third_party
/
gitea
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Refactor CSRF protection modules, make sure CSRF tokens can be up-to-date. (#19337)

Browse Source 
Do a refactoring to the CSRF related code, remove most unnecessary functions.
Parse the generated token's issue time, regenerate the token every a few minutes.
tokarchuk/v1.17
wxiaoguang 3 years ago committed by GitHub
parent 3c3d49899f
commit 84ceaa98bd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 166 additions and 192 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 52
      integrations/csrf_test.go
  2. 1
      integrations/repo_topic_test.go
  3. 2
      modules/context/auth.go
  4. 10
      modules/context/context.go
  5. 182
      modules/context/csrf.go
  6. 68
      modules/context/xsrf.go
  7. 20
      modules/context/xsrf_test.go
  8. 13
      modules/web/middleware/cookie.go
  9. 2
      routers/web/auth/auth.go
  10. 2
      routers/web/auth/oauth.go

52
integrations/csrf_test.go
Unescape View File

@ -0,0 +1,52 @@
// Copyright 2017 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package integrations
import (
"net/http"
"strings"
"testing"
"code.gitea.io/gitea/models/unittest"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/setting"
"github.com/stretchr/testify/assert"
)
func TestCsrfProtection(t *testing.T) {
defer prepareTestEnv(t)()
// test web form csrf via form
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}).(*user_model.User)
session := loginUser(t, user.Name)
req := NewRequestWithValues(t, "POST", "/user/settings", map[string]string{
"_csrf": "fake_csrf",
})
session.MakeRequest(t, req, http.StatusSeeOther)
resp := session.MakeRequest(t, req, http.StatusSeeOther)
loc := resp.Header().Get("Location")
assert.Equal(t, setting.AppSubURL+"/", loc)
resp = session.MakeRequest(t, NewRequest(t, "GET", loc), http.StatusOK)
htmlDoc := NewHTMLParser(t, resp.Body)
assert.Equal(t, "Bad Request: invalid CSRF token",
strings.TrimSpace(htmlDoc.doc.Find(".ui.message").Text()),
)
// test web form csrf via header. TODO: should use an UI api to test
req = NewRequest(t, "POST", "/user/settings")
req.Header.Add("X-Csrf-Token", "fake_csrf")
session.MakeRequest(t, req, http.StatusSeeOther)
resp = session.MakeRequest(t, req, http.StatusSeeOther)
loc = resp.Header().Get("Location")
assert.Equal(t, setting.AppSubURL+"/", loc)
resp = session.MakeRequest(t, NewRequest(t, "GET", loc), http.StatusOK)
htmlDoc = NewHTMLParser(t, resp.Body)
assert.Equal(t, "Bad Request: invalid CSRF token",
strings.TrimSpace(htmlDoc.doc.Find(".ui.message").Text()),
)
}

1
integrations/repo_topic_test.go
Unescape View File

@ -10,6 +10,7 @@ import (
"testing" "testing"
api "code.gitea.io/gitea/modules/structs" api "code.gitea.io/gitea/modules/structs"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
) )

2
modules/context/auth.go
Unescape View File

@ -63,7 +63,7 @@ func Toggle(options *ToggleOptions) func(ctx *Context) {
} }
if !options.SignOutRequired && !options.DisableCSRF && ctx.Req.Method == "POST" { if !options.SignOutRequired && !options.DisableCSRF && ctx.Req.Method == "POST" {
Validate(ctx, ctx.csrf) ctx.csrf.Validate(ctx)
if ctx.Written() { if ctx.Written() {
return return
} }

