JSP with CSRF Guard form tag having an action with query parameters fails validation

[Frank-St]

Using version 4.3.0-jakarta of OWASP CSRF Guard.

When using TokenPerPage = true, the CSRF Guard form tag for JSPs creates a page token for the page using the attribute value of the action attribute of the form. If this attribute contains query parameters - e. g. it has the value MyServlet?a=b -, these are included in the page URL in the token map. When validating the CSRF token, however, the code tries to get the token using the HttpServletRequest.getRequestURI() method which omits the query string, e. g it uses only MyServlet in this case to get the page token. Hence no matching token is found and the validation fails.

Workaround is to set TokenPerPage=false.

To fix the bug, the query string should be removed from the action attribute value before using it as the key for the page specific token map.

Related, but another issue: It is valid HTML to omit the action attribute. In this case, the form is posted to the URL from where the form was loaded. Hence, it would be nice to use the current document URL as the page if there is no action attribute in a form. Currently, the form tag just throws an NPE in this case.

[Frank-St]

The "a", "tokenvalue", and "token" tag seem to have the same issue.

I would be willing to send a merge request to fix this. Would I need to send two merge requests, one for the master branch and one for the jakarta branch?

[forgedhallpass]

Hello @Frank-St,

Thank you for pointing this out.
I've checked your commit and it looks good. I would have accepted your PR, but I have by mistake committed the change after I've also tested it locally. It is going to be present in the new release and I have given you credit for it.