mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316
							// Copyright 2013 Martini Authors
// Copyright 2014 The Macaron Authors
// Copyright 2021 The Gitea Authors
//
// Licensed under the Apache License, Version 2.0 (the "License"): you may
// not use this file except in compliance with the License. You may obtain
// a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
// License for the specific language governing permissions and limitations
// under the License.

// a middleware that generates and validates CSRF tokens.

package context

import (
	"encoding/base32"
	"fmt"
	"net/http"
	"strconv"
	"time"

	"code.gitea.io/gitea/modules/log"
	"code.gitea.io/gitea/modules/setting"
	"code.gitea.io/gitea/modules/util"
	"code.gitea.io/gitea/modules/web/middleware"
)

// CSRF represents a CSRF service and is used to get the current token and validate a suspect token.
type CSRF interface {
	// Return HTTP header to search for token.
	GetHeaderName() string
	// Return form value to search for token.
	GetFormName() string
	// Return cookie name to search for token.
	GetCookieName() string
	// Return cookie path
	GetCookiePath() string
	// Return the flag value used for the csrf token.
	GetCookieHTTPOnly() bool
	// Return cookie domain
	GetCookieDomain() string
	// Return the token.
	GetToken() string
	// Validate by token.
	ValidToken(t string) bool
	// Error replies to the request with a custom function when ValidToken fails.
	Error(w http.ResponseWriter)
}

type csrf struct {
	// Header name value for setting and getting csrf token.
	Header string
	// Form name value for setting and getting csrf token.
	Form string
	// Cookie name value for setting and getting csrf token.
	Cookie string
	// Cookie domain
	CookieDomain string
	// Cookie path
	CookiePath string
	// Cookie HttpOnly flag value used for the csrf token.
	CookieHTTPOnly bool
	// Token generated to pass via header, cookie, or hidden form value.
	Token string
	// This value must be unique per user.
	ID string
	// Secret used along with the unique id above to generate the Token.
	Secret string
	// ErrorFunc is the custom function that replies to the request when ValidToken fails.
	ErrorFunc func(w http.ResponseWriter)
}

// GetHeaderName returns the name of the HTTP header for csrf token.
func (c *csrf) GetHeaderName() string {
	return c.Header
}

// GetFormName returns the name of the form value for csrf token.
func (c *csrf) GetFormName() string {
	return c.Form
}

// GetCookieName returns the name of the cookie for csrf token.
func (c *csrf) GetCookieName() string {
	return c.Cookie
}

// GetCookiePath returns the path of the cookie for csrf token.
func (c *csrf) GetCookiePath() string {
	return c.CookiePath
}

// GetCookieHTTPOnly returns the flag value used for the csrf token.
func (c *csrf) GetCookieHTTPOnly() bool {
	return c.CookieHTTPOnly
}

// GetCookieDomain returns the flag value used for the csrf token.
func (c *csrf) GetCookieDomain() string {
	return c.CookieDomain
}

// GetToken returns the current token. This is typically used
// to populate a hidden form in an HTML template.
func (c *csrf) GetToken() string {
	return c.Token
}

// ValidToken validates the passed token against the existing Secret and ID.
func (c *csrf) ValidToken(t string) bool {
	return ValidToken(t, c.Secret, c.ID, "POST")
}

// Error replies to the request when ValidToken fails.
func (c *csrf) Error(w http.ResponseWriter) {
	c.ErrorFunc(w)
}

// CsrfOptions maintains options to manage behavior of Generate.
type CsrfOptions struct {
	// The global secret value used to generate Tokens.
	Secret string
	// HTTP header used to set and get token.
	Header string
	// Form value used to set and get token.
	Form string
	// Cookie value used to set and get token.
	Cookie string
	// Cookie domain.
	CookieDomain string
	// Cookie path.
	CookiePath     string
	CookieHTTPOnly bool
	// SameSite set the cookie SameSite type
	SameSite http.SameSite
	// Key used for getting the unique ID per user.
	SessionKey string
	// oldSessionKey saves old value corresponding to SessionKey.
	oldSessionKey string
	// If true, send token via X-CSRFToken header.
	SetHeader bool
	// If true, send token via _csrf cookie.
	SetCookie bool
	// Set the Secure flag to true on the cookie.
	Secure bool
	// Disallow Origin appear in request header.
	Origin bool
	// The function called when Validate fails.
	ErrorFunc func(w http.ResponseWriter)
	// Cookie life time. Default is 0
	CookieLifeTime int
}

func prepareOptions(options []CsrfOptions) CsrfOptions {
	var opt CsrfOptions
	if len(options) > 0 {
		opt = options[0]
	}

