CSRF Support + better key for context
* Added new dep: gorilla/csrf * CSRF field in forms * CSRF variable in commontemplatevariables * New key for messages and user context Please change EnableSecureCSRF to false when testing locally and don't merge config/env.go with the changes
Cette révision appartient à :
Parent
c570557477
révision
3ec367a759
|
@ -173,6 +173,11 @@
|
|||
"Comment": "v1.1-7-g08b5f42",
|
||||
"Rev": "08b5f424b9271eedf6f9f0ce86cb9396ed337a42"
|
||||
},
|
||||
{
|
||||
"ImportPath": "github.com/gorilla/csrf",
|
||||
"Comment": "v1.5-4-ge6dca67",
|
||||
"Rev": "e6dca6753d92320b18aaf5d4682691b96f7b4564"
|
||||
},
|
||||
{
|
||||
"ImportPath": "github.com/gorilla/handlers",
|
||||
"Comment": "v1.2-4-g13d7309",
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
package config
|
||||
|
||||
// /!\ PLEASE DONT PULL THIS FILE UNLESS NEEDED CHANGES /!\
|
||||
|
||||
// TODO: Perform environment configuration at runtime
|
||||
// Future hosts shouldn't have to rebuild the binary to update a setting
|
||||
|
||||
|
@ -10,4 +12,6 @@ const (
|
|||
WebAddress = "nyaa.pantsu.cat"
|
||||
// AuthTokenExpirationDay : Number of Days for token expiration when logged in
|
||||
AuthTokenExpirationDay = 1000
|
||||
// EnableSecureCSRF : Enable CSRF https mode : True if website support https, false otherwise (eg. testing locally: false)
|
||||
EnableSecureCSRF = true
|
||||
)
|
||||
|
|
10
main.go
10
main.go
|
@ -17,10 +17,11 @@ import (
|
|||
"github.com/NyaaPantsu/nyaa/service/scraper"
|
||||
"github.com/NyaaPantsu/nyaa/service/torrent/metainfoFetcher"
|
||||
"github.com/NyaaPantsu/nyaa/service/user"
|
||||
"github.com/NyaaPantsu/nyaa/util/publicSettings"
|
||||
"github.com/NyaaPantsu/nyaa/util/log"
|
||||
"github.com/NyaaPantsu/nyaa/util/publicSettings"
|
||||
"github.com/NyaaPantsu/nyaa/util/search"
|
||||
"github.com/NyaaPantsu/nyaa/util/signals"
|
||||
"github.com/gorilla/csrf"
|
||||
)
|
||||
|
||||
// RunServer runs webapp mainloop
|
||||
|
@ -29,8 +30,13 @@ func RunServer(conf *config.Config) {
|
|||
os.Mkdir(router.DatabaseDumpPath, 700)
|
||||
// TODO Use config from cli
|
||||
os.Mkdir(router.GPGPublicKeyPath, 700)
|
||||
http.Handle("/", router.Router)
|
||||
|
||||
// Please make EnableSecureCSRF to false when testing locally
|
||||
if config.EnableSecureCSRF {
|
||||
http.Handle("/", csrf.Protect([]byte("q8satbudwexfzh2j3m5n6p8r9satcvsd"))(router.Router))
|
||||
} else {
|
||||
http.Handle("/", csrf.Protect([]byte("q8satbudwexfzh2j3m5n6p8r9satcvsd"), csrf.Secure(false))(router.Router))
|
||||
}
|
||||
// Set up server,
|
||||
srv := &http.Server{
|
||||
WriteTimeout: 30 * time.Second,
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package router
|
||||
|
||||
import (
|
||||
"html/template"
|
||||
"net/http"
|
||||
"net/url"
|
||||
|
||||
|
@ -10,6 +11,7 @@ import (
|
|||
userForms "github.com/NyaaPantsu/nyaa/service/user/form"
|
||||
"github.com/NyaaPantsu/nyaa/util/filelist"
|
||||
"github.com/NyaaPantsu/nyaa/util/publicSettings"
|
||||
"github.com/gorilla/csrf"
|
||||
"github.com/gorilla/mux"
|
||||
)
|
||||
|
||||
|
@ -102,6 +104,7 @@ type commonTemplateVariables struct {
|
|||
User *model.User
|
||||
URL *url.URL // for parsing URL in templates
|
||||
Route *mux.Route // for getting current route in templates
|
||||
CsrfField template.HTML
|
||||
}
|
||||
|
||||
type navigation struct {
|
||||
|
@ -152,5 +155,6 @@ func newCommonVariables(r *http.Request) commonTemplateVariables {
|
|||
User: getUser(r),
|
||||
URL: r.URL,
|
||||
Route: mux.CurrentRoute(r),
|
||||
CsrfField: csrf.TemplateField(r),
|
||||
}
|
||||
}
|
||||
|
|
|
@ -84,7 +84,7 @@ func ViewHeadHandler(w http.ResponseWriter, r *http.Request) {
|
|||
|
||||
// PostCommentHandler : Controller for posting a comment
|
||||
func PostCommentHandler(w http.ResponseWriter, r *http.Request) {
|
||||
defer r.Body.Close()
|
||||
//defer r.Body.Close()
|
||||
vars := mux.Vars(r)
|
||||
id := vars["id"]
|
||||
|
||||
|
|
|
@ -21,7 +21,7 @@ const (
|
|||
// CookieName : Name of cookie
|
||||
CookieName = "session"
|
||||
// UserContextKey : key for user context
|
||||
UserContextKey = "user"
|
||||
UserContextKey = "nyaapantsu.user"
|
||||
)
|
||||
|
||||
// If you want to keep login cookies between restarts you need to make these permanent
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
{{ define "csrf_field"}}
|
||||
{{$.CsrfField}}
|
||||
{{end}}
|
|
@ -9,6 +9,7 @@
|
|||
<h3>{{ call $.T "personal_info"}}</h3>
|
||||
<div class="user-edit">
|
||||
<form role="form" method="POST">
|
||||
{{ block "csrf_field" $ }}{{end}}
|
||||
<label class="input-label">{{call $.T "api_token" }}:</label>
|
||||
<p style="font-family: monospace;">{{.APIToken}}</p>
|
||||
<a class="form-input up-input" href="{{ genRoute "user_profile_apireset" "id" (print .ID) "username" .Username }}">Reset Api key</a> <br> <br>
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
{{define "content"}}
|
||||
{{with .Form}}
|
||||
<form enctype="multipart/form-data" role="upload" method="POST">
|
||||
{{ block "csrf_field" $ }}{{end}}
|
||||
{{ range (index $.FormInfos "infos")}}
|
||||
<div class="alert alert-info"><a class="panel-close close" data-dismiss="alert">×</a><i class="glyphicon glyphicon-info-sign"></i> {{ . }}</div>
|
||||
{{end}}
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
{{define "title"}}Torrent Reassign{{end}}
|
||||
{{define "content"}}
|
||||
<form enctype="multipart/form-data" method="POST">
|
||||
{{ block "csrf_field" $ }}{{end}}
|
||||
{{ range (index $.FormInfos "infos")}}
|
||||
<div class="alert alert-info"><a class="panel-close close" data-dismiss="alert">×</a><i class="glyphicon glyphicon-info-sign"></i> {{ . }}</div>
|
||||
{{end}}
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
{{define "content"}}
|
||||
<div class="blockBody">
|
||||
<form method="post" action="">
|
||||
{{ block "csrf_field" $ }}{{end}}
|
||||
{{ range (index $.Infos "infos")}}
|
||||
<div class="alert alert-info"><a class="panel-close close" data-dismiss="alert">×</a><i class="glyphicon glyphicon-info-sign"></i> {{ . }}</div>
|
||||
{{end}}
|
||||
|
|
|
@ -64,7 +64,8 @@
|
|||
|
||||
<div class="container" id="container">
|
||||
<form class="navbar-form navbar-right" role="search" action="{{ genRoute "mod_tlist" }}" method="get">
|
||||
<div class="form-group">
|
||||
{{ block "csrf_field" $ }}{{end}}
|
||||
