diff options
Diffstat (limited to 'modules/context/csrf.go')
-rw-r--r-- | modules/context/csrf.go | 265 |
1 files changed, 265 insertions, 0 deletions
diff --git a/modules/context/csrf.go b/modules/context/csrf.go new file mode 100644 index 0000000000..4a26664bf3 --- /dev/null +++ b/modules/context/csrf.go @@ -0,0 +1,265 @@ +// Copyright 2013 Martini Authors +// Copyright 2014 The Macaron Authors +// Copyright 2021 The Gitea Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"): you may +// not use this file except in compliance with the License. You may obtain +// a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +// License for the specific language governing permissions and limitations +// under the License. + +// a middleware that generates and validates CSRF tokens. + +package context + +import ( + "net/http" + "time" + + "github.com/unknwon/com" +) + +// CSRF represents a CSRF service and is used to get the current token and validate a suspect token. +type CSRF interface { + // Return HTTP header to search for token. + GetHeaderName() string + // Return form value to search for token. + GetFormName() string + // Return cookie name to search for token. + GetCookieName() string + // Return cookie path + GetCookiePath() string + // Return the flag value used for the csrf token. + GetCookieHTTPOnly() bool + // Return the token. + GetToken() string + // Validate by token. + ValidToken(t string) bool + // Error replies to the request with a custom function when ValidToken fails. + Error(w http.ResponseWriter) +} + +type csrf struct { + // Header name value for setting and getting csrf token. + Header string + // Form name value for setting and getting csrf token. + Form string + // Cookie name value for setting and getting csrf token. + Cookie string + //Cookie domain + CookieDomain string + //Cookie path + CookiePath string + // Cookie HttpOnly flag value used for the csrf token. + CookieHTTPOnly bool + // Token generated to pass via header, cookie, or hidden form value. + Token string + // This value must be unique per user. + ID string + // Secret used along with the unique id above to generate the Token. + Secret string + // ErrorFunc is the custom function that replies to the request when ValidToken fails. + ErrorFunc func(w http.ResponseWriter) +} + +// GetHeaderName returns the name of the HTTP header for csrf token. +func (c *csrf) GetHeaderName() string { + return c.Header +} + +// GetFormName returns the name of the form value for csrf token. +func (c *csrf) GetFormName() string { + return c.Form +} + +// GetCookieName returns the name of the cookie for csrf token. +func (c *csrf) GetCookieName() string { + return c.Cookie +} + +// GetCookiePath returns the path of the cookie for csrf token. +func (c *csrf) GetCookiePath() string { + return c.CookiePath +} + +// GetCookieHTTPOnly returns the flag value used for the csrf token. +func (c *csrf) GetCookieHTTPOnly() bool { + return c.CookieHTTPOnly +} + +// GetToken returns the current token. This is typically used +// to populate a hidden form in an HTML template. +func (c *csrf) GetToken() string { + return c.Token +} + +// ValidToken validates the passed token against the existing Secret and ID. +func (c *csrf) ValidToken(t string) bool { + return ValidToken(t, c.Secret, c.ID, "POST") +} + +// Error replies to the request when ValidToken fails. +func (c *csrf) Error(w http.ResponseWriter) { + c.ErrorFunc(w) +} + +// CsrfOptions maintains options to manage behavior of Generate. +type CsrfOptions struct { + // The global secret value used to generate Tokens. + Secret string + // HTTP header used to set and get token. + Header string + // Form value used to set and get token. + Form string + // Cookie value used to set and get token. + Cookie string + // Cookie domain. + CookieDomain string + // Cookie path. + CookiePath string + CookieHTTPOnly bool + // SameSite set the cookie SameSite type + SameSite http.SameSite + // Key used for getting the unique ID per user. + SessionKey string + // oldSessionKey saves old value corresponding to SessionKey. + oldSessionKey string + // If true, send token via X-CSRFToken header. + SetHeader bool + // If true, send token via _csrf cookie. + SetCookie bool + // Set the Secure flag to true on the cookie. + Secure bool + // Disallow Origin appear in request header. + Origin bool + // The function called when Validate fails. + ErrorFunc func(w http.ResponseWriter) + // Cookie life time. Default is 0 + CookieLifeTime int +} + +func prepareOptions(options []CsrfOptions) CsrfOptions { + var opt CsrfOptions + if len(options) > 0 { + opt = options[0] + } + + // Defaults. + if len(opt.Secret) == 0 { + opt.Secret = string(com.RandomCreateBytes(10)) + } + if len(opt.Header) == 0 { + opt.Header = "X-CSRFToken" + } + if len(opt.Form) == 0 { + opt.Form = "_csrf" + } + if len(opt.Cookie) == 0 { + opt.Cookie = "_csrf" + } + if len(opt.CookiePath) == 0 { + opt.CookiePath = "/" + } + if len(opt.SessionKey) == 0 { + opt.SessionKey = "uid" + } + opt.oldSessionKey = "_old_" + opt.SessionKey + if opt.ErrorFunc == nil { + opt.ErrorFunc = func(w http.ResponseWriter) { + http.Error(w, "Invalid csrf token.", http.StatusBadRequest) + } + } + + return opt +} + +// Csrfer maps CSRF to each request. If this request is a Get request, it will generate a new token. +// Additionally, depending on options set, generated tokens will be sent via Header and/or Cookie. +func Csrfer(opt CsrfOptions, ctx *Context) CSRF { + opt = prepareOptions([]CsrfOptions{opt}) + x := &csrf{ + Secret: opt.Secret, + Header: opt.Header, + Form: opt.Form, + Cookie: opt.Cookie, + CookieDomain: opt.CookieDomain, + CookiePath: opt.CookiePath, + CookieHTTPOnly: opt.CookieHTTPOnly, + ErrorFunc: opt.ErrorFunc, + } + + if opt.Origin && len(ctx.Req.Header.Get("Origin")) > 0 { + return x + } + + x.ID = "0" + uid := ctx.Session.Get(opt.SessionKey) + if uid != nil { + x.ID = com.ToStr(uid) + } + + needsNew := false + oldUID := ctx.Session.Get(opt.oldSessionKey) + if oldUID == nil || oldUID.(string) != x.ID { + needsNew = true + _ = ctx.Session.Set(opt.oldSessionKey, x.ID) + } else { + // If cookie present, map existing token, else generate a new one. + if val := ctx.GetCookie(opt.Cookie); len(val) > 0 { + // FIXME: test coverage. + x.Token = val + } else { + needsNew = true + } + } + + if needsNew { + // FIXME: actionId. + x.Token = GenerateToken(x.Secret, x.ID, "POST") + if opt.SetCookie { + var expires interface{} + if opt.CookieLifeTime == 0 { + expires = time.Now().AddDate(0, 0, 1) + } + ctx.SetCookie(opt.Cookie, x.Token, opt.CookieLifeTime, opt.CookiePath, opt.CookieDomain, opt.Secure, opt.CookieHTTPOnly, expires, + func(c *http.Cookie) { + c.SameSite = opt.SameSite + }, + ) + } + } + + if opt.SetHeader { + ctx.Resp.Header().Add(opt.Header, x.Token) + } + return x +} + +// Validate should be used as a per route middleware. It attempts to get a token from a "X-CSRFToken" +// HTTP header and then a "_csrf" form value. If one of these is found, the token will be validated +// using ValidToken. If this validation fails, custom Error is sent in the reply. +// If neither a header or form value is found, http.StatusBadRequest is sent. +func Validate(ctx *Context, x CSRF) { + if token := ctx.Req.Header.Get(x.GetHeaderName()); len(token) > 0 { + if !x.ValidToken(token) { + ctx.SetCookie(x.GetCookieName(), "", -1, x.GetCookiePath()) + x.Error(ctx.Resp) + } + return + } + if token := ctx.Req.FormValue(x.GetFormName()); len(token) > 0 { + if !x.ValidToken(token) { + ctx.SetCookie(x.GetCookieName(), "", -1, x.GetCookiePath()) + x.Error(ctx.Resp) + } + return + } + + http.Error(ctx.Resp, "Bad Request: no CSRF token present", http.StatusBadRequest) +} |