10
modules/context/context.go
Unescape View File

@ -59,7 +59,7 @@ type Context struct {
Render Render Render Render
translation.Locale translation.Locale
Cache cache.Cache Cache cache.Cache
csrf CSRF csrf CSRFProtector
Flash *middleware.Flash Flash *middleware.Flash
Session session.Store Session session.Store
@ -666,7 +666,9 @@ func Auth(authMethod auth.Method) func(*Context) {
func Contexter() func(next http.Handler) http.Handler { func Contexter() func(next http.Handler) http.Handler {
rnd := templates.HTMLRenderer() rnd := templates.HTMLRenderer()
csrfOpts := getCsrfOpts() csrfOpts := getCsrfOpts()
if !setting.IsProd {
CsrfTokenRegenerationInterval = 5 * time.Second // in dev, re-generate the tokens more aggressively for debug purpose
}
return func(next http.Handler) http.Handler { return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) { return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
locale := middleware.Locale(resp, req) locale := middleware.Locale(resp, req)
@ -697,7 +699,7 @@ func Contexter() func(next http.Handler) http.Handler {
ctx.Data["Context"] = &ctx ctx.Data["Context"] = &ctx
ctx.Req = WithContext(req, &ctx) ctx.Req = WithContext(req, &ctx)
ctx.csrf = Csrfer(csrfOpts, &ctx) ctx.csrf = PrepareCSRFProtector(csrfOpts, &ctx)
// Get flash. // Get flash.
flashCookie := ctx.GetCookie("macaron_flash") flashCookie := ctx.GetCookie("macaron_flash")
@ -755,7 +757,7 @@ func Contexter() func(next http.Handler) http.Handler {
ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions) ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken()) ctx.Data["CsrfToken"] = ctx.csrf.GetToken()
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.Data["CsrfToken"].(string) + `">`) ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.Data["CsrfToken"].(string) + `">`)
// FIXME: do we really always need these setting? There should be someway to have to avoid having to always set these // FIXME: do we really always need these setting? There should be someway to have to avoid having to always set these

