add csrf check

This commit is contained in:
slene 2014-03-23 01:44:02 +08:00
parent 01e781dedb
commit 076fc98d98
18 changed files with 208 additions and 46 deletions

View file

@ -25,13 +25,17 @@ func EncodeMd5(str string) string {
return hex.EncodeToString(m.Sum(nil)) return hex.EncodeToString(m.Sum(nil))
} }
// Random generate string // GetRandomString generate random string by specify chars.
func GetRandomString(n int) string { func GetRandomString(n int, alphabets ...byte) string {
const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
var bytes = make([]byte, n) var bytes = make([]byte, n)
rand.Read(bytes) rand.Read(bytes)
for i, b := range bytes { for i, b := range bytes {
bytes[i] = alphanum[b%byte(len(alphanum))] if len(alphabets) == 0 {
bytes[i] = alphanum[b%byte(len(alphanum))]
} else {
bytes[i] = alphabets[b%byte(len(alphabets))]
}
} }
return string(bytes) return string(bytes)
} }

View file

@ -10,39 +10,45 @@ import (
"github.com/gogits/gogs/modules/base" "github.com/gogits/gogs/modules/base"
) )
// SignInRequire requires user to sign in. type ToggleOptions struct {
func SignInRequire(redirect bool) martini.Handler { SignInRequire bool
return func(ctx *Context) { SignOutRequire bool
if !ctx.IsSigned { AdminRequire bool
if redirect { DisableCsrf bool
ctx.Redirect("/user/login")
}
return
} else if !ctx.User.IsActive && base.Service.RegisterEmailConfirm {
ctx.Data["Title"] = "Activate Your Account"
ctx.HTML(200, "user/active")
return
}
}
} }
// SignOutRequire requires user to sign out. func Toggle(options *ToggleOptions) martini.Handler {
func SignOutRequire() martini.Handler {
return func(ctx *Context) { return func(ctx *Context) {
if ctx.IsSigned { if options.SignOutRequire && ctx.IsSigned {
ctx.Redirect("/") ctx.Redirect("/")
return return
} }
}
}
// AdminRequire requires user signed in as administor. if !options.DisableCsrf {
func AdminRequire() martini.Handler { if ctx.Req.Method == "POST" {
return func(ctx *Context) { if !ctx.CsrfTokenValid() {
if !ctx.User.IsAdmin { ctx.Error(403, "CSRF token does not match")
ctx.Error(403) return
return }
}
}
if options.SignInRequire {
if !ctx.IsSigned {
ctx.Redirect("/user/login")
return
} else if !ctx.User.IsActive && base.Service.RegisterEmailConfirm {
ctx.Data["Title"] = "Activate Your Account"
ctx.HTML(200, "user/active")
return
}
}
if options.AdminRequire {
if !ctx.User.IsAdmin {
ctx.Error(403)
return
}
} }
ctx.Data["PageIsAdmin"] = true
} }
} }

