123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242 |
- // Copyright 2013 Martini Authors
- // Copyright 2014 The Macaron Authors
- // Copyright 2021 The Gitea Authors
- //
- // Licensed under the Apache License, Version 2.0 (the "License"): you may
- // not use this file except in compliance with the License. You may obtain
- // a copy of the License at
- //
- // http://www.apache.org/licenses/LICENSE-2.0
- //
- // Unless required by applicable law or agreed to in writing, software
- // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- // License for the specific language governing permissions and limitations
- // under the License.
- // SPDX-License-Identifier: Apache-2.0
-
- // a middleware that generates and validates CSRF tokens.
-
- package context
-
- import (
- "encoding/base32"
- "fmt"
- "net/http"
- "strconv"
- "time"
-
- "code.gitea.io/gitea/modules/log"
- "code.gitea.io/gitea/modules/setting"
- "code.gitea.io/gitea/modules/util"
- "code.gitea.io/gitea/modules/web/middleware"
- )
-
- // CSRFProtector represents a CSRF protector and is used to get the current token and validate the token.
- type CSRFProtector interface {
- // GetHeaderName returns HTTP header to search for token.
- GetHeaderName() string
- // GetFormName returns form value to search for token.
- GetFormName() string
- // GetToken returns the token.
- GetToken() string
- // Validate validates the token in http context.
- Validate(ctx *Context)
- // DeleteCookie deletes the cookie
- DeleteCookie(ctx *Context)
- }
-
- type csrfProtector struct {
- opt CsrfOptions
- // Token generated to pass via header, cookie, or hidden form value.
- Token string
- // This value must be unique per user.
- ID string
- }
-
- // GetHeaderName returns the name of the HTTP header for csrf token.
- func (c *csrfProtector) GetHeaderName() string {
- return c.opt.Header
- }
-
- // GetFormName returns the name of the form value for csrf token.
- func (c *csrfProtector) GetFormName() string {
- return c.opt.Form
- }
-
- // GetToken returns the current token. This is typically used
- // to populate a hidden form in an HTML template.
- func (c *csrfProtector) GetToken() string {
- return c.Token
- }
-
- // CsrfOptions maintains options to manage behavior of Generate.
- type CsrfOptions struct {
- // The global secret value used to generate Tokens.
- Secret string
- // HTTP header used to set and get token.
- Header string
- // Form value used to set and get token.
- Form string
- // Cookie value used to set and get token.
- Cookie string
- // Cookie domain.
- CookieDomain string
- // Cookie path.
- CookiePath string
- CookieHTTPOnly bool
- // SameSite set the cookie SameSite type
- SameSite http.SameSite
- // Key used for getting the unique ID per user.
- SessionKey string
- // oldSessionKey saves old value corresponding to SessionKey.
- oldSessionKey string
- // If true, send token via X-Csrf-Token header.
- SetHeader bool
- // If true, send token via _csrf cookie.
- SetCookie bool
- // Set the Secure flag to true on the cookie.
- Secure bool
- // Disallow Origin appear in request header.
- Origin bool
- // Cookie lifetime. Default is 0
- CookieLifeTime int
- }
-
- func prepareDefaultCsrfOptions(opt CsrfOptions) CsrfOptions {
- if opt.Secret == "" {
- randBytes, err := util.CryptoRandomBytes(8)
- if err != nil {
- // this panic can be handled by the recover() in http handlers
- panic(fmt.Errorf("failed to generate random bytes: %w", err))
- }
- opt.Secret = base32.StdEncoding.EncodeToString(randBytes)
- }
- if opt.Header == "" {
- opt.Header = "X-Csrf-Token"
- }
- if opt.Form == "" {
- opt.Form = "_csrf"
- }
- if opt.Cookie == "" {
- opt.Cookie = "_csrf"
- }
- if opt.CookiePath == "" {
- opt.CookiePath = "/"
- }
- if opt.SessionKey == "" {
- opt.SessionKey = "uid"
- }
- if opt.CookieLifeTime == 0 {
- opt.CookieLifeTime = int(CsrfTokenTimeout.Seconds())
- }
-
- opt.oldSessionKey = "_old_" + opt.SessionKey
- return opt
- }
-
- func newCsrfCookie(c *csrfProtector, value string) *http.Cookie {
- return &http.Cookie{
- Name: c.opt.Cookie,
- Value: value,
- Path: c.opt.CookiePath,
- Domain: c.opt.CookieDomain,
- MaxAge: c.opt.CookieLifeTime,
- Secure: c.opt.Secure,
- HttpOnly: c.opt.CookieHTTPOnly,
- SameSite: c.opt.SameSite,
- }
- }
-
- // PrepareCSRFProtector returns a CSRFProtector to be used for every request.