182
modules/context/csrf.go
Unescape View File

@ -31,29 +31,19 @@ import (
"code.gitea.io/gitea/modules/web/middleware" "code.gitea.io/gitea/modules/web/middleware"
) )
// CSRF represents a CSRF service and is used to get the current token and validate a suspect token. // CSRFProtector represents a CSRF protector and is used to get the current token and validate the token.
type CSRF interface { type CSRFProtector interface {
// Return HTTP header to search for token. // GetHeaderName returns HTTP header to search for token.
GetHeaderName() string GetHeaderName() string
// Return form value to search for token. // GetFormName returns form value to search for token.
GetFormName() string GetFormName() string
// Return cookie name to search for token. // GetToken returns the token.
GetCookieName() string
// Return cookie path
GetCookiePath() string
// Return the flag value used for the csrf token.
GetCookieHTTPOnly() bool
// Return cookie domain
GetCookieDomain() string
// Return the token.
GetToken() string GetToken() string
// Validate by token. // Validate validates the token in http context.
ValidToken(t string) bool Validate(ctx *Context)
// Error replies to the request with a custom function when ValidToken fails.
Error(w http.ResponseWriter)
} }
type csrf struct { type csrfProtector struct {
// Header name value for setting and getting csrf token. // Header name value for setting and getting csrf token.
Header string Header string
// Form name value for setting and getting csrf token. // Form name value for setting and getting csrf token.
@ -72,56 +62,24 @@ type csrf struct {
ID string ID string
// Secret used along with the unique id above to generate the Token. // Secret used along with the unique id above to generate the Token.
Secret string Secret string
// ErrorFunc is the custom function that replies to the request when ValidToken fails.
ErrorFunc func(w http.ResponseWriter)
} }
// GetHeaderName returns the name of the HTTP header for csrf token. // GetHeaderName returns the name of the HTTP header for csrf token.
func (c *csrf) GetHeaderName() string { func (c *csrfProtector) GetHeaderName() string {
return c.Header return c.Header
} }
// GetFormName returns the name of the form value for csrf token. // GetFormName returns the name of the form value for csrf token.
func (c *csrf) GetFormName() string { func (c *csrfProtector) GetFormName() string {
return c.Form return c.Form
} }
// GetCookieName returns the name of the cookie for csrf token.
func (c *csrf) GetCookieName() string {
return c.Cookie
}
// GetCookiePath returns the path of the cookie for csrf token.
func (c *csrf) GetCookiePath() string {
return c.CookiePath
}
// GetCookieHTTPOnly returns the flag value used for the csrf token.
func (c *csrf) GetCookieHTTPOnly() bool {
return c.CookieHTTPOnly
}
// GetCookieDomain returns the flag value used for the csrf token.
func (c *csrf) GetCookieDomain() string {
return c.CookieDomain
}
// GetToken returns the current token. This is typically used // GetToken returns the current token. This is typically used
// to populate a hidden form in an HTML template. // to populate a hidden form in an HTML template.
func (c *csrf) GetToken() string { func (c *csrfProtector) GetToken() string {
return c.Token return c.Token
} }
// ValidToken validates the passed token against the existing Secret and ID.
func (c *csrf) ValidToken(t string) bool {
return ValidToken(t, c.Secret, c.ID, "POST")
}
// Error replies to the request when ValidToken fails.
func (c *csrf) Error(w http.ResponseWriter) {
c.ErrorFunc(w)
}
// CsrfOptions maintains options to manage behavior of Generate. // CsrfOptions maintains options to manage behavior of Generate.
type CsrfOptions struct { type CsrfOptions struct {
// The global secret value used to generate Tokens. // The global secret value used to generate Tokens.
@ -143,7 +101,7 @@ type CsrfOptions struct {
SessionKey string SessionKey string
// oldSessionKey saves old value corresponding to SessionKey. // oldSessionKey saves old value corresponding to SessionKey.
oldSessionKey string oldSessionKey string
// If true, send token via X-CSRFToken header. // If true, send token via X-Csrf-Token header.
SetHeader bool SetHeader bool
// If true, send token via _csrf cookie. // If true, send token via _csrf cookie.
SetCookie bool SetCookie bool
@ -151,20 +109,12 @@ type CsrfOptions struct {
Secure bool Secure bool
// Disallow Origin appear in request header. // Disallow Origin appear in request header.
Origin bool Origin bool
// The function called when Validate fails.
ErrorFunc func(w http.ResponseWriter)
// Cookie lifetime. Default is 0 // Cookie lifetime. Default is 0
CookieLifeTime int CookieLifeTime int
} }
func prepareOptions(options []CsrfOptions) CsrfOptions { func prepareDefaultCsrfOptions(opt CsrfOptions) CsrfOptions {
var opt CsrfOptions if opt.Secret == "" {
if len(options) > 0 {
opt = options[0]
}
// Defaults.
if len(opt.Secret) == 0 {
randBytes, err := util.CryptoRandomBytes(8) randBytes, err := util.CryptoRandomBytes(8)
if err != nil { if err != nil {
// this panic can be handled by the recover() in http handlers // this panic can be handled by the recover() in http handlers
@ -172,36 +122,30 @@ func prepareOptions(options []CsrfOptions) CsrfOptions {
} }
opt.Secret = base32.StdEncoding.EncodeToString(randBytes) opt.Secret = base32.StdEncoding.EncodeToString(randBytes)
} }
if len(opt.Header) == 0 { if opt.Header == "" {
opt.Header = "X-CSRFToken" opt.Header = "X-Csrf-Token"
} }
if len(opt.Form) == 0 { if opt.Form == "" {
opt.Form = "_csrf" opt.Form = "_csrf"
} }
if len(opt.Cookie) == 0 { if opt.Cookie == "" {
opt.Cookie = "_csrf" opt.Cookie = "_csrf"
} }
if len(opt.CookiePath) == 0 { if opt.CookiePath == "" {
opt.CookiePath = "/" opt.CookiePath = "/"
} }