View file

@ -6,6 +6,7 @@ package middleware
import ( import (
"fmt" "fmt"
"html/template"
"net/http" "net/http"
"time" "time"
@ -32,6 +33,8 @@ type Context struct {
User *models.User User *models.User
IsSigned bool IsSigned bool
csrfToken string
Repo struct { Repo struct {
IsValid bool IsValid bool
IsOwner bool IsOwner bool
@ -90,6 +93,95 @@ func (ctx *Context) Handle(status int, title string, err error) {
ctx.HTML(status, fmt.Sprintf("status/%d", status)) ctx.HTML(status, fmt.Sprintf("status/%d", status))
} }
func (ctx *Context) GetCookie(name string) string {
cookie, err := ctx.Req.Cookie(name)
if err != nil {
return ""
}
return cookie.Value
}
func (ctx *Context) SetCookie(name string, value string, others ...interface{}) {
cookie := http.Cookie{}
cookie.Name = name
cookie.Value = value
if len(others) > 0 {
switch v := others[0].(type) {
case int:
cookie.MaxAge = v
case int64:
cookie.MaxAge = int(v)
case int32:
cookie.MaxAge = int(v)
}
}
// default "/"
if len(others) > 1 {
if v, ok := others[1].(string); ok && len(v) > 0 {
cookie.Path = v
}
} else {
cookie.Path = "/"
}
// default empty
if len(others) > 2 {
if v, ok := others[2].(string); ok && len(v) > 0 {
cookie.Domain = v
}
}
// default empty
if len(others) > 3 {
switch v := others[3].(type) {
case bool:
cookie.Secure = v
default:
if others[3] != nil {
cookie.Secure = true
}
}
}
// default false. for session cookie default true
if len(others) > 4 {
if v, ok := others[4].(bool); ok && v {
cookie.HttpOnly = true
}
}
ctx.Res.Header().Add("Set-Cookie", cookie.String())
}
func (ctx *Context) CsrfToken() string {
if len(ctx.csrfToken) > 0 {
return ctx.csrfToken
}
token := ctx.GetCookie("_csrf")
if len(token) == 0 {
token = base.GetRandomString(30)
ctx.SetCookie("_csrf", token)
}
ctx.csrfToken = token
return token
}
func (ctx *Context) CsrfTokenValid() bool {
token := ctx.Query("_csrf")
if token == "" {
token = ctx.Req.Header.Get("X-Csrf-Token")
}
if token == "" {
return false
} else if ctx.csrfToken != token {
return false
}
return true
}
// InitContext initializes a classic context for a request. // InitContext initializes a classic context for a request.
func InitContext() martini.Handler { func InitContext() martini.Handler {
return func(res http.ResponseWriter, r *http.Request, c martini.Context, rd *Render) { return func(res http.ResponseWriter, r *http.Request, c martini.Context, rd *Render) {
@ -103,11 +195,14 @@ func InitContext() martini.Handler {
Render: rd, Render: rd,
} }
ctx.Data["PageStartTime"] = time.Now()
// start session // start session
ctx.Session = base.SessionManager.SessionStart(res, r) ctx.Session = base.SessionManager.SessionStart(res, r)
defer func() { rw := res.(martini.ResponseWriter)
rw.Before(func(martini.ResponseWriter) {
ctx.Session.SessionRelease(res) ctx.Session.SessionRelease(res)
}() })
// Get user from session if logined. // Get user from session if logined.
user := auth.SignedInUser(ctx.Session) user := auth.SignedInUser(ctx.Session)
@ -121,9 +216,15 @@ func InitContext() martini.Handler {
ctx.Data["SignedUserId"] = user.Id ctx.Data["SignedUserId"] = user.Id
ctx.Data["SignedUserName"] = user.LowerName ctx.Data["SignedUserName"] = user.LowerName
ctx.Data["IsAdmin"] = ctx.User.IsAdmin ctx.Data["IsAdmin"] = ctx.User.IsAdmin
if ctx.User.IsAdmin {
ctx.Data["PageIsAdmin"] = true
}
} }
ctx.Data["PageStartTime"] = time.Now() // get or create csrf token
ctx.Data["CsrfToken"] = ctx.CsrfToken()
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.csrfToken + `">`)
c.Map(ctx) c.Map(ctx)

View file

@ -242,8 +242,11 @@ func (r *Render) HTMLString(name string, binding interface{}, htmlOpt ...HTMLOpt
} }
} }
func (r *Render) Error(status int) { func (r *Render) Error(status int, message ...string) {
r.WriteHeader(status) r.WriteHeader(status)
if len(message) > 0 {
r.Write([]byte(message[0]))
}
} }
func (r *Render) Redirect(location string, status ...int) { func (r *Render) Redirect(location string, status ...int) {

View file

@ -2,6 +2,39 @@ var Gogits = {
"PageIsSignup": false "PageIsSignup": false
}; };
(function($){
// extend jQuery ajax, set csrf token value
var ajax = $.ajax;
$.extend({
ajax: function(url, options) {
if (typeof url === 'object') {
options = url;
url = undefined;
}
options = options || {};
url = options.url;
var csrftoken = $('meta[name=_csrf]').attr('content');
var headers = options.headers || {};
var domain = document.domain.replace(/\./ig, '\\.');
if (!/^(http:|https:).*/.test(url) || eval('/^(http:|https:)\\/\\/(.+\\.)*' + domain + '.*/').test(url)) {
headers = $.extend(headers, {'X-Csrf-Token':csrftoken});
}
options.headers = headers;
var callback = options.success;
options.success = function(data){
if(data.once){
// change all _once value if ajax data.once exist
$('[name=_once]').val(data.once);
}
if(callback){
callback.apply(this, arguments);
}
};
return ajax(url, options);
}
});
}(jQuery));
(function ($) { (function ($) {
Gogits.showTab = function (selector, index) { Gogits.showTab = function (selector, index) {

