## Description

The login page, and a few other pages, are exempted from CSRF today and aren't doing any check at all. This makes our login page vulnerable to CSRF. But it's not really exploitable in its current form, since there are other points in the login flow that patch this hole up. Nevertheless, CSRF being possible on the login form doesn't sound good in any tone and context.

This PR fixes this by not exempting _anything_ from CSRF, and doing a stateless CSRF check where necessary.

PR summary:

1. Switches from our home-built CSRF filter implementation to Spring's native implementation.
2. Login form and a few others were previously exempted from CSRF checks, and now that exemption is gone. This is why we need the `X-Requested-By: Appsmith` header for the login/signup form submission calls from Cypress.
3. Removes the check on the `Content-Type: application/json` header. Previously, if a request had this header, it was considered exempt from the CSRF check. This has been removed as it appears it's not a safe assumption in today's JSON-dominated web.

⚠️ Verify SCIM flow before merging.

## Automation

/test all

### 🔍 Cypress test results

> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run: <https://github.com/appsmithorg/appsmith/actions/runs/13697073430>
> Commit: 0873799e2346e58dac3d59b1a3890b86ab17d5b4
> [Cypress dashboard](https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=13697073430&attempt=1).
> Tags: `@tag.All`
> Spec:
>
> Thu, 06 Mar 2025 12:13:19 UTC

## Communication

Should the DevRel and Marketing teams inform users about this change?

- [ ] Yes
- [x] No

## Summary by CodeRabbit

### Release Notes

- **New Features**
  - Introduced a `CsrfTokenInput` component to enhance security during user authentication and signup processes by including a CSRF token.
- **Improvements**
  - Enhanced API request headers for login and signup commands to improve security.
  - Added cookie validation for successful login to ensure session integrity.
  - Improved error handling for database operations.
- **Bug Fixes**
  - Removed outdated CSRF filter to streamline CSRF protection handling in the application.
- **Tests**
  - Added comprehensive unit tests for CSRF protection to ensure correct behavior under various scenarios.
  - Introduced a new test suite for testing CSRF logout and login functionality.
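To make the policy change in the PR summary concrete, here is a small constructed model (added for this write-up; it is neither Appsmith's code nor Spring Security's implementation) that contrasts the old rules (login paths exempted, `Content-Type: application/json` treated as proof) with the new ones (nothing exempted; every state-changing request must carry either the `X-Requested-By: Appsmith` header or a CSRF token that matches the session's cookie). The cookie name `XSRF-TOKEN`, the form field `_csrf`, the exempt path list and the double-submit comparison are assumptions made for the example, not details taken from the PR.

```python
"""Constructed model of the CSRF policy change described in the PR.

Added illustration only: not Appsmith's code and not Spring Security's
CsrfFilter. It models the old policy (path exemptions plus a
Content-Type: application/json bypass) next to the new one (no exemptions;
a custom header or a stateless double-submit token is required).
"""
import hmac
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}   # never mutate state
REQUIRED_HEADER = ("x-requested-by", "Appsmith")      # from the PR summary
CSRF_COOKIE = "XSRF-TOKEN"   # assumed cookie name for the example
CSRF_FIELD = "_csrf"         # assumed form field name for the example
OLD_EXEMPT_PATHS = {"/api/v1/login", "/api/v1/users"}  # constructed stand-ins


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

    def header(self, name: str):
        # Header names are case-insensitive; match accordingly.
        return next((v for k, v in self.headers.items()
                     if k.lower() == name.lower()), None)


def _has_required_header(req: Request) -> bool:
    # A cross-site HTML form cannot add custom headers, so the header's
    # presence is taken as evidence the call came from our own front end.
    name, value = REQUIRED_HEADER
    return req.header(name) == value


def _token_matches(req: Request) -> bool:
    # Stateless double-submit comparison (assumed scheme): the token the
    # form submits must equal the one in the cookie. Constant-time compare
    # and an empty cookie is never accepted.
    cookie = req.cookies.get(CSRF_COOKIE, "")
    submitted = req.form.get(CSRF_FIELD, "")
    return bool(cookie) and hmac.compare_digest(cookie, submitted)


def old_policy_allows(req: Request) -> bool:
    """Pre-PR behaviour: exempt paths and JSON bodies skip the check."""
    if req.method in SAFE_METHODS:
        return True
    if req.path in OLD_EXEMPT_PATHS:
        return True
    content_type = (req.header("Content-Type") or "").split(";")[0].strip()
    if content_type.lower() == "application/json":
        return True
    return _has_required_header(req) or _token_matches(req)


def new_policy_allows(req: Request) -> bool:
    """Post-PR behaviour: no exemptions; header or token is mandatory."""
    if req.method in SAFE_METHODS:
        return True
    return _has_required_header(req) or _token_matches(req)


def constructed_cases() -> dict:
    """Sample requests (constructed) covering the cases the PR talks about."""
    return {
        "cross_site_login_form": Request(
            "POST", "/api/v1/login",
            {"Content-Type": "application/x-www-form-urlencoded"},
            form={"username": "u", "password": "p"}),
        "json_without_proof": Request(
            "POST", "/api/v1/applications",
            {"Content-Type": "application/json"}),
        "app_call_with_header": Request(
            "POST", "/api/v1/login",
            {"Content-Type": "application/json", "X-Requested-By": "Appsmith"}),
        "form_with_valid_token": Request(
            "POST", "/api/v1/login",
            cookies={CSRF_COOKIE: "tok123"}, form={CSRF_FIELD: "tok123"}),
        "form_with_stale_token": Request(
            "POST", "/api/v1/login",
            cookies={CSRF_COOKIE: "tok123"}, form={CSRF_FIELD: "tok999"}),
        "safe_get": Request("GET", "/api/v1/login"),
    }


def compare_policies() -> dict:
    """Map case name -> (old_allows, new_allows)."""
    return {name: (old_policy_allows(r), new_policy_allows(r))
            for name, r in constructed_cases().items()}


if __name__ == "__main__":
    for name, (old, new) in compare_policies().items():
        print(f"{name:24s} old={'allow' if old else 'deny ':5s} "
              f"new={'allow' if new else 'deny'}")
```

The two rows worth reading are `cross_site_login_form` and `json_without_proof`: both pass the old policy purely because of an exemption, and both are rejected by the new one, while the legitimate front-end call with the header and the form carrying a matching token keep working. A regression test in the real code base would assert exactly this table for the login and signup routes.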