<div class="form-group">
|
||||
{{block "search_common" .}}{{end}}
|
||||
</div>
|
||||
<div class="form-group">
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
<div class="blockBody">
|
||||
<hr>
|
||||
<form role="form" method="POST">
|
||||
{{ block "csrf_field" $ }}{{end}}
|
||||
<div class="form-group">
|
||||
<h3>{{call $.T "language"}}</h3>
|
||||
<select id="language" name="language" class="form-input">
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
{{with .Form}}
|
||||
<div style="text-align: left;" class="box">
|
||||
<form enctype="multipart/form-data" role="upload" method="POST">
|
||||
{{ block "csrf_field" $ }}{{end}}
|
||||
{{ range (index $.FormErrors "errors")}}
|
||||
<div class="alert alert-danger"><a class="panel-close close" data-dismiss="alert">×</a><i class="glyphicon glyphicon-exclamation-sign"></i> {{ . }}</div>
|
||||
{{end}}
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
<div class="box">
|
||||
<div class="user-form">
|
||||
<form role="form" method="POST">
|
||||
{{ block "csrf_field" $ }}{{end}}
|
||||
<h2>{{call $.T "sign_in_box_title"}}</h2>
|
||||
{{ range (index $.FormErrors "errors")}}
|
||||
<div class="alert alert-danger">{{ . }}</div>
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
<div class="box">
|
||||
<div class="user-form">
|
||||
<form role="form" method="POST">
|
||||
{{ block "csrf_field" $ }}{{end}}
|
||||
<h2>{{call $.T "signup_box_title" }}</h2>
|
||||
{{ range (index $.FormErrors "errors")}}
|
||||
<div class="alert alert-danger">{{ . }}</div>
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
<div class="blockBody">
|
||||
{{with .Form}}
|
||||
<form enctype="multipart/form-data" role="upload" method="POST">
|
||||
{{ block "csrf_field" $ }}{{end}}
|
||||
{{ range (index $.FormInfos "infos")}}
|
||||
<div class="alert alert-info"><a class="panel-close close" data-dismiss="alert">×</a><i class="glyphicon glyphicon-info-sign"></i> {{ . }}</div>
|
||||
{{end}}
|
||||
|
|
|
@ -74,6 +74,7 @@
|
|||
<h4>{{ call $.T "report_torrent_number" (print $.Torrent.ID) }}</h4>
|
||||
<b>{{ call $.T "report_type" }}:</b>
|
||||
<form method="post" action="/report/{{$.Torrent.ID}}">
|
||||
{{ block "csrf_field" $ }}{{end}}
|
||||
<input type="radio" name="report_type" value="illegal" id="illegal" required> <label for="illegal">{{ call $.T "illegal_content" }}</label><br />
|
||||
<input type="radio" name="report_type" value="spam" id="spam" required> <label for="spam">{{ call $.T "spam_garbage" }}</label><br />
|
||||
<input type="radio" name="report_type" value="wrongcat" id="wrongcat" required> <label for="wrongcat">{{ call $.T "wrong_category" }}</label><br />
|
||||
|
@ -124,6 +125,7 @@
|
|||
{{end}}
|
||||
<div style="margin-top: 10px" class="torrent-info-box">
|
||||
<form method="post">
|
||||
{{ block "csrf_field" $ }}{{end}}
|
||||
<div class="comment-form">
|
||||
<div class="comment-text">
|
||||
<h3>{{ if gt .User.ID 0}} {{call $.T "submit_a_comment_as_username" .User.Username}} {{else}} {{call $.T "submit_a_comment_as_anonymous"}} {{end}}</h3>
|
||||
|
|
|
@ -10,7 +10,7 @@ import (
|
|||
)
|
||||
|
||||
// MessagesKey : use for context
|
||||
const MessagesKey = "messages"
|
||||
const MessagesKey = "nyaapantsu.messages"
|
||||
|
||||
// Messages struct
|
||||
type Messages struct {
|
||||
|
|
|
@ -0,0 +1,22 @@
|
|||
language: go
|
||||
sudo: false
|
||||
|
||||
matrix:
|
||||
include:
|
||||
- go: 1.2
|
||||
- go: 1.3
|
||||
- go: 1.4
|
||||
- go: 1.5
|
||||
- go: 1.6
|
||||
- go: tip
|
||||
allow_failures:
|
||||
- go: tip
|
||||
|
||||
install:
|
||||
- # skip
|
||||
|
||||
script:
|
||||
- go get -t -v ./...
|
||||
- diff -u <(echo -n) <(gofmt -d .)
|
||||
- go vet $(go list ./... | grep -v /vendor/)
|
||||
- go test -v -race ./...
|
|
@ -0,0 +1,27 @@
|
|||
Copyright (c) 2015, Matt Silverlock (matt@eatsleeprepeat.net) All rights
|
||||
reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification,
|
||||
are permitted provided that the following conditions are met:
|
||||
|
||||
1. Redistributions of source code must retain the above copyright notice, this
|
||||
list of conditions and the following disclaimer.
|
||||
|
||||
2. Redistributions in binary form must reproduce the above copyright notice,
|
||||
this list of conditions and the following disclaimer in the documentation and/or
|
||||
other materials provided with the distribution.
|
||||
|
||||
3. Neither the name of the copyright holder nor the names of its contributors
|
||||
may be used to endorse or promote products derived from this software without
|
||||
specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
|
||||
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
|
||||
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
|
||||
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
@ -0,0 +1,232 @@
|
|||
# gorilla/csrf
|
||||
[![GoDoc](https://godoc.org/github.com/gorilla/csrf?status.svg)](https://godoc.org/github.com/gorilla/csrf) [![Build Status](https://travis-ci.org/gorilla/csrf.svg?branch=master)](https://travis-ci.org/gorilla/csrf) [![Sourcegraph](https://sourcegraph.com/github.com/gorilla/csrf/-/badge.svg)](https://sourcegraph.com/github.com/gorilla/csrf?badge)
|
||||
|
||||
gorilla/csrf is a HTTP middleware library that provides [cross-site request
|
||||
forgery](http://blog.codinghorror.com/preventing-csrf-and-xsrf-attacks/) (CSRF)
|
||||
protection. It includes:
|
||||
|
||||
* The `csrf.Protect` middleware/handler provides CSRF protection on routes
|
||||
attached to a router or a sub-router.
|
||||
* A `csrf.Token` function that provides the token to pass into your response,
|
||||
whether that be a HTML form or a JSON response body.
|
||||
* ... and a `csrf.TemplateField` helper that you can pass into your `html/template`
|
||||
templates to replace a `{{ .csrfField }}` template tag with a hidden input
|
||||
field.
|
||||
|
||||
gorilla/csrf is designed to work with any Go web framework, including:
|
||||
|
||||
* The [Gorilla](http://www.gorillatoolkit.org/) toolkit
|
||||
* Go's built-in [net/http](http://golang.org/pkg/net/http/) package
|
||||
* [Goji](https://goji.io) - see the [tailored fork](https://github.com/goji/csrf)
|
||||
* [Gin](https://github.com/gin-gonic/gin)
|
||||
* [Echo](https://github.com/labstack/echo)
|
||||
* ... and any other router/framework that rallies around Go's `http.Handler` interface.
