mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 212 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12162 Commits
17 Branches
Tree: 62a6717701
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '62a6717701'
${ noResults }
gitea/modules/context/csrf.go

csrf.go 8.3KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301 
  1. // Copyright 2013 Martini Authors

  2. // Copyright 2014 The Macaron Authors

  3. // Copyright 2021 The Gitea Authors

  4. //

  5. // Licensed under the Apache License, Version 2.0 (the "License"): you may

  6. // not use this file except in compliance with the License. You may obtain

  7. // a copy of the License at

  8. //

  9. //     http://www.apache.org/licenses/LICENSE-2.0

  10. //

  11. // Unless required by applicable law or agreed to in writing, software

  12. // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT

  13. // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the

  14. // License for the specific language governing permissions and limitations

  15. // under the License.

  16. 

  17. // a middleware that generates and validates CSRF tokens.

  18. 

  19. package context

  20. 

  21. import (

  22. 	"net/http"

  23. 	"time"

  24. 

  25. 	"code.gitea.io/gitea/modules/setting"

  26. 	"code.gitea.io/gitea/modules/web/middleware"

  27. 

  28. 	"github.com/unknwon/com"

  29. )

  30. 

  31. // CSRF represents a CSRF service and is used to get the current token and validate a suspect token.

  32. type CSRF interface {

  33. 	// Return HTTP header to search for token.

  34. 	GetHeaderName() string

  35. 	// Return form value to search for token.

  36. 	GetFormName() string

  37. 	// Return cookie name to search for token.

  38. 	GetCookieName() string

  39. 	// Return cookie path

  40. 	GetCookiePath() string

  41. 	// Return the flag value used for the csrf token.

  42. 	GetCookieHTTPOnly() bool

  43. 	// Return cookie domain

  44. 	GetCookieDomain() string

  45. 	// Return the token.

  46. 	GetToken() string

  47. 	// Validate by token.

  48. 	ValidToken(t string) bool

  49. 	// Error replies to the request with a custom function when ValidToken fails.

  50. 	Error(w http.ResponseWriter)

  51. }

  52. 

  53. type csrf struct {

  54. 	// Header name value for setting and getting csrf token.

  55. 	Header string

  56. 	// Form name value for setting and getting csrf token.

  57. 	Form string

  58. 	// Cookie name value for setting and getting csrf token.

  59. 	Cookie string

  60. 	//Cookie domain

  61. 	CookieDomain string

  62. 	//Cookie path

  63. 	CookiePath string

  64. 	// Cookie HttpOnly flag value used for the csrf token.

  65. 	CookieHTTPOnly bool

  66. 	// Token generated to pass via header, cookie, or hidden form value.

  67. 	Token string

  68. 	// This value must be unique per user.

  69. 	ID string

  70. 	// Secret used along with the unique id above to generate the Token.

  71. 	Secret string

  72. 	// ErrorFunc is the custom function that replies to the request when ValidToken fails.

  73. 	ErrorFunc func(w http.ResponseWriter)

  74. }

  75. 

  76. // GetHeaderName returns the name of the HTTP header for csrf token.

  77. func (c *csrf) GetHeaderName() string {

  78. 	return c.Header

  79. }

  80. 

  81. // GetFormName returns the name of the form value for csrf token.

  82. func (c *csrf) GetFormName() string {

  83. 	return c.Form

  84. }

  85. 

  86. // GetCookieName returns the name of the cookie for csrf token.

  87. func (c *csrf) GetCookieName() string {

  88. 	return c.Cookie

  89. }

  90. 

  91. // GetCookiePath returns the path of the cookie for csrf token.

  92. func (c *csrf) GetCookiePath() string {

  93. 	return c.CookiePath

  94. }

  95. 

  96. // GetCookieHTTPOnly returns the flag value used for the csrf token.

  97. func (c *csrf) GetCookieHTTPOnly() bool {

  98. 	return c.CookieHTTPOnly

  99. }

  100. 

  101. // GetCookieDomain returns the flag value used for the csrf token.

  102. func (c *csrf) GetCookieDomain() string {

  103. 	return c.CookieDomain

  104. }

  105. 

  106. // GetToken returns the current token. This is typically used

  107. // to populate a hidden form in an HTML template.

