Browse Source

add csrf check

pull/33/head
slene 11 years ago
parent
commit
076fc98d98
  1. 8
      modules/base/tool.go
  2. 44
      modules/middleware/auth.go
  3. 107
      modules/middleware/context.go
  4. 5
      modules/middleware/render.go
  5. 33
      public/js/app.js
  6. 1
      templates/admin/users/edit.tmpl
  7. 1
      templates/admin/users/new.tmpl
  8. 1
      templates/base/head.tmpl
  9. 1
      templates/repo/create.tmpl
  10. 1
      templates/repo/setting.tmpl
  11. 3
      templates/user/active.tmpl
  12. 1
      templates/user/delete.tmpl
  13. 4
      templates/user/password.tmpl
  14. 1
      templates/user/publickey.tmpl
  15. 1
      templates/user/setting.tmpl
  16. 1
      templates/user/signin.tmpl
  17. 1
      templates/user/signup.tmpl
  18. 24
      web.go

8
modules/base/tool.go

@ -25,13 +25,17 @@ func EncodeMd5(str string) string {
return hex.EncodeToString(m.Sum(nil))
}
// Random generate string
func GetRandomString(n int) string {
// GetRandomString generate random string by specify chars.
func GetRandomString(n int, alphabets ...byte) string {
const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
var bytes = make([]byte, n)
rand.Read(bytes)
for i, b := range bytes {
if len(alphabets) == 0 {
bytes[i] = alphanum[b%byte(len(alphanum))]
} else {
bytes[i] = alphabets[b%byte(len(alphabets))]
}
}
return string(bytes)
}

44
modules/middleware/auth.go

@ -10,13 +10,32 @@ import (
"github.com/gogits/gogs/modules/base"
)
// SignInRequire requires user to sign in.
func SignInRequire(redirect bool) martini.Handler {
type ToggleOptions struct {
SignInRequire bool
SignOutRequire bool
AdminRequire bool
DisableCsrf bool
}
func Toggle(options *ToggleOptions) martini.Handler {
return func(ctx *Context) {
if options.SignOutRequire && ctx.IsSigned {
ctx.Redirect("/")
return
}
if !options.DisableCsrf {
if ctx.Req.Method == "POST" {
if !ctx.CsrfTokenValid() {
ctx.Error(403, "CSRF token does not match")
return
}
}
}
if options.SignInRequire {
if !ctx.IsSigned {
if redirect {
ctx.Redirect("/user/login")
}
return
} else if !ctx.User.IsActive && base.Service.RegisterEmailConfirm {
ctx.Data["Title"] = "Activate Your Account"
@ -24,25 +43,12 @@ func SignInRequire(redirect bool) martini.Handler {
return
}
}
}
// SignOutRequire requires user to sign out.
func SignOutRequire() martini.Handler {
return func(ctx *Context) {
if ctx.IsSigned {
ctx.Redirect("/")
return
}
}
}
// AdminRequire requires user signed in as administor.
func AdminRequire() martini.Handler {
return func(ctx *Context) {
if options.AdminRequire {
if !ctx.User.IsAdmin {
ctx.Error(403)
return
}
ctx.Data["PageIsAdmin"] = true
}
}
}