|
||||
|
||||
gorilla/csrf is also compatible with middleware 'helper' libraries like
|
||||
[Alice](https://github.com/justinas/alice) and [Negroni](https://github.com/codegangsta/negroni).
|
||||
|
||||
## Install
|
||||
|
||||
With a properly configured Go toolchain:
|
||||
```sh
|
||||
go get github.com/gorilla/csrf
|
||||
```
|
||||
|
||||
## Examples
|
||||
|
||||
* [HTML Forms](#html-forms)
|
||||
* [JavaScript Apps](#javascript-applications)
|
||||
* [Google App Engine](#google-app-engine)
|
||||
* [Setting Options](#setting-options)
|
||||
|
||||
gorilla/csrf is easy to use: add the middleware to your router with
|
||||
the below:
|
||||
|
||||
```go
|
||||
CSRF := csrf.Protect([]byte("32-byte-long-auth-key"))
|
||||
http.ListenAndServe(":8000", CSRF(r))
|
||||
```
|
||||
|
||||
...and then collect the token with `csrf.Token(r)` in your handlers before
|
||||
passing it to the template, JSON body or HTTP header (see below).
|
||||
|
||||
Note that the authentication key passed to `csrf.Protect([]byte(key))` should be
|
||||
32-bytes long and persist across application restarts. Generating a random key
|
||||
won't allow you to authenticate existing cookies and will break your CSRF
|
||||
validation.
|
||||
|
||||
gorilla/csrf inspects the HTTP headers (first) and form body (second) on
|
||||
subsequent POST/PUT/PATCH/DELETE/etc. requests for the token.
|
||||
|
||||
### HTML Forms
|
||||
|
||||
Here's the common use-case: HTML forms you want to provide CSRF protection for,
|
||||
in order to protect malicious POST requests being made:
|
||||
|
||||
```go
|
||||
package main
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
|
||||
"github.com/gorilla/csrf"
|
||||
"github.com/gorilla/mux"
|
||||
)
|
||||
|
||||
func main() {
|
||||
r := mux.NewRouter()
|
||||
r.HandleFunc("/signup", ShowSignupForm)
|
||||
// All POST requests without a valid token will return HTTP 403 Forbidden.
|
||||
r.HandleFunc("/signup/post", SubmitSignupForm)
|
||||
|
||||
// Add the middleware to your router by wrapping it.
|
||||
http.ListenAndServe(":8000",
|
||||
csrf.Protect([]byte("32-byte-long-auth-key"))(r))
|
||||
// PS: Don't forget to pass csrf.Secure(false) if you're developing locally
|
||||
// over plain HTTP (just don't leave it on in production).
|
||||
}
|
||||
|
||||
func ShowSignupForm(w http.ResponseWriter, r *http.Request) {
|
||||
// signup_form.tmpl just needs a {{ .csrfField }} template tag for
|
||||
// csrf.TemplateField to inject the CSRF token into. Easy!
|
||||
t.ExecuteTemplate(w, "signup_form.tmpl", map[string]interface{}{
|
||||
csrf.TemplateTag: csrf.TemplateField(r),
|
||||
})
|
||||
// We could also retrieve the token directly from csrf.Token(r) and
|
||||
// set it in the request header - w.Header.Set("X-CSRF-Token", token)
|
||||
// This is useful if you're sending JSON to clients or a front-end JavaScript
|
||||
// framework.
|
||||
}
|
||||
|
||||
func SubmitSignupForm(w http.ResponseWriter, r *http.Request) {
|
||||
// We can trust that requests making it this far have satisfied
|
||||
// our CSRF protection requirements.
|
||||
}
|
||||
```
|
||||
|
||||
Note that the CSRF middleware will (by necessity) consume the request body if the
|
||||
token is passed via POST form values. If you need to consume this in your
|
||||
handler, insert your own middleware earlier in the chain to capture the request
|
||||
body.
|
||||
|
||||
### JavaScript Applications
|
||||
|
||||
This approach is useful if you're using a front-end JavaScript framework like
|
||||
React, Ember or Angular, or are providing a JSON API.
|
||||
|
||||
We'll also look at applying selective CSRF protection using
|
||||
[gorilla/mux's](http://www.gorillatoolkit.org/pkg/mux) sub-routers,
|
||||
as we don't handle any POST/PUT/DELETE requests with our top-level router.
|
||||
|
||||
```go
|
||||
package main
|
||||
|
||||
import (
|
||||
"github.com/gorilla/csrf"
|
||||
"github.com/gorilla/mux"
|
||||
)
|
||||
|
||||
func main() {
|
||||
r := mux.NewRouter()
|
||||
|
||||
api := r.PathPrefix("/api").Subrouter()
|
||||
api.HandleFunc("/user/{id}", GetUser).Methods("GET")
|
||||
|
||||
http.ListenAndServe(":8000",
|
||||
csrf.Protect([]byte("32-byte-long-auth-key"))(r))
|
||||
}
|
||||
|
||||
func GetUser(w http.ResponseWriter, r *http.Request) {
|
||||
// Authenticate the request, get the id from the route params,
|
||||
// and fetch the user from the DB, etc.
|
||||
|
||||
// Get the token and pass it in the CSRF header. Our JSON-speaking client
|
||||
// or JavaScript framework can now read the header and return the token in
|
||||
// in its own "X-CSRF-Token" request header on the subsequent POST.
|
||||
w.Header().Set("X-CSRF-Token", csrf.Token(r))
|
||||
b, err := json.Marshal(user)
|
||||
if err != nil {
|
||||
http.Error(w, err.Error(), 500)
|
||||
return
|
||||
}
|
||||
|
||||
w.Write(b)
|
||||
}
|
||||
```
|
||||
|
||||
### Google App Engine
|
||||
|
||||
If you're using [Google App
|
||||
Engine](https://cloud.google.com/appengine/docs/go/how-requests-are-handled#Go_Requests_and_HTTP),
|
||||
which doesn't allow you to hook into the default `http.ServeMux` directly,
|
||||
you can still use gorilla/csrf (and gorilla/mux):
|
||||
|
||||
```go
|
||||
package app
|
||||
|
||||
// Remember: appengine has its own package main
|
||||
func init() {
|
||||
r := mux.NewRouter()
|
||||
r.HandleFunc("/", IndexHandler)
|
||||
// ...
|
||||
|
||||
// We pass our CSRF-protected router to the DefaultServeMux
|
||||
http.Handle("/", csrf.Protect([]byte(your-key))(r))
|
||||
}
|
||||
```
|
||||
|
||||
### Setting Options
|
||||
|
||||
What about providing your own error handler and changing the HTTP header the
|
||||
package inspects on requests? (i.e. an existing API you're porting to Go). Well,
|
||||
gorilla/csrf provides options for changing these as you see fit:
|
||||
|
||||
```go
|
||||
func main() {
|
||||
CSRF := csrf.Protect(
|
||||
[]byte("a-32-byte-long-key-goes-here"),
|
||||
csrf.RequestHeader("Authenticity-Token"),
|
||||
csrf.FieldName("authenticity_token"),
|
||||
csrf.ErrorHandler(http.HandlerFunc(serverError(403))),
|
||||
)
|
||||
|
||||
r := mux.NewRouter()
|
||||
r.HandleFunc("/signup", GetSignupForm)
|
||||
r.HandleFunc("/signup/post", PostSignupForm)
|
||||
|
||||
http.ListenAndServe(":8000", CSRF(r))
|
||||
}
|
||||
```
|
||||
|
||||
Not too bad, right?
