.startsWith("/login")
+                    || uri.matches("/workspace/\\d+/(images/delete|private|public|unshare|share|delete)")) {
                 return true;
             }
         }