View file

@ -12,6 +12,7 @@
<br/> <br/>
<form action="/admin/users/{{.User.Id}}" method="post" class="form-horizontal"> <form action="/admin/users/{{.User.Id}}" method="post" class="form-horizontal">
{{if .IsSuccess}}<p class="alert alert-success">Account profile has been successfully updated.</p>{{else if .HasError}}<p class="alert alert-danger form-error">{{.ErrorMsg}}</p>{{end}} {{if .IsSuccess}}<p class="alert alert-success">Account profile has been successfully updated.</p>{{else if .HasError}}<p class="alert alert-danger form-error">{{.ErrorMsg}}</p>{{end}}
{{.CsrfTokenHtml}}
<input type="hidden" value="{{.User.Id}}" name="userId"/> <input type="hidden" value="{{.User.Id}}" name="userId"/>
<div class="form-group"> <div class="form-group">
<label class="col-md-3 control-label">Username: </label> <label class="col-md-3 control-label">Username: </label>

View file

@ -11,6 +11,7 @@
<div class="panel-body"> <div class="panel-body">
<br/> <br/>
<form action="/admin/users/new" method="post" class="form-horizontal"> <form action="/admin/users/new" method="post" class="form-horizontal">
{{.CsrfTokenHtml}}
<div class="alert alert-danger form-error{{if .HasError}}{{else}} hidden{{end}}">{{.ErrorMsg}}</div> <div class="alert alert-danger form-error{{if .HasError}}{{else}} hidden{{end}}">{{.ErrorMsg}}</div>
<div class="form-group {{if .Err_UserName}}has-error has-feedback{{end}}"> <div class="form-group {{if .Err_UserName}}has-error has-feedback{{end}}">
<label class="col-md-3 control-label">Username: </label> <label class="col-md-3 control-label">Username: </label>

View file

@ -8,6 +8,7 @@
<meta name="author" content="Gogs - Go Git Service" /> <meta name="author" content="Gogs - Go Git Service" />
<meta name="description" content="Gogs(Go Git Service) is a GitHub-like clone in the Go Programming Language" /> <meta name="description" content="Gogs(Go Git Service) is a GitHub-like clone in the Go Programming Language" />
<meta name="keywords" content="go, git"> <meta name="keywords" content="go, git">
<meta name="_csrf" content="{{.CsrfToken}}" />
<!-- Stylesheets --> <!-- Stylesheets -->
<link href="/css/bootstrap.min.css" rel="stylesheet" /> <link href="/css/bootstrap.min.css" rel="stylesheet" />

View file

@ -2,6 +2,7 @@
{{template "base/navbar" .}} {{template "base/navbar" .}}
<div class="container" id="gogs-body"> <div class="container" id="gogs-body">
<form action="/repo/create" method="post" class="form-horizontal gogs-card" id="gogs-repo-create"> <form action="/repo/create" method="post" class="form-horizontal gogs-card" id="gogs-repo-create">
{{.CsrfTokenHtml}}
<h3>Create New Repository</h3> <h3>Create New Repository</h3>
<div class="alert alert-danger form-error{{if .HasError}}{{else}} hidden{{end}}">{{.ErrorMsg}}</div> <div class="alert alert-danger form-error{{if .HasError}}{{else}} hidden{{end}}">{{.ErrorMsg}}</div>
<div class="form-group"> <div class="form-group">

View file

@ -40,6 +40,7 @@
<div class="modal fade" id="delete-repository-modal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true"> <div class="modal fade" id="delete-repository-modal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
<div class="modal-dialog"> <div class="modal-dialog">
<form action="/{{.Owner.Name}}/{{.Repository.Name}}/settings" method="post" class="modal-content"> <form action="/{{.Owner.Name}}/{{.Repository.Name}}/settings" method="post" class="modal-content">
{{.CsrfTokenHtml}}
<input type="hidden" name="action" value="delete"> <input type="hidden" name="action" value="delete">
<div class="modal-header"> <div class="modal-header">