|
||||
|
||||
If there's something you're confused about or a feature you would like to see
|
||||
added, open an issue.
|
||||
|
||||
## Design Notes
|
||||
|
||||
Getting CSRF protection right is important, so here's some background:
|
||||
|
||||
* This library generates unique-per-request (masked) tokens as a mitigation
|
||||
against the [BREACH attack](http://breachattack.com/).
|
||||
* The 'base' (unmasked) token is stored in the session, which means that
|
||||
multiple browser tabs won't cause a user problems as their per-request token
|
||||
is compared with the base token.
|
||||
* Operates on a "whitelist only" approach where safe (non-mutating) HTTP methods
|
||||
(GET, HEAD, OPTIONS, TRACE) are the *only* methods where token validation is not
|
||||
enforced.
|
||||
* The design is based on the battle-tested
|
||||
[Django](https://docs.djangoproject.com/en/1.8/ref/csrf/) and [Ruby on
|
||||
Rails](http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html)
|
||||
approaches.
|
||||
* Cookies are authenticated and based on the [securecookie](https://github.com/gorilla/securecookie)
|
||||
library. They're also Secure (issued over HTTPS only) and are HttpOnly
|
||||
by default, because sane defaults are important.
|
||||
* Go's `crypto/rand` library is used to generate the 32 byte (256 bit) tokens
|
||||
and the one-time-pad used for masking them.
|
||||
|
||||
This library does not seek to be adventurous.
|
||||
|
||||
## License
|
||||
|
||||
BSD licensed. See the LICENSE file for details.
|
|
@ -0,0 +1,29 @@
|
|||
// +build go1.7
|
||||
|
||||
package csrf
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
func contextGet(r *http.Request, key string) (interface{}, error) {
|
||||
val := r.Context().Value(key)
|
||||
if val == nil {
|
||||
return nil, errors.Errorf("no value exists in the context for key %q", key)
|
||||
}
|
||||
|
||||
return val, nil
|
||||
}
|
||||
|
||||
func contextSave(r *http.Request, key string, val interface{}) *http.Request {
|
||||
ctx := r.Context()
|
||||
ctx = context.WithValue(ctx, key, val)
|
||||
return r.WithContext(ctx)
|
||||
}
|
||||
|
||||
func contextClear(r *http.Request) {
|
||||
// no-op for go1.7+
|
||||
}
|
|
@ -0,0 +1,28 @@
|
|||
// +build !go1.7
|
||||
|
||||
package csrf
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
|
||||
"github.com/gorilla/context"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
func contextGet(r *http.Request, key string) (interface{}, error) {
|
||||
if val, ok := context.GetOk(r, key); ok {
|
||||
return val, nil
|
||||
}
|
||||
|
||||
return nil, errors.Errorf("no value exists in the context for key %q", key)
|
||||
}
|
||||
|
||||
func contextSave(r *http.Request, key string, val interface{}) *http.Request {
|
||||
context.Set(r, key, val)
|
||||
return r
|
||||
}
|
||||
|
||||
func contextClear(r *http.Request) {
|
||||
context.Clear(r)
|
||||
}
|
|
@ -0,0 +1,279 @@
|
|||
package csrf
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/url"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
|
||||
"github.com/gorilla/securecookie"
|
||||
)
|
||||
|
||||
// CSRF token length in bytes.
|
||||
const tokenLength = 32
|
||||
|
||||
// Context/session keys & prefixes
|
||||
const (
|
||||
tokenKey string = "gorilla.csrf.Token"
|
||||
formKey string = "gorilla.csrf.Form"
|
||||
errorKey string = "gorilla.csrf.Error"
|
||||
skipCheckKey string = "gorilla.csrf.Skip"
|
||||
cookieName string = "_gorilla_csrf"
|
||||
errorPrefix string = "gorilla/csrf: "
|
||||
)
|
||||
|
||||
var (
|
||||
// The name value used in form fields.
|
||||
fieldName = tokenKey
|
||||
// defaultAge sets the default MaxAge for cookies.
|
||||
defaultAge = 3600 * 12
|
||||
// The default HTTP request header to inspect
|
||||
headerName = "X-CSRF-Token"
|
||||
// Idempotent (safe) methods as defined by RFC7231 section 4.2.2.
|
||||
safeMethods = []string{"GET", "HEAD", "OPTIONS", "TRACE"}
|
||||
)
|
||||
|
||||
// TemplateTag provides a default template tag - e.g. {{ .csrfField }} - for use
|
||||
// with the TemplateField function.
|
||||
var TemplateTag = "csrfField"
|
||||
|
||||
var (
|
||||
// ErrNoReferer is returned when a HTTPS request provides an empty Referer
|
||||
// header.
|
||||
ErrNoReferer = errors.New("referer not supplied")
|
||||
// ErrBadReferer is returned when the scheme & host in the URL do not match
|
||||
// the supplied Referer header.
|
||||
ErrBadReferer = errors.New("referer invalid")
|
||||
// ErrNoToken is returned if no CSRF token is supplied in the request.
|
||||
ErrNoToken = errors.New("CSRF token not found in request")
|
||||
// ErrBadToken is returned if the CSRF token in the request does not match
|
||||
// the token in the session, or is otherwise malformed.
|
||||
ErrBadToken = errors.New("CSRF token invalid")
|
||||
)
|
||||
|
||||
type csrf struct {
|
||||
h http.Handler
|
||||
sc *securecookie.SecureCookie
|
||||
st store
|
||||
opts options
|
||||
}
|
||||
|
||||
// options contains the optional settings for the CSRF middleware.
|
||||
type options struct {
|
||||
MaxAge int
|
||||
Domain string
|
||||
Path string
|
||||
// Note that the function and field names match the case of the associated
|
||||
// http.Cookie field instead of the "correct" HTTPOnly name that golint suggests.
|
||||
HttpOnly bool
|
||||
Secure bool
|
||||
RequestHeader string
|
||||
FieldName string
|
||||
ErrorHandler http.Handler
|
||||
CookieName string
|
||||
}
|
||||
|
||||
// Protect is HTTP middleware that provides Cross-Site Request Forgery
|
||||
// protection.
|
||||
//
|
||||
// It securely generates a masked (unique-per-request) token that
|
||||
// can be embedded in the HTTP response (e.g. form field or HTTP header).
|
||||
// The original (unmasked) token is stored in the session, which is inaccessible
|
||||
// by an attacker (provided you are using HTTPS). Subsequent requests are
|
||||
// expected to include this token, which is compared against the session token.
|
||||
// Requests that do not provide a matching token are served with a HTTP 403
|
||||
// 'Forbidden' error response.
|
||||
//
|
||||
// Example:
|
||||
// package main
|
||||
//
|
||||
// import (
|
||||
// "html/template"
|
||||
//
|
||||
// "github.com/gorilla/csrf"
|
||||
// "github.com/gorilla/mux"
|
||||
// )
|
||||
//
|
||||
// var t = template.Must(template.New("signup_form.tmpl").Parse(form))
|
||||
//
|
||||
// func main() {
|
||||
// r := mux.NewRouter()
|
||||
//
|
||||
// r.HandleFunc("/signup", GetSignupForm)
|
||||
// // POST requests without a valid token will return a HTTP 403 Forbidden.
|
||||
// r.HandleFunc("/signup/post", PostSignupForm)
|
||||
//
|
||||
// // Add the middleware to your router.