  108. func (c *csrf) GetToken() string {

  109. 	return c.Token

  110. }

  111. 

  112. // ValidToken validates the passed token against the existing Secret and ID.

  113. func (c *csrf) ValidToken(t string) bool {

  114. 	return ValidToken(t, c.Secret, c.ID, "POST")

  115. }

  116. 

  117. // Error replies to the request when ValidToken fails.

  118. func (c *csrf) Error(w http.ResponseWriter) {

  119. 	c.ErrorFunc(w)

  120. }

  121. 

  122. // CsrfOptions maintains options to manage behavior of Generate.

  123. type CsrfOptions struct {

  124. 	// The global secret value used to generate Tokens.

  125. 	Secret string

  126. 	// HTTP header used to set and get token.

  127. 	Header string

  128. 	// Form value used to set and get token.

  129. 	Form string

  130. 	// Cookie value used to set and get token.

  131. 	Cookie string

  132. 	// Cookie domain.

  133. 	CookieDomain string

  134. 	// Cookie path.

  135. 	CookiePath     string

  136. 	CookieHTTPOnly bool

  137. 	// SameSite set the cookie SameSite type

  138. 	SameSite http.SameSite

  139. 	// Key used for getting the unique ID per user.

  140. 	SessionKey string

  141. 	// oldSessionKey saves old value corresponding to SessionKey.

  142. 	oldSessionKey string

  143. 	// If true, send token via X-CSRFToken header.

  144. 	SetHeader bool

  145. 	// If true, send token via _csrf cookie.

  146. 	SetCookie bool

  147. 	// Set the Secure flag to true on the cookie.

  148. 	Secure bool

  149. 	// Disallow Origin appear in request header.

  150. 	Origin bool

  151. 	// The function called when Validate fails.

  152. 	ErrorFunc func(w http.ResponseWriter)

  153. 	// Cookie life time. Default is 0

  154. 	CookieLifeTime int

  155. }

  156. 

  157. func prepareOptions(options []CsrfOptions) CsrfOptions {

  158. 	var opt CsrfOptions

  159. 	if len(options) > 0 {

  160. 		opt = options[0]

  161. 	}

  162. 

  163. 	// Defaults.

  164. 	if len(opt.Secret) == 0 {

  165. 		opt.Secret = string(com.RandomCreateBytes(10))

  166. 	}

  167. 	if len(opt.Header) == 0 {

  168. 		opt.Header = "X-CSRFToken"

  169. 	}

  170. 	if len(opt.Form) == 0 {

  171. 		opt.Form = "_csrf"

  172. 	}

  173. 	if len(opt.Cookie) == 0 {

  174. 		opt.Cookie = "_csrf"

  175. 	}

  176. 	if len(opt.CookiePath) == 0 {

  177. 		opt.CookiePath = "/"

  178. 	}

  179. 	if len(opt.SessionKey) == 0 {

  180. 		opt.SessionKey = "uid"

  181. 	}

  182. 	opt.oldSessionKey = "_old_" + opt.SessionKey

  183. 	if opt.ErrorFunc == nil {

  184. 		opt.ErrorFunc = func(w http.ResponseWriter) {

  185. 			http.Error(w, "Invalid csrf token.", http.StatusBadRequest)

  186. 		}

  187. 	}

  188. 

  189. 	return opt

  190. }

  191. 

  192. // Csrfer maps CSRF to each request. If this request is a Get request, it will generate a new token.

  193. // Additionally, depending on options set, generated tokens will be sent via Header and/or Cookie.

  194. func Csrfer(opt CsrfOptions, ctx *Context) CSRF {

  195. 	opt = prepareOptions([]CsrfOptions{opt})

  196. 	x := &csrf{

  197. 		Secret:         opt.Secret,

  198. 		Header:         opt.Header,

  199. 		Form:           opt.Form,

  200. 		Cookie:         opt.Cookie,

  201. 		CookieDomain:   opt.CookieDomain,

  202. 		CookiePath:     opt.CookiePath,

  203. 		CookieHTTPOnly: opt.CookieHTTPOnly,

  204. 		ErrorFunc:      opt.ErrorFunc,

  205. 	}

  206. 

  207. 	if opt.Origin && len(ctx.Req.Header.Get("Origin")) > 0 {

  208. 		return x

  209. 	}

  210. 