if len(opt.SessionKey) == 0 { if opt.SessionKey == "" {
opt.SessionKey = "uid" opt.SessionKey = "uid"
} }
opt.oldSessionKey = "_old_" + opt.SessionKey opt.oldSessionKey = "_old_" + opt.SessionKey
if opt.ErrorFunc == nil {
opt.ErrorFunc = func(w http.ResponseWriter) {
http.Error(w, "Invalid csrf token.", http.StatusBadRequest)
}
}
return opt return opt
} }
// Csrfer maps CSRF to each request. If this request is a Get request, it will generate a new token. // PrepareCSRFProtector returns a CSRFProtector to be used for every request.
// Additionally, depending on options set, generated tokens will be sent via Header and/or Cookie. // Additionally, depending on options set, generated tokens will be sent via Header and/or Cookie.
func Csrfer(opt CsrfOptions, ctx *Context) CSRF { func PrepareCSRFProtector(opt CsrfOptions, ctx *Context) CSRFProtector {
opt = prepareOptions([]CsrfOptions{opt}) opt = prepareDefaultCsrfOptions(opt)
x := &csrf{ x := &csrfProtector{
Secret: opt.Secret, Secret: opt.Secret,
Header: opt.Header, Header: opt.Header,
Form: opt.Form, Form: opt.Form,
@ -209,7 +153,6 @@ func Csrfer(opt CsrfOptions, ctx *Context) CSRF {
CookieDomain: opt.CookieDomain, CookieDomain: opt.CookieDomain,
CookiePath: opt.CookiePath, CookiePath: opt.CookiePath,
CookieHTTPOnly: opt.CookieHTTPOnly, CookieHTTPOnly: opt.CookieHTTPOnly,
ErrorFunc: opt.ErrorFunc,
} }
if opt.Origin && len(ctx.Req.Header.Get("Origin")) > 0 { if opt.Origin && len(ctx.Req.Header.Get("Origin")) > 0 {
@ -229,28 +172,31 @@ func Csrfer(opt CsrfOptions, ctx *Context) CSRF {
} }
} }
needsNew := false
oldUID := ctx.Session.Get(opt.oldSessionKey) oldUID := ctx.Session.Get(opt.oldSessionKey)
if oldUID == nil || oldUID.(string) != x.ID { uidChanged := oldUID == nil || oldUID.(string) != x.ID
needsNew = true cookieToken := ctx.GetCookie(opt.Cookie)
needsNew := true
if uidChanged {
_ = ctx.Session.Set(opt.oldSessionKey, x.ID) _ = ctx.Session.Set(opt.oldSessionKey, x.ID)
} else { } else if cookieToken != "" {
// If cookie present, map existing token, else generate a new one. // If cookie token presents, re-use existing unexpired token, else generate a new one.
if val := ctx.GetCookie(opt.Cookie); len(val) > 0 { if issueTime, ok := ParseCsrfToken(cookieToken); ok {
// FIXME: test coverage. dur := time.Since(issueTime) // issueTime is not a monotonic-clock, the server time may change a lot to an early time.
x.Token = val if dur >= -CsrfTokenRegenerationInterval && dur <= CsrfTokenRegenerationInterval {
} else { x.Token = cookieToken
needsNew = true needsNew = false
}
} }
} }
if needsNew { if needsNew {
// FIXME: actionId. // FIXME: actionId.
x.Token = GenerateToken(x.Secret, x.ID, "POST") x.Token = GenerateCsrfToken(x.Secret, x.ID, "POST", time.Now())
if opt.SetCookie { if opt.SetCookie {
var expires interface{} var expires interface{}
if opt.CookieLifeTime == 0 { if opt.CookieLifeTime == 0 {
expires = time.Now().AddDate(0, 0, 1) expires = time.Now().Add(CsrfTokenTimeout)
} }
middleware.SetCookie(ctx.Resp, opt.Cookie, x.Token, middleware.SetCookie(ctx.Resp, opt.Cookie, x.Token,
opt.CookieLifeTime, opt.CookieLifeTime,
@ -270,47 +216,31 @@ func Csrfer(opt CsrfOptions, ctx *Context) CSRF {
return x return x
} }
// Validate should be used as a per route middleware. It attempts to get a token from a "X-CSRFToken" func (c *csrfProtector) validateToken(ctx *Context, token string) {
// HTTP header and then a "_csrf" form value. If one of these is found, the token will be validated if !ValidCsrfToken(token, c.Secret, c.ID, "POST", time.Now()) {
// using ValidToken. If this validation fails, custom Error is sent in the reply. middleware.DeleteCSRFCookie(ctx.Resp)
// If neither a header or form value is found, http.StatusBadRequest is sent.
func Validate(ctx *Context, x CSRF) {
if token := ctx.Req.Header.Get(x.GetHeaderName()); len(token) > 0 {
if !x.ValidToken(token) {
// Delete the cookie
middleware.SetCookie(ctx.Resp, x.GetCookieName(), "",
-1,
x.GetCookiePath(),
x.GetCookieDomain()) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
if middleware.IsAPIPath(ctx.Req) { if middleware.IsAPIPath(ctx.Req) {
x.Error(ctx.Resp) // currently, there should be no access to the APIPath with CSRF token. because templates shouldn't use the `/api/` endpoints.
return http.Error(ctx.Resp, "Invalid CSRF token.", http.StatusBadRequest)
} } else {
ctx.Flash.Error(ctx.Tr("error.invalid_csrf")) ctx.Flash.Error(ctx.Tr("error.invalid_csrf"))
ctx.Redirect(setting.AppSubURL + "/") ctx.Redirect(setting.AppSubURL + "/")
} }
return
}
if token := ctx.Req.FormValue(x.GetFormName()); len(token) > 0 {
if !x.ValidToken(token) {
// Delete the cookie
middleware.SetCookie(ctx.Resp, x.GetCookieName(), "",
-1,
x.GetCookiePath(),
x.GetCookieDomain()) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
if middleware.IsAPIPath(ctx.Req) {
x.Error(ctx.Resp)
return
} }
ctx.Flash.Error(ctx.Tr("error.invalid_csrf"))
ctx.Redirect(setting.AppSubURL + "/")
} }
// Validate should be used as a per route middleware. It attempts to get a token from an "X-Csrf-Token"
// HTTP header and then a "_csrf" form value. If one of these is found, the token will be validated.
// If this validation fails, custom Error is sent in the reply.
// If neither a header nor form value is found, http.StatusBadRequest is sent.
func (c *csrfProtector) Validate(ctx *Context) {
if token := ctx.Req.Header.Get(c.GetHeaderName()); token != "" {
c.validateToken(ctx, token)
return return
} }
if middleware.IsAPIPath(ctx.Req) { if token := ctx.Req.FormValue(c.GetFormName()); token != "" {
http.Error(ctx.Resp, "Bad Request: no CSRF token present", http.StatusBadRequest) c.validateToken(ctx, token)
return return
} }
ctx.Flash.Error(ctx.Tr("error.missing_csrf")) c.validateToken(ctx, "") // no csrf token, use an empty token to respond error
ctx.Redirect(setting.AppSubURL + "/")
} }