107
modules/middleware/context.go

@ -6,6 +6,7 @@ package middleware
import (
"fmt"
"html/template"
"net/http"
"time"
@ -32,6 +33,8 @@ type Context struct {
User *models.User
IsSigned bool
csrfToken string
Repo struct {
IsValid bool
IsOwner bool
@ -90,6 +93,95 @@ func (ctx *Context) Handle(status int, title string, err error) {
ctx.HTML(status, fmt.Sprintf("status/%d", status))
}
func (ctx *Context) GetCookie(name string) string {
cookie, err := ctx.Req.Cookie(name)
if err != nil {
return ""
}
return cookie.Value
}
func (ctx *Context) SetCookie(name string, value string, others ...interface{}) {
cookie := http.Cookie{}
cookie.Name = name
cookie.Value = value
if len(others) > 0 {
switch v := others[0].(type) {
case int:
cookie.MaxAge = v
case int64:
cookie.MaxAge = int(v)
case int32:
cookie.MaxAge = int(v)
}
}
// default "/"
if len(others) > 1 {
if v, ok := others[1].(string); ok && len(v) > 0 {
cookie.Path = v
}
} else {
cookie.Path = "/"
}
// default empty
if len(others) > 2 {
if v, ok := others[2].(string); ok && len(v) > 0 {
cookie.Domain = v
}
}
// default empty
if len(others) > 3 {
switch v := others[3].(type) {
case bool:
cookie.Secure = v
default:
if others[3] != nil {
cookie.Secure = true
}
}
}
// default false. for session cookie default true
if len(others) > 4 {
if v, ok := others[4].(bool); ok && v {
cookie.HttpOnly = true
}
}
ctx.Res.Header().Add("Set-Cookie", cookie.String())
}
func (ctx *Context) CsrfToken() string {
if len(ctx.csrfToken) > 0 {
return ctx.csrfToken
}
token := ctx.GetCookie("_csrf")
if len(token) == 0 {
token = base.GetRandomString(30)
ctx.SetCookie("_csrf", token)
}
ctx.csrfToken = token
return token
}
func (ctx *Context) CsrfTokenValid() bool {
token := ctx.Query("_csrf")
if token == "" {
token = ctx.Req.Header.Get("X-Csrf-Token")
}
if token == "" {
return false
} else if ctx.csrfToken != token {
return false
}
return true
}
// InitContext initializes a classic context for a request.
func InitContext() martini.Handler {
return func(res http.ResponseWriter, r *http.Request, c martini.Context, rd *Render) {
@ -103,11 +195,14 @@ func InitContext() martini.Handler {
Render: rd,
}
ctx.Data["PageStartTime"] = time.Now()
// start session
ctx.Session = base.SessionManager.SessionStart(res, r)
defer func() {
rw := res.(martini.ResponseWriter)
rw.Before(func(martini.ResponseWriter) {
ctx.Session.SessionRelease(res)
}()
})
// Get user from session if logined.
user := auth.SignedInUser(ctx.Session)
@ -121,9 +216,15 @@ func InitContext() martini.Handler {
ctx.Data["SignedUserId"] = user.Id
ctx.Data["SignedUserName"] = user.LowerName
ctx.Data["IsAdmin"] = ctx.User.IsAdmin
if ctx.User.IsAdmin {
ctx.Data["PageIsAdmin"] = true
}
}
ctx.Data["PageStartTime"] = time.Now()
// get or create csrf token
ctx.Data["CsrfToken"] = ctx.CsrfToken()
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.csrfToken + `">`)
c.Map(ctx)

5
modules/middleware/render.go

@ -242,8 +242,11 @@ func (r *Render) HTMLString(name string, binding interface{}, htmlOpt ...HTMLOpt
}
}
func (r *Render) Error(status int) {
func (r *Render) Error(status int, message ...string) {
r.WriteHeader(status)
if len(message) > 0 {
r.Write([]byte(message[0]))
}
}
func (r *Render) Redirect(location string, status ...int) {

33
public/js/app.js

@ -2,6 +2,39 @@ var Gogits = {
"PageIsSignup": false
};
(function($){
// extend jQuery ajax, set csrf token value
var ajax = $.ajax;
$.extend({
ajax: function(url, options) {
if (typeof url === 'object') {
options = url;
url = undefined;
}
options = options || {};
url = options.url;
var csrftoken = $('meta[name=_csrf]').attr('content');
var headers = options.headers || {};
var domain = document.domain.replace(/\./ig, '\\.');
if (!/^(http:|https:).*/.test(url) || eval('/^(http:|https:)\\/\\/(.+\\.)*' + domain + '.*/').test(url)) {
headers = $.extend(headers, {'X-Csrf-Token':csrftoken});
}
options.headers = headers;
var callback = options.success;
options.success = function(data){
if(data.once){
// change all _once value if ajax data.once exist
$('[name=_once]').val(data.once);
}
if(callback){
callback.apply(this, arguments);
}
};
return ajax(url, options);
}
});
}(jQuery));
(function ($) {
Gogits.showTab = function (selector, index) {