  211. 	x.ID = "0"

  212. 	uid := ctx.Session.Get(opt.SessionKey)

  213. 	if uid != nil {

  214. 		x.ID = com.ToStr(uid)

  215. 	}

  216. 

  217. 	needsNew := false

  218. 	oldUID := ctx.Session.Get(opt.oldSessionKey)

  219. 	if oldUID == nil || oldUID.(string) != x.ID {

  220. 		needsNew = true

  221. 		_ = ctx.Session.Set(opt.oldSessionKey, x.ID)

  222. 	} else {

  223. 		// If cookie present, map existing token, else generate a new one.

  224. 		if val := ctx.GetCookie(opt.Cookie); len(val) > 0 {

  225. 			// FIXME: test coverage.

  226. 			x.Token = val

  227. 		} else {

  228. 			needsNew = true

  229. 		}

  230. 	}

  231. 

  232. 	if needsNew {

  233. 		// FIXME: actionId.

  234. 		x.Token = GenerateToken(x.Secret, x.ID, "POST")

  235. 		if opt.SetCookie {

  236. 			var expires interface{}

  237. 			if opt.CookieLifeTime == 0 {

  238. 				expires = time.Now().AddDate(0, 0, 1)

  239. 			}

  240. 			middleware.SetCookie(ctx.Resp, opt.Cookie, x.Token,

  241. 				opt.CookieLifeTime,

  242. 				opt.CookiePath,

  243. 				opt.CookieDomain,

  244. 				opt.Secure,

  245. 				opt.CookieHTTPOnly,

  246. 				expires,

  247. 				middleware.SameSite(opt.SameSite),

  248. 			)

  249. 		}

  250. 	}

  251. 

  252. 	if opt.SetHeader {

  253. 		ctx.Resp.Header().Add(opt.Header, x.Token)

  254. 	}

  255. 	return x

  256. }

  257. 

  258. // Validate should be used as a per route middleware. It attempts to get a token from a "X-CSRFToken"

  259. // HTTP header and then a "_csrf" form value. If one of these is found, the token will be validated

  260. // using ValidToken. If this validation fails, custom Error is sent in the reply.

  261. // If neither a header or form value is found, http.StatusBadRequest is sent.

  262. func Validate(ctx *Context, x CSRF) {

  263. 	if token := ctx.Req.Header.Get(x.GetHeaderName()); len(token) > 0 {

  264. 		if !x.ValidToken(token) {

  265. 			// Delete the cookie

  266. 			middleware.SetCookie(ctx.Resp, x.GetCookieName(), "",

  267. 				-1,

  268. 				x.GetCookiePath(),

  269. 				x.GetCookieDomain()) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?

  270. 			if middleware.IsAPIPath(ctx.Req) {

  271. 				x.Error(ctx.Resp)

  272. 				return

  273. 			}

  274. 			ctx.Flash.Error(ctx.Tr("error.invalid_csrf"))

  275. 			ctx.Redirect(setting.AppSubURL + "/")

  276. 		}

  277. 		return

  278. 	}

  279. 	if token := ctx.Req.FormValue(x.GetFormName()); len(token) > 0 {

  280. 		if !x.ValidToken(token) {

  281. 			// Delete the cookie

  282. 			middleware.SetCookie(ctx.Resp, x.GetCookieName(), "",

  283. 				-1,

  284. 				x.GetCookiePath(),

  285. 				x.GetCookieDomain()) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?

  286. 			if middleware.IsAPIPath(ctx.Req) {

  287. 				x.Error(ctx.Resp)

  288. 				return

  289. 			}

  290. 			ctx.Flash.Error(ctx.Tr("error.invalid_csrf"))

  291. 			ctx.Redirect(setting.AppSubURL + "/")

  292. 		}

  293. 		return

  294. 	}

  295. 	if middleware.IsAPIPath(ctx.Req) {

  296. 		http.Error(ctx.Resp, "Bad Request: no CSRF token present", http.StatusBadRequest)

  297. 		return

  298. 	}

  299. 	ctx.Flash.Error(ctx.Tr("error.missing_csrf"))

  300. 	ctx.Redirect(setting.AppSubURL + "/")

  301. }