	// Defaults.
	if len(opt.Secret) == 0 {
		randBytes, err := util.CryptoRandomBytes(8)
		if err != nil {
			// this panic can be handled by the recover() in http handlers
			panic(fmt.Errorf("failed to generate random bytes: %w", err))
		}
		opt.Secret = base32.StdEncoding.EncodeToString(randBytes)
	}
	if len(opt.Header) == 0 {
		opt.Header = "X-CSRFToken"
	}
	if len(opt.Form) == 0 {
		opt.Form = "_csrf"
	}
	if len(opt.Cookie) == 0 {
		opt.Cookie = "_csrf"
	}
	if len(opt.CookiePath) == 0 {
		opt.CookiePath = "/"
	}
	if len(opt.SessionKey) == 0 {
		opt.SessionKey = "uid"
	}
	opt.oldSessionKey = "_old_" + opt.SessionKey
	if opt.ErrorFunc == nil {
		opt.ErrorFunc = func(w http.ResponseWriter) {
			http.Error(w, "Invalid csrf token.", http.StatusBadRequest)
		}
	}

	return opt
}

// Csrfer maps CSRF to each request. If this request is a Get request, it will generate a new token.
// Additionally, depending on options set, generated tokens will be sent via Header and/or Cookie.
func Csrfer(opt CsrfOptions, ctx *Context) CSRF {
	opt = prepareOptions([]CsrfOptions{opt})
	x := &csrf{
		Secret:         opt.Secret,
		Header:         opt.Header,
		Form:           opt.Form,
		Cookie:         opt.Cookie,
		CookieDomain:   opt.CookieDomain,
		CookiePath:     opt.CookiePath,
		CookieHTTPOnly: opt.CookieHTTPOnly,
		ErrorFunc:      opt.ErrorFunc,
	}

	if opt.Origin && len(ctx.Req.Header.Get("Origin")) > 0 {
		return x
	}

	x.ID = "0"
	uidAny := ctx.Session.Get(opt.SessionKey)
	if uidAny != nil {
		switch uidVal := uidAny.(type) {
		case string:
			x.ID = uidVal
		case int64:
			x.ID = strconv.FormatInt(uidVal, 10)
		default:
			log.Error("invalid uid type in session: %T", uidAny)
		}
	}

	needsNew := false
	oldUID := ctx.Session.Get(opt.oldSessionKey)
	if oldUID == nil || oldUID.(string) != x.ID {
		needsNew = true
		_ = ctx.Session.Set(opt.oldSessionKey, x.ID)
	} else {
		// If cookie present, map existing token, else generate a new one.
		if val := ctx.GetCookie(opt.Cookie); len(val) > 0 {
			// FIXME: test coverage.
			x.Token = val
		} else {
			needsNew = true
		}
	}

	if needsNew {
		// FIXME: actionId.
		x.Token = GenerateToken(x.Secret, x.ID, "POST")
		if opt.SetCookie {
			var expires interface{}
			if opt.CookieLifeTime == 0 {
				expires = time.Now().AddDate(0, 0, 1)
			}
			middleware.SetCookie(ctx.Resp, opt.Cookie, x.Token,
				opt.CookieLifeTime,
				opt.CookiePath,
				opt.CookieDomain,
				opt.Secure,
				opt.CookieHTTPOnly,
				expires,
				middleware.SameSite(opt.SameSite),
			)
		}
	}

	if opt.SetHeader {
		ctx.Resp.Header().Add(opt.Header, x.Token)
	}
	return x
}

// Validate should be used as a per route middleware. It attempts to get a token from a "X-CSRFToken"
// HTTP header and then a "_csrf" form value. If one of these is found, the token will be validated
// using ValidToken. If this validation fails, custom Error is sent in the reply.
// If neither a header or form value is found, http.StatusBadRequest is sent.
func Validate(ctx *Context, x CSRF) {
	if token := ctx.Req.Header.Get(x.GetHeaderName()); len(token) > 0 {
		if !x.ValidToken(token) {
			// Delete the cookie
			middleware.SetCookie(ctx.Resp, x.GetCookieName(), "",
				-1,
				x.GetCookiePath(),
				x.GetCookieDomain()) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
			if middleware.IsAPIPath(ctx.Req) {
				x.Error(ctx.Resp)
				return
			}
			ctx.Flash.Error(ctx.Tr("error.invalid_csrf"))
			ctx.Redirect(setting.AppSubURL + "/")
		}
		return
	}
	if token := ctx.Req.FormValue(x.GetFormName()); len(token) > 0 {
		if !x.ValidToken(token) {
			// Delete the cookie
			middleware.SetCookie(ctx.Resp, x.GetCookieName(), "",
				-1,
				x.GetCookiePath(),
				x.GetCookieDomain()) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
			if middleware.IsAPIPath(ctx.Req) {
				x.Error(ctx.Resp)
				return
			}
			ctx.Flash.Error(ctx.Tr("error.invalid_csrf"))
			ctx.Redirect(setting.AppSubURL + "/")
		}
		return
	}
	if middleware.IsAPIPath(ctx.Req) {
		http.Error(ctx.Resp, "Bad Request: no CSRF token present", http.StatusBadRequest)
		return
	}
	ctx.Flash.Error(ctx.Tr("error.missing_csrf"))
	ctx.Redirect(setting.AppSubURL + "/")
}