68
modules/context/xsrf.go
Unescape View File

@ -28,69 +28,69 @@ import (
"time" "time"
) )
// Timeout represents the duration that XSRF tokens are valid. // CsrfTokenTimeout represents the duration that XSRF tokens are valid.
// It is exported so clients may set cookie timeouts that match generated tokens. // It is exported so clients may set cookie timeouts that match generated tokens.
const Timeout = 24 * time.Hour const CsrfTokenTimeout = 24 * time.Hour
// clean sanitizes a string for inclusion in a token by replacing all ":"s. // CsrfTokenRegenerationInterval is the interval between token generations, old tokens are still valid before CsrfTokenTimeout
func clean(s string) string { var CsrfTokenRegenerationInterval = 10 * time.Minute
return strings.ReplaceAll(s, ":", "_")
}
// GenerateToken returns a URL-safe secure XSRF token that expires in 24 hours. var csrfTokenSep = []byte(":")
//
// GenerateCsrfToken returns a URL-safe secure XSRF token that expires in CsrfTokenTimeout hours.
// key is a secret key for your application. // key is a secret key for your application.
// userID is a unique identifier for the user. // userID is a unique identifier for the user.
// actionID is the action the user is taking (e.g. POSTing to a particular path). // actionID is the action the user is taking (e.g. POSTing to a particular path).
func GenerateToken(key, userID, actionID string) string { func GenerateCsrfToken(key, userID, actionID string, now time.Time) string {
return generateTokenAtTime(key, userID, actionID, time.Now()) nowUnixNano := now.UnixNano()
} nowUnixNanoStr := strconv.FormatInt(nowUnixNano, 10)
// generateTokenAtTime is like Generate, but returns a token that expires 24 hours from now.
func generateTokenAtTime(key, userID, actionID string, now time.Time) string {
h := hmac.New(sha1.New, []byte(key)) h := hmac.New(sha1.New, []byte(key))
fmt.Fprintf(h, "%s:%s:%d", clean(userID), clean(actionID), now.UnixNano()) h.Write([]byte(strings.ReplaceAll(userID, ":", "_")))
tok := fmt.Sprintf("%s:%d", h.Sum(nil), now.UnixNano()) h.Write(csrfTokenSep)
h.Write([]byte(strings.ReplaceAll(actionID, ":", "_")))
h.Write(csrfTokenSep)
h.Write([]byte(nowUnixNanoStr))
tok := fmt.Sprintf("%s:%s", h.Sum(nil), nowUnixNanoStr)
return base64.RawURLEncoding.EncodeToString([]byte(tok)) return base64.RawURLEncoding.EncodeToString([]byte(tok))
} }
// ValidToken returns true if token is a valid, unexpired token returned by Generate. func ParseCsrfToken(token string) (issueTime time.Time, ok bool) {
func ValidToken(token, key, userID, actionID string) bool {
return validTokenAtTime(token, key, userID, actionID, time.Now())
}
// validTokenAtTime is like Valid, but it uses now to check if the token is expired.
func validTokenAtTime(token, key, userID, actionID string, now time.Time) bool {
// Decode the token.
data, err := base64.RawURLEncoding.DecodeString(token) data, err := base64.RawURLEncoding.DecodeString(token)
if err != nil { if err != nil {
return false return time.Time{}, false
} }
// Extract the issue time of the token. pos := bytes.LastIndex(data, csrfTokenSep)
sep := bytes.LastIndex(data, []byte{':'}) if pos == -1 {
if sep < 0 { return time.Time{}, false
return false
} }
nanos, err := strconv.ParseInt(string(data[sep+1:]), 10, 64) nanos, err := strconv.ParseInt(string(data[pos+1:]), 10, 64)
if err != nil { if err != nil {
return time.Time{}, false
}
return time.Unix(0, nanos), true
}
// ValidCsrfToken returns true if token is a valid and unexpired token returned by Generate.
func ValidCsrfToken(token, key, userID, actionID string, now time.Time) bool {
issueTime, ok := ParseCsrfToken(token)
if !ok {
return false return false
} }
issueTime := time.Unix(0, nanos)
// Check that the token is not expired. // Check that the token is not expired.
if now.Sub(issueTime) >= Timeout { if now.Sub(issueTime) >= CsrfTokenTimeout {
return false return false
} }
// Check that the token is not from the future. // Check that the token is not from the future.
// Allow 1 minute grace period in case the token is being verified on a // Allow 1-minute grace period in case the token is being verified on a
// machine whose clock is behind the machine that issued the token. // machine whose clock is behind the machine that issued the token.
if issueTime.After(now.Add(1 * time.Minute)) { if issueTime.After(now.Add(1 * time.Minute)) {
return false return false
} }
expected := generateTokenAtTime(key, userID, actionID, issueTime) expected := GenerateCsrfToken(key, userID, actionID, issueTime)
// Check that the token matches the expected value. // Check that the token matches the expected value.
// Use constant time comparison to avoid timing attacks. // Use constant time comparison to avoid timing attacks.