View file

@ -1,7 +1,8 @@
{{template "base/head" .}} {{template "base/head" .}}
{{template "base/navbar" .}} {{template "base/navbar" .}}
<div id="gogs-body" class="container"> <div id="gogs-body" class="container">
<form action="/user/activate" method="get" class="form-horizontal gogs-card" id="gogs-login-card"> <form action="/user/activate" method="post" class="form-horizontal gogs-card" id="gogs-login-card">
{{.CsrfTokenHtml}}
<h3>Activate Your Account</h3> <h3>Activate Your Account</h3>
{{if .IsActivatePage}} {{if .IsActivatePage}}
{{if .ServiceNotEnabled}} {{if .ServiceNotEnabled}}

View file

@ -22,6 +22,7 @@
<div class="modal fade" id="delete-account-modal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true"> <div class="modal fade" id="delete-account-modal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
<div class="modal-dialog"> <div class="modal-dialog">
<form action="/user/delete" method="post" class="modal-content" id="gogs-user-delete"> <form action="/user/delete" method="post" class="modal-content" id="gogs-user-delete">
{{.CsrfTokenHtml}}
<div class="modal-header"> <div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button> <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
<h4 class="modal-title" id="myModalLabel">Delete Account</h4> <h4 class="modal-title" id="myModalLabel">Delete Account</h4>

View file

@ -5,7 +5,9 @@
<div id="gogs-user-setting-container" class="col-md-9"> <div id="gogs-user-setting-container" class="col-md-9">
<div id="gogs-setting-pwd"> <div id="gogs-setting-pwd">
<h4>Password</h4> <h4>Password</h4>
<form class="form-horizontal" id="gogs-password-form" method="post" action="/user/setting/password">{{if .IsSuccess}} <form class="form-horizontal" id="gogs-password-form" method="post" action="/user/setting/password">
{{.CsrfTokenHtml}}
{{if .IsSuccess}}
<p class="alert alert-success">Password is changed successfully. You can now sign in via new password.</p>{{else if .HasError}}<p class="alert alert-danger form-error">{{.ErrorMsg}}</p>{{end}} <p class="alert alert-success">Password is changed successfully. You can now sign in via new password.</p>{{else if .HasError}}<p class="alert alert-danger form-error">{{.ErrorMsg}}</p>{{end}}
<div class="form-group"> <div class="form-group">
<label class="col-md-3 control-label">Old Password<strong class="text-danger">*</strong></label> <label class="col-md-3 control-label">Old Password<strong class="text-danger">*</strong></label>

View file

@ -22,6 +22,7 @@
<div class="modal fade" id="ssh-add-modal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true"> <div class="modal fade" id="ssh-add-modal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
<div class="modal-dialog"> <div class="modal-dialog">
<form class="modal-content form-horizontal" id="gogs-ssh-form" method="post" action="/user/setting/ssh/"> <form class="modal-content form-horizontal" id="gogs-ssh-form" method="post" action="/user/setting/ssh/">
{{.CsrfTokenHtml}}
<div class="modal-header"> <div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button> <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
<h4 class="modal-title" id="myModalLabel">Add SSH Key</h4> <h4 class="modal-title" id="myModalLabel">Add SSH Key</h4>

View file

@ -6,6 +6,7 @@
<div id="gogs-setting-pwd"> <div id="gogs-setting-pwd">
<h4>Account Profile</h4> <h4>Account Profile</h4>
<form class="form-horizontal" id="gogs-password-form" method="post" action="/user/setting"> <form class="form-horizontal" id="gogs-password-form" method="post" action="/user/setting">
{{.CsrfTokenHtml}}
{{if .IsSuccess}}<p class="alert alert-success">Your profile has been successfully updated.</p>{{else if .HasError}}<p class="alert alert-danger form-error">{{.ErrorMsg}}</p>{{end}} {{if .IsSuccess}}<p class="alert alert-success">Your profile has been successfully updated.</p>{{else if .HasError}}<p class="alert alert-danger form-error">{{.ErrorMsg}}</p>{{end}}
<p>Your Email will be public and used for Account related notifications and any web based operations made via the web.</p> <p>Your Email will be public and used for Account related notifications and any web based operations made via the web.</p>
<div class="form-group"> <div class="form-group">

