mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16865 Commits
17 Branches
Tree: 35db5a373b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '35db5a373b'
${ noResults }
gitea/modules/context/csrf.go

csrf.go 7.0KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242 
  1. // Copyright 2013 Martini Authors

  2. // Copyright 2014 The Macaron Authors

  3. // Copyright 2021 The Gitea Authors

  4. //

  5. // Licensed under the Apache License, Version 2.0 (the "License"): you may

  6. // not use this file except in compliance with the License. You may obtain

  7. // a copy of the License at

  8. //

  9. //     http://www.apache.org/licenses/LICENSE-2.0

  10. //

  11. // Unless required by applicable law or agreed to in writing, software

  12. // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT

  13. // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the

  14. // License for the specific language governing permissions and limitations

  15. // under the License.

  16. // SPDX-License-Identifier: Apache-2.0

  17. 

  18. // a middleware that generates and validates CSRF tokens.

  19. 

  20. package context

  21. 

  22. import (

  23. 	"encoding/base32"

  24. 	"fmt"

  25. 	"net/http"

  26. 	"strconv"

  27. 	"time"

  28. 

  29. 	"code.gitea.io/gitea/modules/log"

  30. 	"code.gitea.io/gitea/modules/setting"

  31. 	"code.gitea.io/gitea/modules/util"

  32. 	"code.gitea.io/gitea/modules/web/middleware"

  33. )

  34. 

  35. // CSRFProtector represents a CSRF protector and is used to get the current token and validate the token.

  36. type CSRFProtector interface {

  37. 	// GetHeaderName returns HTTP header to search for token.

  38. 	GetHeaderName() string

  39. 	// GetFormName returns form value to search for token.

  40. 	GetFormName() string

  41. 	// GetToken returns the token.

  42. 	GetToken() string

  43. 	// Validate validates the token in http context.

  44. 	Validate(ctx *Context)

  45. 	// DeleteCookie deletes the cookie

  46. 	DeleteCookie(ctx *Context)

  47. }

  48. 

  49. type csrfProtector struct {

  50. 	opt CsrfOptions

  51. 	// Token generated to pass via header, cookie, or hidden form value.

  52. 	Token string

  53. 	// This value must be unique per user.

  54. 	ID string

  55. }

  56. 

  57. // GetHeaderName returns the name of the HTTP header for csrf token.

  58. func (c *csrfProtector) GetHeaderName() string {

  59. 	return c.opt.Header

  60. }

  61. 

  62. // GetFormName returns the name of the form value for csrf token.

  63. func (c *csrfProtector) GetFormName() string {

  64. 	return c.opt.Form

  65. }

  66. 

  67. // GetToken returns the current token. This is typically used

  68. // to populate a hidden form in an HTML template.

  69. func (c *csrfProtector) GetToken() string {

  70. 	return c.Token

  71. }

  72. 

  73. // CsrfOptions maintains options to manage behavior of Generate.

  74. type CsrfOptions struct {

  75. 	// The global secret value used to generate Tokens.

  76. 	Secret string

  77. 	// HTTP header used to set and get token.

  78. 	Header string

  79. 	// Form value used to set and get token.

  80. 	Form string

  81. 	// Cookie value used to set and get token.

  82. 	Cookie string

  83. 	// Cookie domain.

  84. 	CookieDomain string

  85. 	// Cookie path.

  86. 	CookiePath     string

  87. 	CookieHTTPOnly bool

  88. 	// SameSite set the cookie SameSite type

  89. 	SameSite http.SameSite

  90. 	// Key used for getting the unique ID per user.

  91. 	SessionKey string

  92. 	// oldSessionKey saves old value corresponding to SessionKey.

  93. 	oldSessionKey string

  94. 	// If true, send token via X-Csrf-Token header.

  95. 	SetHeader bool

  96. 	// If true, send token via _csrf cookie.

  97. 	SetCookie bool

  98. 	// Set the Secure flag to true on the cookie.

  99. 	Secure bool

  100. 	// Disallow Origin appear in request header.

  101. 	Origin bool

  102. 	// Cookie lifetime. Default is 0

  103. 	CookieLifeTime int

  104. }

  105. 

  106. func prepareDefaultCsrfOptions(opt CsrfOptions) CsrfOptions {

  107. 	if opt.Secret == "" {

  108. 		randBytes, err := util.CryptoRandomBytes(8)

  109. 		if err != nil {

  110. 			// this panic can be handled by the recover() in http handlers

  111. 			panic(fmt.Errorf("failed to generate random bytes: %w", err))

  112. 		}

  113. 		opt.Secret = base32.StdEncoding.EncodeToString(randBytes)

  114. 	}

  115. 	if opt.Header == "" {

  116. 		opt.Header = "X-Csrf-Token"

  117. 	}

  118. 	if opt.Form == "" {

  119. 		opt.Form = "_csrf"

  120. 	}

  121. 	if opt.Cookie == "" {

  122. 		opt.Cookie = "_csrf"

  123. 	}

  124. 	if opt.CookiePath == "" {

  125. 		opt.CookiePath = "/"

  126. 	}

  127. 	if opt.SessionKey == "" {

  128. 		opt.SessionKey = "uid"

  129. 	}

  130. 	if opt.CookieLifeTime == 0 {

  131. 		opt.CookieLifeTime = int(CsrfTokenTimeout.Seconds())

  132. 	}

  133. 

