visus
/
rex
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
31 Commits
1 Branch
Tree: 07369cd9ab
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '07369cd9ab'
${ noResults }
rex/middleware/xsrf.go

165 lines
4.0KB
Raw Blame History 

  1. package middleware

  2. 

  3. import (

  4. 	"bytes"

  5. 	"crypto/hmac"

  6. 	"crypto/sha1"

  7. 	"crypto/subtle"

  8. 	"encoding/base64"

  9. 	"encoding/hex"

  10. 	"fmt"

  11. 	"net/http"

  12. 	"net/url"

  13. 	"regexp"

  14. 	"strconv"

  15. 	"time"

  16. 

  17. 	"github.com/goanywhere/x/crypto"

  18. )

  19. 

  20. const (

  21. 	xsrfCookieName = "xsrf"

  22. 	xsrfHeaderName = "X-XSRF-Token"

  23. 	xsrfFieldName  = "xsrftoken"

  24. 

  25. 	xsrfMaxAge  = 3600 * 24 * 365

  26. 	xsrfTimeout = time.Hour * 24 * 365

  27. )

  28. 

  29. var (

  30. 	errXSRFReferer = "Referer URL is missing from the request or the value was malformed."

  31. 	errXSRFToken   = "Invalid XSRF tokens"

  32. 

  33. 	xsrfPattern   = regexp.MustCompile("[^0-9a-zA-Z-_]")

  34. 	unsafeMethods = regexp.MustCompile("^(DELETE|POST|PUT)$")

  35. )

  36. 

  37. type xsrf struct {

  38. 	*http.Request

  39. 	http.ResponseWriter

  40. 	token string

  41. }

  42. 

  43. // See http://en.wikipedia.org/wiki/Same-origin_policy

  44. func (self *xsrf) checkOrigin() bool {

  45. 	if self.Request.URL.Scheme == "https" {

  46. 		// See [OWASP]; Checking the Referer Header.

  47. 		referer, err := url.Parse(self.Request.Header.Get("Referer"))

  48. 

  49. 		if err != nil || referer.String() == "" ||

  50. 			referer.Scheme != self.Request.URL.Scheme ||

  51. 			referer.Host != self.Request.URL.Host {

  52. 

  53. 			return false

  54. 		}

  55. 	}

  56. 	return true

  57. }

  58. 

  59. func (self *xsrf) checkToken(token string) bool {

  60. 	// Header always takes precedance of form field since some popular

  61. 	// JavaScript frameworks allow global custom headers for all AJAX requests.

  62. 	query := self.Request.Header.Get(xsrfFieldName)

  63. 	if query == "" {

  64. 		query = self.Request.FormValue(xsrfFieldName)

  65. 	}

  66. 

  67. 	// 1) basic length comparison.

  68. 	if query == "" || len(query) != len(token) {

  69. 		return false

  70. 	}

  71. 	// *sanitize* incoming masked token.

  72. 	query = xsrfPattern.ReplaceAllString(query, "")

  73. 

  74. 	// 2) byte-based comparison.

  75. 	a, _ := base64.URLEncoding.DecodeString(token)

  76. 	b, _ := base64.URLEncoding.DecodeString(query)

  77. 	if subtle.ConstantTimeCompare(a, b) != 1 {

  78. 		return false

  79. 	}

  80. 

  81. 	// 3) issued time checking.

  82. 	index := bytes.LastIndex(b, []byte{'|'})

  83. 	if index != 40 {

  84. 		return false

  85. 	}

  86. 

  87. 	nanos, err := strconv.ParseInt(string(b[index+1:]), 10, 64)

  88. 	if err != nil {

  89. 		return false

  90. 	}

  91. 	now := time.Now()

  92. 	issueTime := time.Unix(0, nanos)

  93. 

  94. 	if now.Sub(issueTime) >= xsrfTimeout {

  95. 		return false

  96. 	}

  97. 

  98. 	// Ensure the token is not from the *future*, allow 1 minute grace period.

  99. 	if issueTime.After(now.Add(1 * time.Minute)) {

  100. 		return false

  101. 	}

  102. 

  103. 	return true

  104. }

  105. 

  106. func (self *xsrf) generate() {

  107. 	// Ensure we have XSRF token in the cookie first.

  108. 	var token string

  109. 	if cookie, err := self.Request.Cookie(xsrfCookieName); err == nil {

  110. 		if cookie.Value != "" {

  111. 			token = cookie.Value

  112. 		}

  113. 	}

  114. 	if token == "" {

  115. 		// Generate a base64-encoded token.

  116. 		nano := time.Now().UnixNano()

  117. 		hash := hmac.New(sha1.New, []byte(crypto.Random(32)))

  118. 		fmt.Fprintf(hash, "%s|%d", crypto.Random(12), nano)

  119. 		raw := fmt.Sprintf("%s|%d", hex.EncodeToString(hash.Sum(nil)), nano)

  120. 		token = base64.URLEncoding.EncodeToString([]byte(raw))

  121. 

  122. 		// The max-age directive takes priority over Expires.

  123. 		//	http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html

  124. 		cookie := new(http.Cookie)

  125. 		cookie.Name = xsrfCookieName

  126. 		cookie.Value = token

  127. 		cookie.MaxAge = xsrfMaxAge

  128. 		cookie.Path = "/"

  129. 		cookie.HttpOnly = true

  130. 		http.SetCookie(self.ResponseWriter, cookie)

  131. 	}

  132. 	self.ResponseWriter.Header()[xsrfHeaderName] = []string{token}

  133. 	self.token = token

  134. }

  135. 

  136. // ---------------------------------------------------------------------------

  137. //  XSRF Middleware Supports

  138. // ---------------------------------------------------------------------------

  139. func XSRF(next http.Handler) http.Handler {

  140. 	fn := func(w http.ResponseWriter, r *http.Request) {

  141. 		x := new(xsrf)

  142. 		x.Request = r

  143. 		x.ResponseWriter = w

  144. 		x.generate()

  145. 

  146. 		if unsafeMethods.MatchString(r.Method) {

  147. 			// Ensure the URL came for "Referer" under HTTPS.

  148. 			if !x.checkOrigin() {

  149. 				http.Error(w, errXSRFReferer, http.StatusForbidden)

  150. 			}

  151. 

  152. 			// length => bytes => issue time checkpoints.

  153. 			if !x.checkToken(x.token) {

  154. 				http.Error(w, errXSRFToken, http.StatusForbidden)

  155. 			}

  156. 		}

  157. 

  158. 		// ensure browser will invalidate the cached XSRF token.

  159. 		w.Header().Add("Vary", "Cookie")

  160. 

  161. 		next.ServeHTTP(w, r)

  162. 	}

  163. 	return http.HandlerFunc(fn)

  164. }