20
modules/context/xsrf_test.go
Unescape View File

@ -37,18 +37,18 @@ var (
func Test_ValidToken(t *testing.T) { func Test_ValidToken(t *testing.T) {
t.Run("Validate token", func(t *testing.T) { t.Run("Validate token", func(t *testing.T) {
tok := generateTokenAtTime(key, userID, actionID, now) tok := GenerateCsrfToken(key, userID, actionID, now)
assert.True(t, validTokenAtTime(tok, key, userID, actionID, oneMinuteFromNow)) assert.True(t, ValidCsrfToken(tok, key, userID, actionID, oneMinuteFromNow))
assert.True(t, validTokenAtTime(tok, key, userID, actionID, now.Add(Timeout-1*time.Nanosecond))) assert.True(t, ValidCsrfToken(tok, key, userID, actionID, now.Add(CsrfTokenTimeout-1*time.Nanosecond)))
assert.True(t, validTokenAtTime(tok, key, userID, actionID, now.Add(-1*time.Minute))) assert.True(t, ValidCsrfToken(tok, key, userID, actionID, now.Add(-1*time.Minute)))
}) })
} }
// Test_SeparatorReplacement tests that separators are being correctly substituted // Test_SeparatorReplacement tests that separators are being correctly substituted
func Test_SeparatorReplacement(t *testing.T) { func Test_SeparatorReplacement(t *testing.T) {
t.Run("Test two separator replacements", func(t *testing.T) { t.Run("Test two separator replacements", func(t *testing.T) {
assert.NotEqual(t, generateTokenAtTime("foo:bar", "baz", "wah", now), assert.NotEqual(t, GenerateCsrfToken("foo:bar", "baz", "wah", now),
generateTokenAtTime("foo", "bar:baz", "wah", now)) GenerateCsrfToken("foo", "bar:baz", "wah", now))
}) })
} }
@ -61,13 +61,13 @@ func Test_InvalidToken(t *testing.T) {
{"Bad key", "foobar", userID, actionID, oneMinuteFromNow}, {"Bad key", "foobar", userID, actionID, oneMinuteFromNow},
{"Bad userID", key, "foobar", actionID, oneMinuteFromNow}, {"Bad userID", key, "foobar", actionID, oneMinuteFromNow},
{"Bad actionID", key, userID, "foobar", oneMinuteFromNow}, {"Bad actionID", key, userID, "foobar", oneMinuteFromNow},
{"Expired", key, userID, actionID, now.Add(Timeout)}, {"Expired", key, userID, actionID, now.Add(CsrfTokenTimeout)},
{"More than 1 minute from the future", key, userID, actionID, now.Add(-1*time.Nanosecond - 1*time.Minute)}, {"More than 1 minute from the future", key, userID, actionID, now.Add(-1*time.Nanosecond - 1*time.Minute)},
} }
tok := generateTokenAtTime(key, userID, actionID, now) tok := GenerateCsrfToken(key, userID, actionID, now)
for _, itt := range invalidTokenTests { for _, itt := range invalidTokenTests {
assert.False(t, validTokenAtTime(tok, itt.key, itt.userID, itt.actionID, itt.t)) assert.False(t, ValidCsrfToken(tok, itt.key, itt.userID, itt.actionID, itt.t))
} }
}) })
} }
@ -84,7 +84,7 @@ func Test_ValidateBadData(t *testing.T) {
} }
for _, bdt := range badDataTests { for _, bdt := range badDataTests {
assert.False(t, validTokenAtTime(bdt.tok, key, userID, actionID, oneMinuteFromNow)) assert.False(t, ValidCsrfToken(bdt.tok, key, userID, actionID, oneMinuteFromNow))
} }
}) })
} }