  134. 	opt.oldSessionKey = "_old_" + opt.SessionKey

  135. 	return opt

  136. }

  137. 

  138. func newCsrfCookie(c *csrfProtector, value string) *http.Cookie {

  139. 	return &http.Cookie{

  140. 		Name:     c.opt.Cookie,

  141. 		Value:    value,

  142. 		Path:     c.opt.CookiePath,

  143. 		Domain:   c.opt.CookieDomain,

  144. 		MaxAge:   c.opt.CookieLifeTime,

  145. 		Secure:   c.opt.Secure,

  146. 		HttpOnly: c.opt.CookieHTTPOnly,

  147. 		SameSite: c.opt.SameSite,

  148. 	}

  149. }

  150. 

  151. // PrepareCSRFProtector returns a CSRFProtector to be used for every request.

  152. // Additionally, depending on options set, generated tokens will be sent via Header and/or Cookie.

  153. func PrepareCSRFProtector(opt CsrfOptions, ctx *Context) CSRFProtector {

  154. 	opt = prepareDefaultCsrfOptions(opt)

  155. 	x := &csrfProtector{opt: opt}

  156. 

  157. 	if opt.Origin && len(ctx.Req.Header.Get("Origin")) > 0 {

  158. 		return x

  159. 	}

  160. 

  161. 	x.ID = "0"

  162. 	uidAny := ctx.Session.Get(opt.SessionKey)

  163. 	if uidAny != nil {

  164. 		switch uidVal := uidAny.(type) {

  165. 		case string:

  166. 			x.ID = uidVal

  167. 		case int64:

  168. 			x.ID = strconv.FormatInt(uidVal, 10)

  169. 		default:

  170. 			log.Error("invalid uid type in session: %T", uidAny)

  171. 		}

  172. 	}

  173. 

  174. 	oldUID := ctx.Session.Get(opt.oldSessionKey)

  175. 	uidChanged := oldUID == nil || oldUID.(string) != x.ID

  176. 	cookieToken := ctx.GetSiteCookie(opt.Cookie)

  177. 

  178. 	needsNew := true

  179. 	if uidChanged {

  180. 		_ = ctx.Session.Set(opt.oldSessionKey, x.ID)

  181. 	} else if cookieToken != "" {

  182. 		// If cookie token presents, re-use existing unexpired token, else generate a new one.

  183. 		if issueTime, ok := ParseCsrfToken(cookieToken); ok {

  184. 			dur := time.Since(issueTime) // issueTime is not a monotonic-clock, the server time may change a lot to an early time.

  185. 			if dur >= -CsrfTokenRegenerationInterval && dur <= CsrfTokenRegenerationInterval {

  186. 				x.Token = cookieToken

  187. 				needsNew = false

  188. 			}

  189. 		}

  190. 	}

  191. 

  192. 	if needsNew {

  193. 		// FIXME: actionId.

  194. 		x.Token = GenerateCsrfToken(x.opt.Secret, x.ID, "POST", time.Now())

  195. 		if opt.SetCookie {

  196. 			cookie := newCsrfCookie(x, x.Token)

  197. 			ctx.Resp.Header().Add("Set-Cookie", cookie.String())

  198. 		}

  199. 	}

  200. 

  201. 	if opt.SetHeader {

  202. 		ctx.Resp.Header().Add(opt.Header, x.Token)

  203. 	}

  204. 	return x

  205. }

  206. 

  207. func (c *csrfProtector) validateToken(ctx *Context, token string) {

  208. 	if !ValidCsrfToken(token, c.opt.Secret, c.ID, "POST", time.Now()) {

  209. 		c.DeleteCookie(ctx)

  210. 		if middleware.IsAPIPath(ctx.Req) {

  211. 			// currently, there should be no access to the APIPath with CSRF token. because templates shouldn't use the `/api/` endpoints.

  212. 			http.Error(ctx.Resp, "Invalid CSRF token.", http.StatusBadRequest)

  213. 		} else {

  214. 			ctx.Flash.Error(ctx.Tr("error.invalid_csrf"))

  215. 			ctx.Redirect(setting.AppSubURL + "/")

  216. 		}

  217. 	}

  218. }

  219. 

  220. // Validate should be used as a per route middleware. It attempts to get a token from an "X-Csrf-Token"

  221. // HTTP header and then a "_csrf" form value. If one of these is found, the token will be validated.

  222. // If this validation fails, custom Error is sent in the reply.

  223. // If neither a header nor form value is found, http.StatusBadRequest is sent.

  224. func (c *csrfProtector) Validate(ctx *Context) {

  225. 	if token := ctx.Req.Header.Get(c.GetHeaderName()); token != "" {

  226. 		c.validateToken(ctx, token)

  227. 		return

  228. 	}

  229. 	if token := ctx.Req.FormValue(c.GetFormName()); token != "" {

  230. 		c.validateToken(ctx, token)

  231. 		return

  232. 	}

  233. 	c.validateToken(ctx, "") // no csrf token, use an empty token to respond error

  234. }

  235. 

  236. func (c *csrfProtector) DeleteCookie(ctx *Context) {

  237. 	if c.opt.SetCookie {

  238. 		cookie := newCsrfCookie(c, "")

  239. 		cookie.MaxAge = -1

  240. 		ctx.Resp.Header().Add("Set-Cookie", cookie.String())

  241. 	}

  242. }