1
templates/admin/users/edit.tmpl

@ -12,6 +12,7 @@
<br/>
<form action="/admin/users/{{.User.Id}}" method="post" class="form-horizontal">
{{if .IsSuccess}}<p class="alert alert-success">Account profile has been successfully updated.</p>{{else if .HasError}}<p class="alert alert-danger form-error">{{.ErrorMsg}}</p>{{end}}
{{.CsrfTokenHtml}}
<input type="hidden" value="{{.User.Id}}" name="userId"/>
<div class="form-group">
<label class="col-md-3 control-label">Username: </label>

1
templates/admin/users/new.tmpl

@ -11,6 +11,7 @@
<div class="panel-body">
<br/>
<form action="/admin/users/new" method="post" class="form-horizontal">
{{.CsrfTokenHtml}}
<div class="alert alert-danger form-error{{if .HasError}}{{else}} hidden{{end}}">{{.ErrorMsg}}</div>
<div class="form-group {{if .Err_UserName}}has-error has-feedback{{end}}">
<label class="col-md-3 control-label">Username: </label>

1
templates/base/head.tmpl

@ -8,6 +8,7 @@
<meta name="author" content="Gogs - Go Git Service" />
<meta name="description" content="Gogs(Go Git Service) is a GitHub-like clone in the Go Programming Language" />
<meta name="keywords" content="go, git">
<meta name="_csrf" content="{{.CsrfToken}}" />
<!-- Stylesheets -->
<link href="/css/bootstrap.min.css" rel="stylesheet" />

1
templates/repo/create.tmpl

@ -2,6 +2,7 @@
{{template "base/navbar" .}}
<div class="container" id="gogs-body">
<form action="/repo/create" method="post" class="form-horizontal gogs-card" id="gogs-repo-create">
{{.CsrfTokenHtml}}
<h3>Create New Repository</h3>
<div class="alert alert-danger form-error{{if .HasError}}{{else}} hidden{{end}}">{{.ErrorMsg}}</div>
<div class="form-group">

1
templates/repo/setting.tmpl

@ -40,6 +40,7 @@
<div class="modal fade" id="delete-repository-modal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
<div class="modal-dialog">
<form action="/{{.Owner.Name}}/{{.Repository.Name}}/settings" method="post" class="modal-content">
{{.CsrfTokenHtml}}
<input type="hidden" name="action" value="delete">
<div class="modal-header">

3
templates/user/active.tmpl

@ -1,7 +1,8 @@
{{template "base/head" .}}
{{template "base/navbar" .}}
<div id="gogs-body" class="container">
<form action="/user/activate" method="get" class="form-horizontal gogs-card" id="gogs-login-card">
<form action="/user/activate" method="post" class="form-horizontal gogs-card" id="gogs-login-card">
{{.CsrfTokenHtml}}
<h3>Activate Your Account</h3>
{{if .IsActivatePage}}
{{if .ServiceNotEnabled}}

1
templates/user/delete.tmpl

@ -22,6 +22,7 @@
<div class="modal fade" id="delete-account-modal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
<div class="modal-dialog">
<form action="/user/delete" method="post" class="modal-content" id="gogs-user-delete">
{{.CsrfTokenHtml}}
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
<h4 class="modal-title" id="myModalLabel">Delete Account</h4>

4
templates/user/password.tmpl

@ -5,7 +5,9 @@
<div id="gogs-user-setting-container" class="col-md-9">
<div id="gogs-setting-pwd">
<h4>Password</h4>
<form class="form-horizontal" id="gogs-password-form" method="post" action="/user/setting/password">{{if .IsSuccess}}
<form class="form-horizontal" id="gogs-password-form" method="post" action="/user/setting/password">
{{.CsrfTokenHtml}}
{{if .IsSuccess}}
<p class="alert alert-success">Password is changed successfully. You can now sign in via new password.</p>{{else if .HasError}}<p class="alert alert-danger form-error">{{.ErrorMsg}}</p>{{end}}
<div class="form-group">
<label class="col-md-3 control-label">Old Password<strong class="text-danger">*</strong></label>

1
templates/user/publickey.tmpl

@ -22,6 +22,7 @@
<div class="modal fade" id="ssh-add-modal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
<div class="modal-dialog">
<form class="modal-content form-horizontal" id="gogs-ssh-form" method="post" action="/user/setting/ssh/">
{{.CsrfTokenHtml}}
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
<h4 class="modal-title" id="myModalLabel">Add SSH Key</h4>