|
||||
// http.ListenAndServe(":8000",
|
||||
// // Note that the authentication key provided should be 32 bytes
|
||||
// // long and persist across application restarts.
|
||||
// csrf.Protect([]byte("32-byte-long-auth-key"))(r))
|
||||
// }
|
||||
//
|
||||
// func GetSignupForm(w http.ResponseWriter, r *http.Request) {
|
||||
// // signup_form.tmpl just needs a {{ .csrfField }} template tag for
|
||||
// // csrf.TemplateField to inject the CSRF token into. Easy!
|
||||
// t.ExecuteTemplate(w, "signup_form.tmpl", map[string]interface{}{
|
||||
// csrf.TemplateTag: csrf.TemplateField(r),
|
||||
// })
|
||||
// // We could also retrieve the token directly from csrf.Token(r) and
|
||||
// // set it in the request header - w.Header.Set("X-CSRF-Token", token)
|
||||
// // This is useful if you're sending JSON to clients or a front-end JavaScript
|
||||
// // framework.
|
||||
// }
|
||||
//
|
||||
func Protect(authKey []byte, opts ...Option) func(http.Handler) http.Handler {
|
||||
return func(h http.Handler) http.Handler {
|
||||
cs := parseOptions(h, opts...)
|
||||
|
||||
// Set the defaults if no options have been specified
|
||||
if cs.opts.ErrorHandler == nil {
|
||||
cs.opts.ErrorHandler = http.HandlerFunc(unauthorizedHandler)
|
||||
}
|
||||
|
||||
if cs.opts.MaxAge < 0 {
|
||||
// Default of 12 hours
|
||||
cs.opts.MaxAge = defaultAge
|
||||
}
|
||||
|
||||
if cs.opts.FieldName == "" {
|
||||
cs.opts.FieldName = fieldName
|
||||
}
|
||||
|
||||
if cs.opts.CookieName == "" {
|
||||
cs.opts.CookieName = cookieName
|
||||
}
|
||||
|
||||
if cs.opts.RequestHeader == "" {
|
||||
cs.opts.RequestHeader = headerName
|
||||
}
|
||||
|
||||
// Create an authenticated securecookie instance.
|
||||
if cs.sc == nil {
|
||||
cs.sc = securecookie.New(authKey, nil)
|
||||
// Use JSON serialization (faster than one-off gob encoding)
|
||||
cs.sc.SetSerializer(securecookie.JSONEncoder{})
|
||||
// Set the MaxAge of the underlying securecookie.
|
||||
cs.sc.MaxAge(cs.opts.MaxAge)
|
||||
}
|
||||
|
||||
if cs.st == nil {
|
||||
// Default to the cookieStore
|
||||
cs.st = &cookieStore{
|
||||
name: cs.opts.CookieName,
|
||||
maxAge: cs.opts.MaxAge,
|
||||
secure: cs.opts.Secure,
|
||||
httpOnly: cs.opts.HttpOnly,
|
||||
path: cs.opts.Path,
|
||||
domain: cs.opts.Domain,
|
||||
sc: cs.sc,
|
||||
}
|
||||
}
|
||||
|
||||
return cs
|
||||
}
|
||||
}
|
||||
|
||||
// Implements http.Handler for the csrf type.
|
||||
func (cs *csrf) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
// Skip the check if directed to. This should always be a bool.
|
||||
if val, err := contextGet(r, skipCheckKey); err == nil {
|
||||
if skip, ok := val.(bool); ok {
|
||||
if skip {
|
||||
cs.h.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Retrieve the token from the session.
|
||||
// An error represents either a cookie that failed HMAC validation
|
||||
// or that doesn't exist.
|
||||
realToken, err := cs.st.Get(r)
|
||||
if err != nil || len(realToken) != tokenLength {
|
||||
// If there was an error retrieving the token, the token doesn't exist
|
||||
// yet, or it's the wrong length, generate a new token.
|
||||
// Note that the new token will (correctly) fail validation downstream
|
||||
// as it will no longer match the request token.
|
||||
realToken, err = generateRandomBytes(tokenLength)
|
||||
if err != nil {
|
||||
r = envError(r, err)
|
||||
cs.opts.ErrorHandler.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
|
||||
// Save the new (real) token in the session store.
|
||||
err = cs.st.Save(realToken, w)
|
||||
if err != nil {
|
||||
r = envError(r, err)
|
||||
cs.opts.ErrorHandler.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// Save the masked token to the request context
|
||||
r = contextSave(r, tokenKey, mask(realToken, r))
|
||||
// Save the field name to the request context
|
||||
r = contextSave(r, formKey, cs.opts.FieldName)
|
||||
|
||||
// HTTP methods not defined as idempotent ("safe") under RFC7231 require
|
||||
// inspection.
|
||||
if !contains(safeMethods, r.Method) {
|
||||
// Enforce an origin check for HTTPS connections. As per the Django CSRF
|
||||
// implementation (https://goo.gl/vKA7GE) the Referer header is almost
|
||||
// always present for same-domain HTTP requests.
|
||||
if r.URL.Scheme == "https" {
|
||||
// Fetch the Referer value. Call the error handler if it's empty or
|
||||
// otherwise fails to parse.
|
||||
referer, err := url.Parse(r.Referer())
|
||||
if err != nil || referer.String() == "" {
|
||||
r = envError(r, ErrNoReferer)
|
||||
cs.opts.ErrorHandler.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
|
||||
if sameOrigin(r.URL, referer) == false {
|
||||
r = envError(r, ErrBadReferer)
|
||||
cs.opts.ErrorHandler.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// If the token returned from the session store is nil for non-idempotent
|
||||
// ("unsafe") methods, call the error handler.
|
||||
if realToken == nil {
|
||||
r = envError(r, ErrNoToken)
|
||||
cs.opts.ErrorHandler.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
|
||||
// Retrieve the combined token (pad + masked) token and unmask it.
|
||||
requestToken := unmask(cs.requestToken(r))
|
||||
|
||||
// Compare the request token against the real token
|
||||
if !compareTokens(requestToken, realToken) {
|
||||
r = envError(r, ErrBadToken)
|
||||
cs.opts.ErrorHandler.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// Set the Vary: Cookie header to protect clients from caching the response.
|
||||
w.Header().Add("Vary", "Cookie")
|
||||
|
||||
// Call the wrapped handler/router on success.
|
||||
cs.h.ServeHTTP(w, r)
|
||||
// Clear the request context after the handler has completed.
|
||||
contextClear(r)
|
||||
}
|
||||
|
||||
// unauthorizedhandler sets a HTTP 403 Forbidden status and writes the
|
||||
// CSRF failure reason to the response.
|
||||
func unauthorizedHandler(w http.ResponseWriter, r *http.Request) {
|
||||
http.Error(w, fmt.Sprintf("%s - %s",
|
||||
http.StatusText(http.StatusForbidden), FailureReason(r)),
|
||||
http.StatusForbidden)
|
||||
return
|
||||
}
|
|
@ -0,0 +1,165 @@
|
|||
/*
|
||||
Package csrf (gorilla/csrf) provides Cross Site Request Forgery (CSRF)
|
||||
prevention middleware for Go web applications & services.
|
||||
|
||||
It includes:
|
||||
|
||||
* The `csrf.Protect` middleware/handler provides CSRF protection on routes
|
||||
attached to a router or a sub-router.
|
||||
* A `csrf.Token` function that provides the token to pass into your response,
|
||||
whether that be a HTML form or a JSON response body.
|
||||
* ... and a `csrf.TemplateField` helper that you can pass into your `html/template`
|
||||
templates to replace a `{{ .csrfField }}` template tag with a hidden input
|
||||
field.
