FileDownload - cookie is blocked by WAF

ThomasSchindler
Posts: 17
Joined: 27 Mar 2014, 09:44

24 Jun 2022, 11:54

Hello,

we are developing a JSF Web Application with PrimeFaces as component library for several customers. One of our new customers uses a Web Application Firewall (WAF) and now has a problem with the generated cookie for the file download. This is set when downloading a file using the <p:fileDownload> component:

primefaces.download_ui_file_download.xhtml=true; Path=/showcase
The customer complains that the cookie name does not follow his security requirements and hence the request is blocked by the WAF.

My question: Is it possible to change the cookie name, which obviously contains the facelet name with the .xhtml extension, which causes the problem?
PrimeFaces Version: PrimeFaces 11.0.1

PrimeNG Version: 12.0.0

Application Server: JBoss Wildfly 23.0.2 Final

JSF Implementation: Mojarra 2.3.14.SP04

Melloware
Posts: 3716
Joined: 22 Apr 2013, 15:48

24 Jun 2022, 14:39

Can you tell us what the cookie requirements are for proper naming?

Unfortunately this is embedded in the PF code so we will need to make a code fix...

public static final String DOWNLOAD_COOKIE = "primefaces.download";

public static String getMonitorKeyCookieName(FacesContext context, ValueExpression monitorKey) {
    // Cookie name = fixed prefix + current view id with '/' replaced by '_',
    // so the facelet name including its ".xhtml" extension ends up in the cookie name.
    String monitorKeyCookieName = Constants.DOWNLOAD_COOKIE + context.getViewRoot().getViewId().replace('/', '_');
    if (monitorKey != null) {
        // An optional monitorKey attribute is appended as a further "_" suffix.
        String evaluated = (String) monitorKey.getValue(context.getELContext());
        if (LangUtils.isNotBlank(evaluated)) {
            monitorKeyCookieName += "_" + evaluated;
        }
    }
    return monitorKeyCookieName;
}
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 13.0.0 / PF Extensions 13.0.0
PrimeReact 9.6.1

ThomasSchindler
Posts: 17
Joined: 27 Mar 2014, 09:44

30 Jun 2022, 10:46

Our customer is using Microsoft Azur Application Gateway as a WAF and there is the following rule defined on the cookie names:

Pattern match (?i)\\s\\S((?:x(?:link:href|html|mlns)|!ENTITY.?SYSTEM|data:text\\/html|formaction|\\@import|base64)\\b|patternb.?=) at REQUEST_COOKIES_NAMES.

I'm not sure which regular expression syntax is used here, but obviously the part ".xhtml" in the cookie name violates the cookie name restriction and the request is blocked. This is the detail message emitted by the WAF:
Matched Data: .xhtml found within REQUEST_COOKIES_NAMES: primefaces.download_genericformhandling_formsDownload.xhtml

Melloware
Posts: 3716
Joined: 22 Apr 2013, 15:48

30 Jun 2022, 13:53

Weird, I am trying to test that regex against the cookie name and I can't get it to match.

See my tester here: https://regex101.com/r/b5GrZw/1

ThomasSchindler
Posts: 17
Joined: 27 Mar 2014, 09:44

16 Dec 2022, 12:32

Hello,

Sorry for coming back so late to this issue. I think there was just an error with the escapes in the regex. It should be like this:

(?i)[\s\S]((?:x(?:link:href|html|mlns)|!ENTITY.?SYSTEM|data:text\\/html|formaction|\\@import|base64)\b|patternb.?=)

Taking that, I get a match in the regex tester you used: https://regex101.com/r/y4UsMt/1
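
The two regex versions from this thread can be checked offline without a WAF or regex101. The following is an added example, not code from the thread or from PrimeFaces: it interprets the rule as first quoted (with doubled backslashes) and the corrected version as Python regexes, rebuilds the cookie name the way the quoted getMonitorKeyCookieName does, and reports what the rule flags, which is what the WAF prints as "Matched Data". The view id /ui/file/download.xhtml is an assumption chosen so that the result equals the showcase cookie name quoted above; the build_monitor_cookie_name_without_extension variant is a hypothetical illustration of one way to keep ".xhtml" out of the name, not the change PrimeFaces adopted in the issue linked below.

```python
import posixpath
import re
from typing import Optional

# Azure Application Gateway / OWASP CRS cookie-name rule exactly as first quoted in the
# thread. Read as a regex, the doubled backslashes make "\\s\\S" a literal backslash-s-
# backslash-S and "\\b" a literal backslash-b, so it cannot match a real cookie name.
# This reproduces the "can't get it to match" result from the regex tester.
RULE_AS_FIRST_QUOTED = re.compile(
    r"(?i)\\s\\S((?:x(?:link:href|html|mlns)|!ENTITY.?SYSTEM|data:text\\/html"
    r"|formaction|\\@import|base64)\\b|patternb.?=)"
)

# The same rule with the escapes corrected as in the later post: any one character,
# then one of the listed tokens ending at a word boundary. "xhtml" is one of the tokens.
RULE_CORRECTED = re.compile(
    r"(?i)[\s\S]((?:x(?:link:href|html|mlns)|!ENTITY.?SYSTEM|data:text\/html"
    r"|formaction|\@import|base64)\b|patternb.?=)"
)

DOWNLOAD_COOKIE = "primefaces.download"


def build_monitor_cookie_name(view_id: str, monitor_key: Optional[str] = None) -> str:
    """Python mirror of the PrimeFaces getMonitorKeyCookieName logic quoted in the thread."""
    name = DOWNLOAD_COOKIE + view_id.replace("/", "_")
    if monitor_key is not None and monitor_key.strip():
        name += "_" + monitor_key
    return name


def build_monitor_cookie_name_without_extension(view_id: str, monitor_key: Optional[str] = None) -> str:
    """Hypothetical variant (an assumption for this example, not PrimeFaces' fix):
    drop the view id's file extension first, so ".xhtml" never reaches the cookie name."""
    stem, _ext = posixpath.splitext(view_id)
    return build_monitor_cookie_name(stem, monitor_key)


def waf_matched_data(cookie_name: str, rule=RULE_CORRECTED) -> Optional[str]:
    """Return the substring the rule flags (the WAF's 'Matched Data'), or None if it passes."""
    m = rule.search(cookie_name)
    return m.group(0) if m else None


def check_cookie_names(cookie_names, rule=RULE_CORRECTED):
    """Evaluate request cookie names the way a REQUEST_COOKIES_NAMES rule does and
    return only the names that would be blocked, paired with the matched data."""
    blocked = []
    for name in cookie_names:
        matched = waf_matched_data(name, rule)
        if matched is not None:
            blocked.append((name, matched))
    return blocked


if __name__ == "__main__":
    # Constructed sample request: the showcase cookie, the name from the WAF log in
    # the thread, and an ordinary session cookie that should pass.
    names = [
        build_monitor_cookie_name("/ui/file/download.xhtml"),
        "primefaces.download_genericformhandling_formsDownload.xhtml",
        "JSESSIONID",
    ]
    print("rule as first quoted:", check_cookie_names(names, RULE_AS_FIRST_QUOTED))  # -> []
    print("corrected rule:      ", check_cookie_names(names))
    print("without extension:   ",
          check_cookie_names([build_monitor_cookie_name_without_extension("/ui/file/download.xhtml")]))
```

Two details worth noticing when running it: the corrected rule flags exactly ".xhtml" (the `[\s\S]` consumes the dot, then `xhtml` must end at a word boundary), which is the "Matched Data" the WAF reported; and because `\b` needs a non-word character after the token, a cookie name that carries a monitorKey suffix such as `..._download.xhtml_report` does not trigger this particular rule, so whether the download is blocked can depend on whether the component is used with a monitorKey.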

Melloware
Posts: 3716
Joined: 22 Apr 2013, 15:48

16 Dec 2022, 15:07

OK I see the match now. I guess you should open a GitHub Issue ticket with all this information so it can be discussed by the team?

ThomasSchindler
Posts: 17
Joined: 27 Mar 2014, 09:44

19 Dec 2022, 08:25

Hi,

thank you for the quick response. I opened a feature issue on GitHub: https://github.com/primefaces/primefaces/issues/9521

Kind regards
Thomas