1
templates/user/setting.tmpl

@ -6,6 +6,7 @@
<div id="gogs-setting-pwd">
<h4>Account Profile</h4>
<form class="form-horizontal" id="gogs-password-form" method="post" action="/user/setting">
{{.CsrfTokenHtml}}
{{if .IsSuccess}}<p class="alert alert-success">Your profile has been successfully updated.</p>{{else if .HasError}}<p class="alert alert-danger form-error">{{.ErrorMsg}}</p>{{end}}
<p>Your Email will be public and used for Account related notifications and any web based operations made via the web.</p>
<div class="form-group">

1
templates/user/signin.tmpl

@ -2,6 +2,7 @@
{{template "base/navbar" .}}
<div class="container" id="gogs-body" data-page="user-signin">
<form action="/user/login" method="post" class="form-horizontal gogs-card" id="gogs-login-card">
{{.CsrfTokenHtml}}
<h3>Log in</h3>
<div class="alert alert-danger form-error{{if .HasError}}{{else}} hidden{{end}}">{{.ErrorMsg}}</div>
<div class="form-group {{if .Err_UserName}}has-error has-feedback{{end}}">

1
templates/user/signup.tmpl

@ -2,6 +2,7 @@
{{template "base/navbar" .}}
<div class="container" id="gogs-body" data-page="user-signup">
<form action="/user/sign_up" method="post" class="form-horizontal gogs-card" id="gogs-login-card">
{{.CsrfTokenHtml}}
{{if .DisenableRegisteration}}
Sorry, registeration has been disenabled, you can only get account from administrator.
{{else}}

24
web.go

@ -82,9 +82,10 @@ func runWeb(*cli.Context) {
m.Use(middleware.InitContext())
reqSignIn := middleware.SignInRequire(true)
ignSignIn := middleware.SignInRequire(base.Service.RequireSignInView)
reqSignOut := middleware.SignOutRequire()
reqSignIn := middleware.Toggle(&middleware.ToggleOptions{SignInRequire: true})
ignSignIn := middleware.Toggle(&middleware.ToggleOptions{SignInRequire: base.Service.RequireSignInView})
reqSignOut := middleware.Toggle(&middleware.ToggleOptions{SignOutRequire: true})
// Routers.
m.Get("/", ignSignIn, routers.Home)
m.Get("/issues", reqSignIn, user.Issues)
@ -109,14 +110,15 @@ func runWeb(*cli.Context) {
m.Get("/help", routers.Help)
adminReq := middleware.AdminRequire()
m.Get("/admin", reqSignIn, adminReq, admin.Dashboard)
m.Get("/admin/users", reqSignIn, adminReq, admin.Users)
m.Any("/admin/users/new", reqSignIn, adminReq, binding.BindIgnErr(auth.RegisterForm{}), admin.NewUser)
m.Any("/admin/users/:userid", reqSignIn, adminReq, binding.BindIgnErr(auth.AdminEditUserForm{}), admin.EditUser)
m.Any("/admin/users/:userid/delete", reqSignIn, adminReq, admin.DeleteUser)
m.Get("/admin/repos", reqSignIn, adminReq, admin.Repositories)
m.Get("/admin/config", reqSignIn, adminReq, admin.Config)
adminReq := middleware.Toggle(&middleware.ToggleOptions{SignInRequire: true, AdminRequire: true})
m.Get("/admin", adminReq, admin.Dashboard)
m.Get("/admin/users", adminReq, admin.Users)
m.Any("/admin/users/new", adminReq, binding.BindIgnErr(auth.RegisterForm{}), admin.NewUser)
m.Any("/admin/users/:userid", adminReq, binding.BindIgnErr(auth.AdminEditUserForm{}), admin.EditUser)
m.Any("/admin/users/:userid/delete", adminReq, admin.DeleteUser)
m.Get("/admin/repos", adminReq, admin.Repositories)
m.Get("/admin/config", adminReq, admin.Config)
m.Post("/:username/:reponame/settings", reqSignIn, middleware.RepoAssignment(true), repo.SettingPost)
m.Get("/:username/:reponame/settings", reqSignIn, middleware.RepoAssignment(true), repo.Setting)

Loading…
Cancel
Save