|
||||
|
||||
gorilla/csrf is easy to use: add the middleware to individual handlers with
|
||||
the below:
|
||||
|
||||
CSRF := csrf.Protect([]byte("32-byte-long-auth-key"))
|
||||
http.HandlerFunc("/route", CSRF(YourHandler))
|
||||
|
||||
... and then collect the token with `csrf.Token(r)` before passing it to the
|
||||
template, JSON body or HTTP header (you pick!). gorilla/csrf inspects the form body
|
||||
(first) and HTTP headers (second) on subsequent POST/PUT/PATCH/DELETE/etc. requests
|
||||
for the token.
|
||||
|
||||
Note that the authentication key passed to `csrf.Protect([]byte(key))` should be
|
||||
32-bytes long and persist across application restarts. Generating a random key
|
||||
won't allow you to authenticate existing cookies and will break your CSRF
|
||||
validation.
|
||||
|
||||
Here's the common use-case: HTML forms you want to provide CSRF protection for,
|
||||
in order to protect malicious POST requests being made:
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"html/template"
|
||||
"net/http"
|
||||
|
||||
"github.com/gorilla/csrf"
|
||||
"github.com/gorilla/mux"
|
||||
)
|
||||
|
||||
var form = `
|
||||
<html>
|
||||
<head>
|
||||
<title>Sign Up!</title>
|
||||
</head>
|
||||
<body>
|
||||
<form method="POST" action="/signup/post" accept-charset="UTF-8">
|
||||
<input type="text" name="name">
|
||||
<input type="text" name="email">
|
||||
<!--
|
||||
The default template tag used by the CSRF middleware .
|
||||
This will be replaced with a hidden <input> field containing the
|
||||
masked CSRF token.
|
||||
-->
|
||||
{{ .csrfField }}
|
||||
<input type="submit" value="Sign up!">
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
`
|
||||
|
||||
var t = template.Must(template.New("signup_form.tmpl").Parse(form))
|
||||
|
||||
func main() {
|
||||
r := mux.NewRouter()
|
||||
r.HandleFunc("/signup", ShowSignupForm)
|
||||
// All POST requests without a valid token will return HTTP 403 Forbidden.
|
||||
r.HandleFunc("/signup/post", SubmitSignupForm)
|
||||
|
||||
// Add the middleware to your router by wrapping it.
|
||||
http.ListenAndServe(":8000",
|
||||
csrf.Protect([]byte("32-byte-long-auth-key"))(r))
|
||||
// PS: Don't forget to pass csrf.Secure(false) if you're developing locally
|
||||
// over plain HTTP (just don't leave it on in production).
|
||||
}
|
||||
|
||||
func ShowSignupForm(w http.ResponseWriter, r *http.Request) {
|
||||
// signup_form.tmpl just needs a {{ .csrfField }} template tag for
|
||||
// csrf.TemplateField to inject the CSRF token into. Easy!
|
||||
t.ExecuteTemplate(w, "signup_form.tmpl", map[string]interface{}{
|
||||
csrf.TemplateTag: csrf.TemplateField(r),
|
||||
})
|
||||
}
|
||||
|
||||
func SubmitSignupForm(w http.ResponseWriter, r *http.Request) {
|
||||
// We can trust that requests making it this far have satisfied
|
||||
// our CSRF protection requirements.
|
||||
fmt.Fprintf(w, "%v\n", r.PostForm)
|
||||
}
|
||||
|
||||
Note that the CSRF middleware will (by necessity) consume the request body if the
|
||||
token is passed via POST form values. If you need to consume this in your
|
||||
handler, insert your own middleware earlier in the chain to capture the request
|
||||
body.
|
||||
|
||||
You can also send the CSRF token in the response header. This approach is useful
|
||||
if you're using a front-end JavaScript framework like Ember or Angular, or are
|
||||
providing a JSON API:
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"github.com/gorilla/csrf"
|
||||
"github.com/gorilla/mux"
|
||||
)
|
||||
|
||||
func main() {
|
||||
r := mux.NewRouter()
|
||||
|
||||
api := r.PathPrefix("/api").Subrouter()
|
||||
api.HandleFunc("/user/:id", GetUser).Methods("GET")
|
||||
|
||||
http.ListenAndServe(":8000",
|
||||
csrf.Protect([]byte("32-byte-long-auth-key"))(r))
|
||||
}
|
||||
|
||||
func GetUser(w http.ResponseWriter, r *http.Request) {
|
||||
// Authenticate the request, get the id from the route params,
|
||||
// and fetch the user from the DB, etc.
|
||||
|
||||
// Get the token and pass it in the CSRF header. Our JSON-speaking client
|
||||
// or JavaScript framework can now read the header and return the token in
|
||||
// in its own "X-CSRF-Token" request header on the subsequent POST.
|
||||
w.Header().Set("X-CSRF-Token", csrf.Token(r))
|
||||
b, err := json.Marshal(user)
|
||||
if err != nil {
|
||||
http.Error(w, err.Error(), 500)
|
||||
return
|
||||
}
|
||||
|
||||
w.Write(b)
|
||||
}
|
||||
|
||||
If you're writing a client that's supposed to mimic browser behavior, make sure to
|
||||
send back the CSRF cookie (the default name is _gorilla_csrf, but this can be changed
|
||||
with the CookieName Option) along with either the X-CSRF-Token header or the gorilla.csrf.Token form field.
|
||||
|
||||
In addition: getting CSRF protection right is important, so here's some background:
|
||||
|
||||
* This library generates unique-per-request (masked) tokens as a mitigation
|
||||
against the [BREACH attack](http://breachattack.com/).
|
||||
* The 'base' (unmasked) token is stored in the session, which means that
|
||||
multiple browser tabs won't cause a user problems as their per-request token
|
||||
is compared with the base token.
|
||||
* Operates on a "whitelist only" approach where safe (non-mutating) HTTP methods
|
||||
(GET, HEAD, OPTIONS, TRACE) are the *only* methods where token validation is not
|
||||
enforced.
|
||||
* The design is based on the battle-tested
|
||||
[Django](https://docs.djangoproject.com/en/1.8/ref/csrf/) and [Ruby on
|
||||
Rails](http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html)
|
||||
approaches.
|
||||
* Cookies are authenticated and based on the [securecookie](https://github.com/gorilla/securecookie)
|
||||
library. They're also Secure (issued over HTTPS only) and are HttpOnly
|
||||
by default, because sane defaults are important.
|
||||
* Go's `crypto/rand` library is used to generate the 32 byte (256 bit) tokens
|
||||
and the one-time-pad used for masking them.
|
||||
|
||||
This library does not seek to be adventurous.
|
||||
|
||||
*/
|
||||
package csrf
|
|
@ -0,0 +1,203 @@
|
|||
package csrf
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"crypto/subtle"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"html/template"
|
||||
"net/http"
|
||||
"net/url"
|
||||
)
|
||||
|
||||
// Token returns a masked CSRF token ready for passing into HTML template or
|
||||
// a JSON response body. An empty token will be returned if the middleware
|
||||
// has not been applied (which will fail subsequent validation).
|
||||
func Token(r *http.Request) string {
|
||||
if val, err := contextGet(r, tokenKey); err == nil {
|
||||
if maskedToken, ok := val.(string); ok {
|
||||
return maskedToken
|
||||
}
|
||||
}
|
||||
|
||||
return ""
|
||||
}
|
||||
|
||||
// FailureReason makes CSRF validation errors available in the request context.
|
||||
// This is useful when you want to log the cause of the error or report it to
|
||||
// client.