- // Additionally, depending on options set, generated tokens will be sent via Header and/or Cookie.
- func PrepareCSRFProtector(opt CsrfOptions, ctx *Context) CSRFProtector {
- opt = prepareDefaultCsrfOptions(opt)
- x := &csrfProtector{opt: opt}
-
- if opt.Origin && len(ctx.Req.Header.Get("Origin")) > 0 {
- return x
- }
-
- x.ID = "0"
- uidAny := ctx.Session.Get(opt.SessionKey)
- if uidAny != nil {
- switch uidVal := uidAny.(type) {
- case string:
- x.ID = uidVal
- case int64:
- x.ID = strconv.FormatInt(uidVal, 10)
- default:
- log.Error("invalid uid type in session: %T", uidAny)
- }
- }
-
- oldUID := ctx.Session.Get(opt.oldSessionKey)
- uidChanged := oldUID == nil || oldUID.(string) != x.ID
- cookieToken := ctx.GetSiteCookie(opt.Cookie)
-
- needsNew := true
- if uidChanged {
- _ = ctx.Session.Set(opt.oldSessionKey, x.ID)
- } else if cookieToken != "" {
- // If cookie token presents, re-use existing unexpired token, else generate a new one.
- if issueTime, ok := ParseCsrfToken(cookieToken); ok {
- dur := time.Since(issueTime) // issueTime is not a monotonic-clock, the server time may change a lot to an early time.
- if dur >= -CsrfTokenRegenerationInterval && dur <= CsrfTokenRegenerationInterval {
- x.Token = cookieToken
- needsNew = false
- }
- }
- }
-
- if needsNew {
- // FIXME: actionId.
- x.Token = GenerateCsrfToken(x.opt.Secret, x.ID, "POST", time.Now())
- if opt.SetCookie {
- cookie := newCsrfCookie(x, x.Token)
- ctx.Resp.Header().Add("Set-Cookie", cookie.String())
- }
- }
-
- if opt.SetHeader {
- ctx.Resp.Header().Add(opt.Header, x.Token)
- }
- return x
- }
-
- func (c *csrfProtector) validateToken(ctx *Context, token string) {
- if !ValidCsrfToken(token, c.opt.Secret, c.ID, "POST", time.Now()) {
- c.DeleteCookie(ctx)
- if middleware.IsAPIPath(ctx.Req) {
- // currently, there should be no access to the APIPath with CSRF token. because templates shouldn't use the `/api/` endpoints.
- http.Error(ctx.Resp, "Invalid CSRF token.", http.StatusBadRequest)
- } else {
- ctx.Flash.Error(ctx.Tr("error.invalid_csrf"))
- ctx.Redirect(setting.AppSubURL + "/")
- }
- }
- }
-
- // Validate should be used as a per route middleware. It attempts to get a token from an "X-Csrf-Token"
- // HTTP header and then a "_csrf" form value. If one of these is found, the token will be validated.
- // If this validation fails, custom Error is sent in the reply.
- // If neither a header nor form value is found, http.StatusBadRequest is sent.
- func (c *csrfProtector) Validate(ctx *Context) {
- if token := ctx.Req.Header.Get(c.GetHeaderName()); token != "" {
- c.validateToken(ctx, token)
- return
- }
- if token := ctx.Req.FormValue(c.GetFormName()); token != "" {
- c.validateToken(ctx, token)
- return
- }
- c.validateToken(ctx, "") // no csrf token, use an empty token to respond error
- }
-
- func (c *csrfProtector) DeleteCookie(ctx *Context) {
- if c.opt.SetCookie {
- cookie := newCsrfCookie(c, "")
- cookie.MaxAge = -1
- ctx.Resp.Header().Add("Set-Cookie", cookie.String())
- }
- }
|