123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301 |
- // Copyright 2013 Martini Authors
- // Copyright 2014 The Macaron Authors
- // Copyright 2021 The Gitea Authors
- //
- // Licensed under the Apache License, Version 2.0 (the "License"): you may
- // not use this file except in compliance with the License. You may obtain
- // a copy of the License at
- //
- // http://www.apache.org/licenses/LICENSE-2.0
- //
- // Unless required by applicable law or agreed to in writing, software
- // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- // License for the specific language governing permissions and limitations
- // under the License.
-
- // a middleware that generates and validates CSRF tokens.
-
- package context
-
- import (
- "net/http"
- "time"
-
- "code.gitea.io/gitea/modules/setting"
- "code.gitea.io/gitea/modules/web/middleware"
-
- "github.com/unknwon/com"
- )
-
- // CSRF represents a CSRF service and is used to get the current token and validate a suspect token.
- type CSRF interface {
- // Return HTTP header to search for token.
- GetHeaderName() string
- // Return form value to search for token.
- GetFormName() string
- // Return cookie name to search for token.
- GetCookieName() string
- // Return cookie path
- GetCookiePath() string
- // Return the flag value used for the csrf token.
- GetCookieHTTPOnly() bool
- // Return cookie domain
- GetCookieDomain() string
- // Return the token.
- GetToken() string
- // Validate by token.
- ValidToken(t string) bool
- // Error replies to the request with a custom function when ValidToken fails.
- Error(w http.ResponseWriter)
- }
-
- type csrf struct {
- // Header name value for setting and getting csrf token.
- Header string
- // Form name value for setting and getting csrf token.
- Form string
- // Cookie name value for setting and getting csrf token.
- Cookie string
- //Cookie domain
- CookieDomain string
- //Cookie path
- CookiePath string
- // Cookie HttpOnly flag value used for the csrf token.
- CookieHTTPOnly bool
- // Token generated to pass via header, cookie, or hidden form value.
- Token string
- // This value must be unique per user.
- ID string
- // Secret used along with the unique id above to generate the Token.
- Secret string
- // ErrorFunc is the custom function that replies to the request when ValidToken fails.
- ErrorFunc func(w http.ResponseWriter)
- }
-
- // GetHeaderName returns the name of the HTTP header for csrf token.
- func (c *csrf) GetHeaderName() string {
- return c.Header
- }
-
- // GetFormName returns the name of the form value for csrf token.
- func (c *csrf) GetFormName() string {
- return c.Form
- }
-
- // GetCookieName returns the name of the cookie for csrf token.
- func (c *csrf) GetCookieName() string {
- return c.Cookie
- }
-
- // GetCookiePath returns the path of the cookie for csrf token.
- func (c *csrf) GetCookiePath() string {
- return c.CookiePath
- }
-
- // GetCookieHTTPOnly returns the flag value used for the csrf token.
- func (c *csrf) GetCookieHTTPOnly() bool {
- return c.CookieHTTPOnly
- }
-
- // GetCookieDomain returns the flag value used for the csrf token.
- func (c *csrf) GetCookieDomain() string {
- return c.CookieDomain
- }
-
- // GetToken returns the current token. This is typically used
- // to populate a hidden form in an HTML template.
- func (c *csrf) GetToken() string {
- return c.Token
- }
-
- // ValidToken validates the passed token against the existing Secret and ID.
- func (c *csrf) ValidToken(t string) bool {
- return ValidToken(t, c.Secret, c.ID, "POST")
- }
-
- // Error replies to the request when ValidToken fails.
- func (c *csrf) Error(w http.ResponseWriter) {
- c.ErrorFunc(w)
- }
-
- // CsrfOptions maintains options to manage behavior of Generate.
- type CsrfOptions struct {
- // The global secret value used to generate Tokens.
- Secret string
- // HTTP header used to set and get token.
- Header string
- // Form value used to set and get token.
- Form string
- // Cookie value used to set and get token.
- Cookie string
- // Cookie domain.
- CookieDomain string
- // Cookie path.
- CookiePath string
- CookieHTTPOnly bool
- // SameSite set the cookie SameSite type
- SameSite http.SameSite
- // Key used for getting the unique ID per user.
- SessionKey string
- // oldSessionKey saves old value corresponding to SessionKey.
- oldSessionKey string
- // If true, send token via X-CSRFToken header.
- SetHeader bool
- // If true, send token via _csrf cookie.
- SetCookie bool
- // Set the Secure flag to true on the cookie.
- Secure bool
- // Disallow Origin appear in request header.
- Origin bool
- // The function called when Validate fails.
- ErrorFunc func(w http.ResponseWriter)
- // Cookie life time. Default is 0
- CookieLifeTime int
- }
-
- func prepareOptions(options []CsrfOptions) CsrfOptions {
- var opt CsrfOptions
- if len(options) > 0 {
- opt = options[0]
- }
-
- // Defaults.