|
||||
func FailureReason(r *http.Request) error {
|
||||
if val, err := contextGet(r, errorKey); err == nil {
|
||||
if err, ok := val.(error); ok {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// UnsafeSkipCheck will skip the CSRF check for any requests. This must be
|
||||
// called before the CSRF middleware.
|
||||
//
|
||||
// Note: You should not set this without otherwise securing the request from
|
||||
// CSRF attacks. The primary use-case for this function is to turn off CSRF
|
||||
// checks for non-browser clients using authorization tokens against your API.
|
||||
func UnsafeSkipCheck(r *http.Request) *http.Request {
|
||||
return contextSave(r, skipCheckKey, true)
|
||||
}
|
||||
|
||||
// TemplateField is a template helper for html/template that provides an <input> field
|
||||
// populated with a CSRF token.
|
||||
//
|
||||
// Example:
|
||||
//
|
||||
// // The following tag in our form.tmpl template:
|
||||
// {{ .csrfField }}
|
||||
//
|
||||
// // ... becomes:
|
||||
// <input type="hidden" name="gorilla.csrf.Token" value="<token>">
|
||||
//
|
||||
func TemplateField(r *http.Request) template.HTML {
|
||||
if name, err := contextGet(r, formKey); err == nil {
|
||||
fragment := fmt.Sprintf(`<input type="hidden" name="%s" value="%s">`,
|
||||
name, Token(r))
|
||||
|
||||
return template.HTML(fragment)
|
||||
}
|
||||
|
||||
return template.HTML("")
|
||||
}
|
||||
|
||||
// mask returns a unique-per-request token to mitigate the BREACH attack
|
||||
// as per http://breachattack.com/#mitigations
|
||||
//
|
||||
// The token is generated by XOR'ing a one-time-pad and the base (session) CSRF
|
||||
// token and returning them together as a 64-byte slice. This effectively
|
||||
// randomises the token on a per-request basis without breaking multiple browser
|
||||
// tabs/windows.
|
||||
func mask(realToken []byte, r *http.Request) string {
|
||||
otp, err := generateRandomBytes(tokenLength)
|
||||
if err != nil {
|
||||
return ""
|
||||
}
|
||||
|
||||
// XOR the OTP with the real token to generate a masked token. Append the
|
||||
// OTP to the front of the masked token to allow unmasking in the subsequent
|
||||
// request.
|
||||
return base64.StdEncoding.EncodeToString(append(otp, xorToken(otp, realToken)...))
|
||||
}
|
||||
|
||||
// unmask splits the issued token (one-time-pad + masked token) and returns the
|
||||
// unmasked request token for comparison.
|
||||
func unmask(issued []byte) []byte {
|
||||
// Issued tokens are always masked and combined with the pad.
|
||||
if len(issued) != tokenLength*2 {
|
||||
return nil
|
||||
}
|
||||
|
||||
// We now know the length of the byte slice.
|
||||
otp := issued[tokenLength:]
|
||||
masked := issued[:tokenLength]
|
||||
|
||||
// Unmask the token by XOR'ing it against the OTP used to mask it.
|
||||
return xorToken(otp, masked)
|
||||
}
|
||||
|
||||
// requestToken returns the issued token (pad + masked token) from the HTTP POST
|
||||
// body or HTTP header. It will return nil if the token fails to decode.
|
||||
func (cs *csrf) requestToken(r *http.Request) []byte {
|
||||
// 1. Check the HTTP header first.
|
||||
issued := r.Header.Get(cs.opts.RequestHeader)
|
||||
|
||||
// 2. Fall back to the POST (form) value.
|
||||
if issued == "" {
|
||||
issued = r.PostFormValue(cs.opts.FieldName)
|
||||
}
|
||||
|
||||
// 3. Finally, fall back to the multipart form (if set).
|
||||
if issued == "" && r.MultipartForm != nil {
|
||||
vals := r.MultipartForm.Value[cs.opts.FieldName]
|
||||
|
||||
if len(vals) > 0 {
|
||||
issued = vals[0]
|
||||
}
|
||||
}
|
||||
|
||||
// Decode the "issued" (pad + masked) token sent in the request. Return a
|
||||
// nil byte slice on a decoding error (this will fail upstream).
|
||||
decoded, err := base64.StdEncoding.DecodeString(issued)
|
||||
if err != nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
return decoded
|
||||
}
|
||||
|
||||
// generateRandomBytes returns securely generated random bytes.
|
||||
// It will return an error if the system's secure random number generator
|
||||
// fails to function correctly.
|
||||
func generateRandomBytes(n int) ([]byte, error) {
|
||||
b := make([]byte, n)
|
||||
_, err := rand.Read(b)
|
||||
// err == nil only if len(b) == n
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return b, nil
|
||||
|
||||
}
|
||||
|
||||
// sameOrigin returns true if URLs a and b share the same origin. The same
|
||||
// origin is defined as host (which includes the port) and scheme.
|
||||
func sameOrigin(a, b *url.URL) bool {
|
||||
return (a.Scheme == b.Scheme && a.Host == b.Host)
|
||||
}
|
||||
|
||||
// compare securely (constant-time) compares the unmasked token from the request
|
||||
// against the real token from the session.
|
||||
func compareTokens(a, b []byte) bool {
|
||||
// This is required as subtle.ConstantTimeCompare does not check for equal
|
||||
// lengths in Go versions prior to 1.3.
|
||||
if len(a) != len(b) {
|
||||
return false
|
||||
}
|
||||
|
||||
return subtle.ConstantTimeCompare(a, b) == 1
|
||||
}
|
||||
|
||||
// xorToken XORs tokens ([]byte) to provide unique-per-request CSRF tokens. It
|
||||
// will return a masked token if the base token is XOR'ed with a one-time-pad.
|
||||
// An unmasked token will be returned if a masked token is XOR'ed with the
|
||||
// one-time-pad used to mask it.
|
||||
func xorToken(a, b []byte) []byte {
|
||||
n := len(a)
|
||||
if len(b) < n {
|
||||
n = len(b)
|
||||
}
|
||||
|
||||
res := make([]byte, n)
|
||||
|
||||
for i := 0; i < n; i++ {
|
||||
res[i] = a[i] ^ b[i]
|
||||
}
|
||||
|
||||
return res
|
||||
}
|
||||
|
||||
// contains is a helper function to check if a string exists in a slice - e.g.
|
||||
// whether a HTTP method exists in a list of safe methods.
|
||||
func contains(vals []string, s string) bool {
|
||||
for _, v := range vals {
|
||||
if v == s {
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
// envError stores a CSRF error in the request context.
|
||||
func envError(r *http.Request, err error) *http.Request {
|
||||
return contextSave(r, errorKey, err)
|
||||
}
|
|
@ -0,0 +1,130 @@
|
|||
package csrf
|
||||
|
||||
import "net/http"
|
||||
|
||||
// Option describes a functional option for configuring the CSRF handler.
|
||||
type Option func(*csrf)
|
||||
|
||||
// MaxAge sets the maximum age (in seconds) of a CSRF token's underlying cookie.
|
||||
// Defaults to 12 hours.
|
||||
func MaxAge(age int) Option {
|
||||
return func(cs *csrf) {
|
||||
cs.opts.MaxAge = age
|
||||
}
|
||||
}
|
||||
|
||||
// Domain sets the cookie domain. Defaults to the current domain of the request
|
||||
// only (recommended).
|
||||
//
|
||||
// This should be a hostname and not a URL. If set, the domain is treated as
|
||||
// being prefixed with a '.' - e.g. "example.com" becomes ".example.com" and
|
||||
// matches "www.example.com" and "secure.example.com".