View file

@ -2,6 +2,7 @@
{{template "base/navbar" .}} {{template "base/navbar" .}}
<div class="container" id="gogs-body" data-page="user-signin"> <div class="container" id="gogs-body" data-page="user-signin">
<form action="/user/login" method="post" class="form-horizontal gogs-card" id="gogs-login-card"> <form action="/user/login" method="post" class="form-horizontal gogs-card" id="gogs-login-card">
{{.CsrfTokenHtml}}
<h3>Log in</h3> <h3>Log in</h3>
<div class="alert alert-danger form-error{{if .HasError}}{{else}} hidden{{end}}">{{.ErrorMsg}}</div> <div class="alert alert-danger form-error{{if .HasError}}{{else}} hidden{{end}}">{{.ErrorMsg}}</div>
<div class="form-group {{if .Err_UserName}}has-error has-feedback{{end}}"> <div class="form-group {{if .Err_UserName}}has-error has-feedback{{end}}">

View file

@ -2,6 +2,7 @@
{{template "base/navbar" .}} {{template "base/navbar" .}}
<div class="container" id="gogs-body" data-page="user-signup"> <div class="container" id="gogs-body" data-page="user-signup">
<form action="/user/sign_up" method="post" class="form-horizontal gogs-card" id="gogs-login-card"> <form action="/user/sign_up" method="post" class="form-horizontal gogs-card" id="gogs-login-card">
{{.CsrfTokenHtml}}
{{if .DisenableRegisteration}} {{if .DisenableRegisteration}}
Sorry, registeration has been disenabled, you can only get account from administrator. Sorry, registeration has been disenabled, you can only get account from administrator.
{{else}} {{else}}

24
web.go
View file

@ -82,9 +82,10 @@ func runWeb(*cli.Context) {
m.Use(middleware.InitContext()) m.Use(middleware.InitContext())
reqSignIn := middleware.SignInRequire(true) reqSignIn := middleware.Toggle(&middleware.ToggleOptions{SignInRequire: true})
ignSignIn := middleware.SignInRequire(base.Service.RequireSignInView) ignSignIn := middleware.Toggle(&middleware.ToggleOptions{SignInRequire: base.Service.RequireSignInView})
reqSignOut := middleware.SignOutRequire() reqSignOut := middleware.Toggle(&middleware.ToggleOptions{SignOutRequire: true})
// Routers. // Routers.
m.Get("/", ignSignIn, routers.Home) m.Get("/", ignSignIn, routers.Home)
m.Get("/issues", reqSignIn, user.Issues) m.Get("/issues", reqSignIn, user.Issues)
@ -109,14 +110,15 @@ func runWeb(*cli.Context) {
m.Get("/help", routers.Help) m.Get("/help", routers.Help)
adminReq := middleware.AdminRequire() adminReq := middleware.Toggle(&middleware.ToggleOptions{SignInRequire: true, AdminRequire: true})
m.Get("/admin", reqSignIn, adminReq, admin.Dashboard)
m.Get("/admin/users", reqSignIn, adminReq, admin.Users) m.Get("/admin", adminReq, admin.Dashboard)
m.Any("/admin/users/new", reqSignIn, adminReq, binding.BindIgnErr(auth.RegisterForm{}), admin.NewUser) m.Get("/admin/users", adminReq, admin.Users)
m.Any("/admin/users/:userid", reqSignIn, adminReq, binding.BindIgnErr(auth.AdminEditUserForm{}), admin.EditUser) m.Any("/admin/users/new", adminReq, binding.BindIgnErr(auth.RegisterForm{}), admin.NewUser)
m.Any("/admin/users/:userid/delete", reqSignIn, adminReq, admin.DeleteUser) m.Any("/admin/users/:userid", adminReq, binding.BindIgnErr(auth.AdminEditUserForm{}), admin.EditUser)
m.Get("/admin/repos", reqSignIn, adminReq, admin.Repositories) m.Any("/admin/users/:userid/delete", adminReq, admin.DeleteUser)
m.Get("/admin/config", reqSignIn, adminReq, admin.Config) m.Get("/admin/repos", adminReq, admin.Repositories)
m.Get("/admin/config", adminReq, admin.Config)
m.Post("/:username/:reponame/settings", reqSignIn, middleware.RepoAssignment(true), repo.SettingPost) m.Post("/:username/:reponame/settings", reqSignIn, middleware.RepoAssignment(true), repo.SettingPost)
m.Get("/:username/:reponame/settings", reqSignIn, middleware.RepoAssignment(true), repo.Setting) m.Get("/:username/:reponame/settings", reqSignIn, middleware.RepoAssignment(true), repo.Setting)