
Fix/captcha repeater vulnerability

Created by: ivanmrsulja

VIVO GitHub issue: Mitigate vulnerability of Captcha feature VIVO PR

What does this pull request do?

This PR mitigates a vulnerability of the captcha feature by introducing new methods of challenge generation: nanocaptcha and Google reCAPTCHA.

What's new?

A CaptchaServiceBean is created which can both provide and validate text-based challenges as well as provide validation services for Google reCaptcha through the Google API. I also included a configuration option for which captcha method is used, so you can use both methods interchangeably (just change the configuration options).

How should this be tested?

Unit tests for CaptchaServiceBean are created. If you want to test manually, simply run the application and follow the instructions on how to configure each captcha method (instructions are available in the example.runtime.properties file). Captcha is currently only used on the /contact page. Keep in mind that you have to set up SMTP properties as well as a default contact email for the feedback form to be accessible.

Interested parties

@litvinovg @chenejac @brianjlowe
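The following is an added illustration of the two-method design described in the PR (a server-side text challenge and a server-side reCAPTCHA check selected by configuration); it is example code written for this page, not the PR's CaptchaServiceBean or any VIVO code. It assumes Java 17, replaces the nanocaptcha image rendering with a plain random string, uses a hypothetical in-memory store with expiry so that every challenge id is valid for exactly one submission (the PR does not describe how its store works), and checks the reCAPTCHA reply with a string match instead of a JSON parser. The enum and method names are invented for the example.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Illustrative captcha service (example code, not VIVO's): text challenges are kept server-side, expire, and are single-use. */
public class CaptchaServiceExample {

    /** Hypothetical configuration switch standing in for the PR's runtime property. */
    enum Method { NANOCAPTCHA, RECAPTCHA }

    private static final Duration TTL = Duration.ofMinutes(5);
    private static final String ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"; // no 0/O, 1/I look-alikes
    private static final String SITEVERIFY = "https://www.google.com/recaptcha/api/siteverify";

    private final Method method;
    private final String recaptchaSecret;
    private final SecureRandom random = new SecureRandom();
    private final Map<String, Challenge> pending = new ConcurrentHashMap<>();

    record Challenge(String answer, Instant expires) {}
    record TextChallenge(String id, String text) {}

    CaptchaServiceExample(Method method, String recaptchaSecret) {
        this.method = method;
        this.recaptchaSecret = recaptchaSecret;
    }

    /** Issue a fresh text challenge. Rendering it as an image (nanocaptcha in the PR) is left out here. */
    TextChallenge issueChallenge() {
        char[] buf = new char[6];
        for (int i = 0; i < buf.length; i++) buf[i] = ALPHABET.charAt(random.nextInt(ALPHABET.length()));
        byte[] idBytes = new byte[16];
        random.nextBytes(idBytes);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(idBytes);
        String text = new String(buf);
        pending.put(id, new Challenge(text, Instant.now().plus(TTL)));
        return new TextChallenge(id, text);
    }

    /** Validate and consume: the entry is removed before comparing, so resubmitting the same id always fails. */
    boolean validateText(String id, String answer) {
        if (id == null || answer == null) return false;
        Challenge c = pending.remove(id);
        if (c == null || Instant.now().isAfter(c.expires())) return false;
        byte[] expected = c.answer().getBytes(StandardCharsets.UTF_8);
        byte[] given = answer.trim().toUpperCase().getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given); // constant-time comparison
    }

    /** Verify a reCAPTCHA response token server-side; the token is single-use on Google's side. */
    boolean validateRecaptcha(String token, String remoteIp) throws Exception {
        String body = "secret=" + enc(recaptchaSecret) + "&response=" + enc(token) + "&remoteip=" + enc(remoteIp);
        HttpRequest req = HttpRequest.newBuilder(URI.create(SITEVERIFY))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        HttpResponse<String> resp = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
        // Simplified reply check; production code should parse the JSON and inspect "error-codes".
        return resp.statusCode() == 200 && resp.body().replace(" ", "").contains("\"success\":true");
    }

    /** Single entry point for the form handler; the configured method decides which check runs. */
    boolean validate(String idOrToken, String answer, String remoteIp) throws Exception {
        return method == Method.RECAPTCHA ? validateRecaptcha(idOrToken, remoteIp) : validateText(idOrToken, answer);
    }

    private static String enc(String s) {
        return URLEncoder.encode(s == null ? "" : s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        CaptchaServiceExample svc = new CaptchaServiceExample(Method.NANOCAPTCHA, null);
        TextChallenge ch = svc.issueChallenge();
        System.out.println("first submission:   " + svc.validate(ch.id(), ch.text(), "203.0.113.7"));
        System.out.println("replayed submission: " + svc.validate(ch.id(), ch.text(), "203.0.113.7"));
        System.out.println("wrong answer:        " + svc.validate(svc.issueChallenge().id(), "NOPE", "203.0.113.7"));
    }
}
```

The point of removing the pending entry before the comparison is that a correct answer captured once cannot be submitted again with the same challenge id, and a wrong guess burns the challenge rather than allowing repeated attempts against it. Running main exercises only the local text path, so it works offline; the reCAPTCHA path needs the real secret from the configuration and outbound access to the siteverify endpoint.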