|
||||
func Domain(domain string) Option {
|
||||
return func(cs *csrf) {
|
||||
cs.opts.Domain = domain
|
||||
}
|
||||
}
|
||||
|
||||
// Path sets the cookie path. Defaults to the path the cookie was issued from
|
||||
// (recommended).
|
||||
//
|
||||
// This instructs clients to only respond with cookie for that path and its
|
||||
// subpaths - i.e. a cookie issued from "/register" would be included in requests
|
||||
// to "/register/step2" and "/register/submit".
|
||||
func Path(p string) Option {
|
||||
return func(cs *csrf) {
|
||||
cs.opts.Path = p
|
||||
}
|
||||
}
|
||||
|
||||
// Secure sets the 'Secure' flag on the cookie. Defaults to true (recommended).
|
||||
// Set this to 'false' in your development environment otherwise the cookie won't
|
||||
// be sent over an insecure channel. Setting this via the presence of a 'DEV'
|
||||
// environmental variable is a good way of making sure this won't make it to a
|
||||
// production environment.
|
||||
func Secure(s bool) Option {
|
||||
return func(cs *csrf) {
|
||||
cs.opts.Secure = s
|
||||
}
|
||||
}
|
||||
|
||||
// HttpOnly sets the 'HttpOnly' flag on the cookie. Defaults to true (recommended).
|
||||
func HttpOnly(h bool) Option {
|
||||
return func(cs *csrf) {
|
||||
// Note that the function and field names match the case of the
|
||||
// related http.Cookie field instead of the "correct" HTTPOnly name
|
||||
// that golint suggests.
|
||||
cs.opts.HttpOnly = h
|
||||
}
|
||||
}
|
||||
|
||||
// ErrorHandler allows you to change the handler called when CSRF request
|
||||
// processing encounters an invalid token or request. A typical use would be to
|
||||
// provide a handler that returns a static HTML file with a HTTP 403 status. By
|
||||
// default a HTTP 403 status and a plain text CSRF failure reason are served.
|
||||
//
|
||||
// Note that a custom error handler can also access the csrf.FailureReason(r)
|
||||
// function to retrieve the CSRF validation reason from the request context.
|
||||
func ErrorHandler(h http.Handler) Option {
|
||||
return func(cs *csrf) {
|
||||
cs.opts.ErrorHandler = h
|
||||
}
|
||||
}
|
||||
|
||||
// RequestHeader allows you to change the request header the CSRF middleware
|
||||
// inspects. The default is X-CSRF-Token.
|
||||
func RequestHeader(header string) Option {
|
||||
return func(cs *csrf) {
|
||||
cs.opts.RequestHeader = header
|
||||
}
|
||||
}
|
||||
|
||||
// FieldName allows you to change the name attribute of the hidden <input> field
|
||||
// inspected by this package. The default is 'gorilla.csrf.Token'.
|
||||
func FieldName(name string) Option {
|
||||
return func(cs *csrf) {
|
||||
cs.opts.FieldName = name
|
||||
}
|
||||
}
|
||||
|
||||
// CookieName changes the name of the CSRF cookie issued to clients.
|
||||
//
|
||||
// Note that cookie names should not contain whitespace, commas, semicolons,
|
||||
// backslashes or control characters as per RFC6265.
|
||||
func CookieName(name string) Option {
|
||||
return func(cs *csrf) {
|
||||
cs.opts.CookieName = name
|
||||
}
|
||||
}
|
||||
|
||||
// setStore sets the store used by the CSRF middleware.
|
||||
// Note: this is private (for now) to allow for internal API changes.
|
||||
func setStore(s store) Option {
|
||||
return func(cs *csrf) {
|
||||
cs.st = s
|
||||
}
|
||||
}
|
||||
|
||||
// parseOptions parses the supplied options functions and returns a configured
|
||||
// csrf handler.
|
||||
func parseOptions(h http.Handler, opts ...Option) *csrf {
|
||||
// Set the handler to call after processing.
|
||||
cs := &csrf{
|
||||
h: h,
|
||||
}
|
||||
|
||||
// Default to true. See Secure & HttpOnly function comments for rationale.
|
||||
// Set here to allow package users to override the default.
|
||||
cs.opts.Secure = true
|
||||
cs.opts.HttpOnly = true
|
||||
|
||||
// Range over each options function and apply it
|
||||
// to our csrf type to configure it. Options functions are
|
||||
// applied in order, with any conflicting options overriding
|
||||
// earlier calls.
|
||||
for _, option := range opts {
|
||||
option(cs)
|
||||
}
|
||||
|
||||
return cs
|
||||
}
|
|
@ -0,0 +1,82 @@
|
|||
package csrf
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
"github.com/gorilla/securecookie"
|
||||
)
|
||||
|
||||
// store represents the session storage used for CSRF tokens.
|
||||
type store interface {
|
||||
// Get returns the real CSRF token from the store.
|
||||
Get(*http.Request) ([]byte, error)
|
||||
// Save stores the real CSRF token in the store and writes a
|
||||
// cookie to the http.ResponseWriter.
|
||||
// For non-cookie stores, the cookie should contain a unique (256 bit) ID
|
||||
// or key that references the token in the backend store.
|
||||
// csrf.GenerateRandomBytes is a helper function for generating secure IDs.
|
||||
Save(token []byte, w http.ResponseWriter) error
|
||||
}
|
||||
|
||||
// cookieStore is a signed cookie session store for CSRF tokens.
|
||||
type cookieStore struct {
|
||||
name string
|
||||
maxAge int
|
||||
secure bool
|
||||
httpOnly bool
|
||||
path string
|
||||
domain string
|
||||
sc *securecookie.SecureCookie
|
||||
}
|
||||
|
||||
// Get retrieves a CSRF token from the session cookie. It returns an empty token
|
||||
// if decoding fails (e.g. HMAC validation fails or the named cookie doesn't exist).
|
||||
func (cs *cookieStore) Get(r *http.Request) ([]byte, error) {
|
||||
// Retrieve the cookie from the request
|
||||
cookie, err := r.Cookie(cs.name)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
token := make([]byte, tokenLength)
|
||||
// Decode the HMAC authenticated cookie.
|
||||
err = cs.sc.Decode(cs.name, cookie.Value, &token)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return token, nil
|
||||
}
|
||||
|
||||
// Save stores the CSRF token in the session cookie.
|
||||
func (cs *cookieStore) Save(token []byte, w http.ResponseWriter) error {
|
||||
// Generate an encoded cookie value with the CSRF token.
|
||||
encoded, err := cs.sc.Encode(cs.name, token)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
cookie := &http.Cookie{
|
||||
Name: cs.name,
|
||||
Value: encoded,
|
||||
MaxAge: cs.maxAge,
|
||||
HttpOnly: cs.httpOnly,
|
||||
Secure: cs.secure,
|
||||
Path: cs.path,
|
||||
Domain: cs.domain,
|
||||
}
|
||||
|
||||
// Set the Expires field on the cookie based on the MaxAge
|
||||
// If MaxAge <= 0, we don't set the Expires attribute, making the cookie
|
||||
// session-only.
|
||||
if cs.maxAge > 0 {
|
||||
cookie.Expires = time.Now().Add(
|
||||
time.Duration(cs.maxAge) * time.Second)
|
||||
}
|
||||
|
||||
// Write the authenticated cookie to the response.
|
||||
http.SetCookie(w, cookie)
|
||||
|
||||
return nil
|
||||
}
|
Référencer dans un nouveau ticket