
Picklist: DOM tampering and ajax request forgery #12059

@Del-Tab

Hello, I'm creating the issue from this forum page initiated by my client @evguen.
Here is a reproducer, written by another colleague, for both DOM tampering and ajax request forgery, with JDK 17 and PrimeFaces 14.0.0 (tested with Firefox).
Run mvn clean jetty:run -Pmyfaces23next and browse http://localhost:8080
primefaces-test_picklist_cleaned.zip
Click either link in the main page to choose the demo injection: [image]
DOM page: [image]
ajax page: [image]

original message:

Hello,

Configuration: PrimeFaces 12.0.3, JSF, MyFaces 3.0.0

When a form is submitted, the components pass through the validators phase of the JSF life cycle.

Example #1 - with MyFaces selectOneMenu component

For instance, when rendered on a webpage, a listbox contains 3 values:

<h:selectOneMenu value="#{page.selectedFruit}" id="fruit">
    <f:selectItem itemLabel="Apple" itemValue="1" />
    <f:selectItem itemLabel="Banana" itemValue="2" />
    <f:selectItem itemLabel="Pear" itemValue="3" />
</h:selectOneMenu>

The rendered HTML will be:

<select id="fruit" name="fruit" size="1">	
  <option value="1">Apple</option>	
  <option value="2">Banana</option>	
  <option value="3">Pear</option>
</select>

When the form is submitted, if we tamper with the HTTP request to set a value which is outside of the possible values (1, 2 or 3) by submitting another value, for example 10, the JSF validation component will throw an error "fruit: Validation Error: Value is not valid", because the value 10 was not initially available. This error is thrown by jakarta.faces.component.UISelectOne#processValidators.

Example #2 - with PrimeFaces selectOneMenu component

This validation is also available when using PrimeFaces components like:

<p:selectOneMenu value="#{page.selectedFruit}">
    <f:selectItem itemLabel="Apple" itemValue="1" />
    <f:selectItem itemLabel="Banana" itemValue="2" />
    <f:selectItem itemLabel="Pear" itemValue="3" />
</p:selectOneMenu>

The validator called is implemented in org.primefaces.component.selectonemenu.SelectOneMenu#validateValue, which will call super.validateValue(context, value); (which is jakarta.faces.component.UISelectOne#processValidators - same as the first example)

Example #3 - with PrimeFaces pickList component

Inspired by: http://www.primefaces.org:8080/showcase/ui/data/pickList.xhtml

XHTML:

    <p:pickList id="pickList" value="#{frag.cities}" var="cities" itemLabel="#{cities}" itemValue="#{cities}"/>

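Java:

import java.util.ArrayList;
import java.util.List;

import jakarta.annotation.PostConstruct;
import jakarta.enterprise.context.RequestScoped;
import jakarta.inject.Named;
import org.primefaces.model.DualListModel;

@Named
@RequestScoped
public class PickListView {
    // Source (available) and target (selected) lists bound to the pickList
    private DualListModel<String> cities;

    @PostConstruct
    public void init() {
        // Cities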
        List<String> citiesSource = new ArrayList<>();
        List<String> citiesTarget = new ArrayList<>();

        citiesSource.add("San Francisco");
        citiesSource.add("London");
        citiesSource.add("Paris");
        citiesSource.add("Istanbul");
        citiesSource.add("Berlin");
        citiesSource.add("Barcelona");
        citiesSource.add("Rome");

        cities = new DualListModel<>(citiesSource, citiesTarget);

    }

    public DualListModel<String> getCities() {
        return cities;
    }

    public void setCities(DualListModel<String> cities) {
        this.cities = cities;
    }
}

On the web page I select and move to the right column "San Francisco" and "London". Then I tamper with the HTTP request (or modify the HTML source code within the browser before submitting the form) to replace all occurrences of "London" with "Petrus" and submit the form.

The Java cities will contain "San Francisco" and "Petrus".

Same behaviour with more complex objects with converters.

I believe there should be a validator to verify that submitted values are from the initial list.

From my point of view, this is kind of a security issue for users relying on the validators phase of the JSF life cycle, as it works for many other components.

Could you please share your point of view and confirm if this is an issue?

Best Regards

Originally posted by @evguen in primefaces/community#1490
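
An application-side check of the kind the message above asks for, as an added example that is not part of the issue, the reproducer or PrimeFaces itself: a Jakarta Faces validator that rejects any pickList item absent from the list the server built. The validator id, the allowedItems attribute name and the frag.allowedCities getter are assumptions made for illustration.

```java
import jakarta.faces.application.FacesMessage;
import jakarta.faces.component.UIComponent;
import jakarta.faces.context.FacesContext;
import jakarta.faces.validator.FacesValidator;
import jakarta.faces.validator.Validator;
import jakarta.faces.validator.ValidatorException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.primefaces.model.DualListModel;

// Assumed wiring in the page (validator id, attribute name and getter are hypothetical):
//   <p:pickList id="pickList" value="#{frag.cities}" var="cities"
//               itemLabel="#{cities}" itemValue="#{cities}">
//       <f:validator validatorId="pickListMembership"/>
//       <f:attribute name="allowedItems" value="#{frag.allowedCities}"/>
//   </p:pickList>
@FacesValidator("pickListMembership")
public class PickListMembershipValidator implements Validator<DualListModel<String>> {

    // Items submitted in either list that the server never offered.
    static List<String> forgedItems(Set<String> allowed, List<String> source, List<String> target) {
        List<String> forged = new ArrayList<>();
        for (List<String> side : List.of(source, target)) {
            for (String item : side) {
                if (!allowed.contains(item)) forged.add(item);
            }
        }
        return forged;
    }

    @Override
    public void validate(FacesContext ctx, UIComponent component, DualListModel<String> value) {
        if (value == null) return;
        // The allowed set must come from server-side state, never from the request.
        Object attr = component.getAttributes().get("allowedItems");
        if (!(attr instanceof Collection)) { // fail closed when the reference list is missing
            throw new ValidatorException(new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "Validation Error: Value is not valid", "No reference list configured"));
        }
        Set<String> allowed = new HashSet<>();
        for (Object o : (Collection<?>) attr) allowed.add(String.valueOf(o));
        List<String> forged = forgedItems(allowed, value.getSource(), value.getTarget());
        if (!forged.isEmpty()) { // e.g. "Petrus" submitted in place of "London"
            throw new ValidatorException(new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "Validation Error: Value is not valid",
                    forged.size() + " submitted item(s) were not in the rendered list"));
        }
    }
}
```

Because validation runs before the update-model phase, a rejected submission never reaches setCities, so the bean keeps the lists it built in init().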

Labels: 🔒 security (Security related issue or enhancement)