- if len(opt.Secret) == 0 {
- opt.Secret = string(com.RandomCreateBytes(10))
- }
- if len(opt.Header) == 0 {
- opt.Header = "X-CSRFToken"
- }
- if len(opt.Form) == 0 {
- opt.Form = "_csrf"
- }
- if len(opt.Cookie) == 0 {
- opt.Cookie = "_csrf"
- }
- if len(opt.CookiePath) == 0 {
- opt.CookiePath = "/"
- }
- if len(opt.SessionKey) == 0 {
- opt.SessionKey = "uid"
- }
- opt.oldSessionKey = "_old_" + opt.SessionKey
- if opt.ErrorFunc == nil {
- opt.ErrorFunc = func(w http.ResponseWriter) {
- http.Error(w, "Invalid csrf token.", http.StatusBadRequest)
- }
- }
-
- return opt
- }
-
- // Csrfer maps CSRF to each request. If this request is a Get request, it will generate a new token.
- // Additionally, depending on options set, generated tokens will be sent via Header and/or Cookie.
- func Csrfer(opt CsrfOptions, ctx *Context) CSRF {
- opt = prepareOptions([]CsrfOptions{opt})
- x := &csrf{
- Secret: opt.Secret,
- Header: opt.Header,
- Form: opt.Form,
- Cookie: opt.Cookie,
- CookieDomain: opt.CookieDomain,
- CookiePath: opt.CookiePath,
- CookieHTTPOnly: opt.CookieHTTPOnly,
- ErrorFunc: opt.ErrorFunc,
- }
-
- if opt.Origin && len(ctx.Req.Header.Get("Origin")) > 0 {
- return x
- }
-
- x.ID = "0"
- uid := ctx.Session.Get(opt.SessionKey)
- if uid != nil {
- x.ID = com.ToStr(uid)
- }
-
- needsNew := false
- oldUID := ctx.Session.Get(opt.oldSessionKey)
- if oldUID == nil || oldUID.(string) != x.ID {
- needsNew = true
- _ = ctx.Session.Set(opt.oldSessionKey, x.ID)
- } else {
- // If cookie present, map existing token, else generate a new one.
- if val := ctx.GetCookie(opt.Cookie); len(val) > 0 {
- // FIXME: test coverage.
- x.Token = val
- } else {
- needsNew = true
- }
- }
-
- if needsNew {
- // FIXME: actionId.
- x.Token = GenerateToken(x.Secret, x.ID, "POST")
- if opt.SetCookie {
- var expires interface{}
- if opt.CookieLifeTime == 0 {
- expires = time.Now().AddDate(0, 0, 1)
- }
- middleware.SetCookie(ctx.Resp, opt.Cookie, x.Token,
- opt.CookieLifeTime,
- opt.CookiePath,
- opt.CookieDomain,
- opt.Secure,
- opt.CookieHTTPOnly,
- expires,
- middleware.SameSite(opt.SameSite),
- )
- }
- }
-
- if opt.SetHeader {
- ctx.Resp.Header().Add(opt.Header, x.Token)
- }
- return x
- }
-
- // Validate should be used as a per route middleware. It attempts to get a token from a "X-CSRFToken"
- // HTTP header and then a "_csrf" form value. If one of these is found, the token will be validated
- // using ValidToken. If this validation fails, custom Error is sent in the reply.
- // If neither a header or form value is found, http.StatusBadRequest is sent.
- func Validate(ctx *Context, x CSRF) {
- if token := ctx.Req.Header.Get(x.GetHeaderName()); len(token) > 0 {
- if !x.ValidToken(token) {
- // Delete the cookie
- middleware.SetCookie(ctx.Resp, x.GetCookieName(), "",
- -1,
- x.GetCookiePath(),
- x.GetCookieDomain()) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
- if middleware.IsAPIPath(ctx.Req) {
- x.Error(ctx.Resp)
- return
- }
- ctx.Flash.Error(ctx.Tr("error.invalid_csrf"))
- ctx.Redirect(setting.AppSubURL + "/")
- }
- return
- }
- if token := ctx.Req.FormValue(x.GetFormName()); len(token) > 0 {
- if !x.ValidToken(token) {
- // Delete the cookie
- middleware.SetCookie(ctx.Resp, x.GetCookieName(), "",
- -1,
- x.GetCookiePath(),
- x.GetCookieDomain()) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
- if middleware.IsAPIPath(ctx.Req) {
- x.Error(ctx.Resp)
- return
- }
- ctx.Flash.Error(ctx.Tr("error.invalid_csrf"))
- ctx.Redirect(setting.AppSubURL + "/")
- }
- return
- }
- if middleware.IsAPIPath(ctx.Req) {
- http.Error(ctx.Resp, "Bad Request: no CSRF token present", http.StatusBadRequest)
- return
- }
- ctx.Flash.Error(ctx.Tr("error.missing_csrf"))
- ctx.Redirect(setting.AppSubURL + "/")
- }
|