13
modules/web/middleware/cookie.go
Unescape View File

@ -98,17 +98,6 @@ func DeleteRedirectToCookie(resp http.ResponseWriter) {
SameSite(setting.SessionConfig.SameSite)) SameSite(setting.SessionConfig.SameSite))
} }
// DeleteSesionConfigPathCookie convenience function to delete SessionConfigPath cookies consistently
func DeleteSesionConfigPathCookie(resp http.ResponseWriter, name string) {
SetCookie(resp, name, "",
-1,
setting.SessionConfig.CookiePath,
setting.SessionConfig.Domain,
setting.SessionConfig.Secure,
true,
SameSite(setting.SessionConfig.SameSite))
}
// DeleteCSRFCookie convenience function to delete SessionConfigPath cookies consistently // DeleteCSRFCookie convenience function to delete SessionConfigPath cookies consistently
func DeleteCSRFCookie(resp http.ResponseWriter) { func DeleteCSRFCookie(resp http.ResponseWriter) {
SetCookie(resp, setting.CSRFCookieName, "", SetCookie(resp, setting.CSRFCookieName, "",
@ -117,7 +106,7 @@ func DeleteCSRFCookie(resp http.ResponseWriter) {
setting.SessionConfig.Domain) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too? setting.SessionConfig.Domain) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
} }
// SetCookie set the cookies // SetCookie set the cookies. (name, value, lifetime, path, domain, secure, httponly, expires, {sameSite, ...})
// TODO: Copied from gitea.com/macaron/macaron and should be improved after macaron removed. // TODO: Copied from gitea.com/macaron/macaron and should be improved after macaron removed.
func SetCookie(resp http.ResponseWriter, name, value string, others ...interface{}) { func SetCookie(resp http.ResponseWriter, name, value string, others ...interface{}) {
cookie := http.Cookie{} cookie := http.Cookie{}

2
routers/web/auth/auth.go
Unescape View File

@ -345,7 +345,7 @@ func handleSignInFull(ctx *context.Context, u *user_model.User, remember, obeyRe
ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req) ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
} }
// Clear whatever CSRF has right now, force to generate a new one // Clear whatever CSRF cookie has right now, force to generate a new one
middleware.DeleteCSRFCookie(ctx.Resp) middleware.DeleteCSRFCookie(ctx.Resp)
// Register last login // Register last login

2
routers/web/auth/oauth.go
Unescape View File

@ -1007,7 +1007,7 @@ func handleOAuth2SignIn(ctx *context.Context, source *auth.Source, u *user_model
log.Error("Error storing session: %v", err) log.Error("Error storing session: %v", err)
} }
// Clear whatever CSRF has right now, force to generate a new one // Clear whatever CSRF cookie has right now, force to generate a new one
middleware.DeleteCSRFCookie(ctx.Resp) middleware.DeleteCSRFCookie(ctx.Resp)
// Register last login // Register last login

Write Preview
Loading…
Cancel
Save