Programming exercises: Improve http header for csrf protection for Ba…

…mboo (ls1intum#4906)
Hialus · Apr 14, 2022 · b599dc4 · b599dc4
1 parent 6df21e6
commit b599dc4
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 16 deletions.
diff --git a/docs/dev/setup/bamboo-bitbucket-jira.rst b/docs/dev/setup/bamboo-bitbucket-jira.rst
@@ -35,9 +35,9 @@ Docker-Compose
 Before you start the docker-compose, check if the bamboo version in the
 ``build.gradle`` (search for ``com.atlassian.bamboo:bamboo-specs``) is
 equal to the bamboo version number in the docker compose in
-``src/main/docker/atlassian.yml`` 
-If the version number is not equal, adjust the version number. Further details about the docker-compose setup can be found in 
-``src/main/docker`` 
+``src/main/docker/atlassian.yml``
+If the version number is not equal, adjust the version number. Further details about the docker-compose setup can be found in
+``src/main/docker``
 
 Execute the docker-compose file e.g. with
 ``docker-compose -f src/main/docker/atlassian.yml up -d``.
@@ -50,8 +50,8 @@ command ``docker network prune`` to resolve this issue.
 Make sure that docker has enough memory (~ 6GB). To adapt it, go to ``Settings -> Resources``
 
 
-In case you want to enable Swift or C programming exercises, refer to the readme in 
-``src/main/docker`` 
+In case you want to enable Swift or C programming exercises, refer to the readme in
+``src/main/docker``
 
 
 Configure Bamboo, Bitbucket and Jira
@@ -250,17 +250,6 @@ under ``localhost:7990``.
                   password: <password>
                   token: #insert the token here
 
-#. Disable XSRF checking
-    Although XSRF checking is highly recommended, we currently have to disable it as Artemis does not yet support
-    sending the required headers.
-
-    - Log in as the admin user go to Bamboo -> Overview -> Security Settings
-
-       Edit the settings and disable XSRF checking:
-
-        .. figure:: bamboo-bitbucket-jira/bamboo_xsrf_disable.png
-           :align: center
-
 #. Add a SSH key for the admin user
 
     Artemis can clone/push the repositories during setup and for the online code editor using SSH.

diff --git a/docs/dev/setup/bamboo-bitbucket-jira/bamboo_xsrf_disable.png b/docs/dev/setup/bamboo-bitbucket-jira/bamboo_xsrf_disable.png
diff --git a/...java/de/tum/in/www1/artemis/service/connectors/bamboo/BambooAuthorizationInterceptor.java b/...java/de/tum/in/www1/artemis/service/connectors/bamboo/BambooAuthorizationInterceptor.java
@@ -37,6 +37,8 @@ public ClientHttpResponse intercept(HttpRequest request, @NotNull byte[] body, @
             request.getHeaders().setContentType(MediaType.APPLICATION_JSON);
         }
 
+        request.getHeaders().set("X-Atlassian-Token", "no-check");
+
         // certain Bamboo requests do not support token based authentication, we have to use basic auth then or we need to use cookie authentication
         String uri = request.getURI().toString();
         if (uri.contains(".action") || uri.contains("/artifact/")) {

diff --git a/...e/tum/in/www1/artemis/service/connectors/bitbucket/BitbucketAuthorizationInterceptor.java b/...e/tum/in/www1/artemis/service/connectors/bitbucket/BitbucketAuthorizationInterceptor.java
@@ -39,6 +39,7 @@ public ClientHttpResponse intercept(HttpRequest request, @NotNull byte[] body, @
         if (request.getHeaders().getContentType() == null) {
             request.getHeaders().setContentType(MediaType.APPLICATION_JSON);
         }
+
         // prefer bitbucket token if it is available
         if (bitbucketToken.isPresent() && !needsBasicAuth(request)) {
             request.getHeaders().setBearerAuth(bitbucketToken.get());