syncthing/cmd/syncthing/gui_csrf.go

// Copyright (C) 2014 The Syncthing Authors.
//
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this file,
// You can obtain one at http://mozilla.org/MPL/2.0/.

package main

import (
	"bufio"
	"fmt"
	"net/http"
	"os"
	"strings"
	"time"

	"github.com/syncthing/syncthing/internal/osutil"
	"github.com/syncthing/syncthing/internal/sync"
)

var csrfTokens []string
var csrfMut = sync.NewMutex()

// Check for CSRF token on /rest/ URLs. If a correct one is not given, reject
// the request with 403. For / and /index.html, set a new CSRF cookie if none
// is currently set.
func csrfMiddleware(prefix, apiKey string, next http.Handler) http.Handler {
	loadCsrfTokens()
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Allow requests carrying a valid API key
		if apiKey != "" && r.Header.Get("X-API-Key") == apiKey {
			next.ServeHTTP(w, r)
			return
		}

		// Allow requests for the front page, and set a CSRF cookie if there isn't already a valid one.
		if !strings.HasPrefix(r.URL.Path, prefix) {
			cookie, err := r.Cookie("CSRF-Token")
			if err != nil || !validCsrfToken(cookie.Value) {
				cookie = &http.Cookie{
					Name:  "CSRF-Token",
					Value: newCsrfToken(),
				}
				http.SetCookie(w, cookie)
			}
			next.ServeHTTP(w, r)
			return
		}

		if r.Method == "GET" {
			// Allow GET requests unconditionally
			next.ServeHTTP(w, r)
			return
		}

		// Verify the CSRF token
		token := r.Header.Get("X-CSRF-Token")
		if !validCsrfToken(token) {
			http.Error(w, "CSRF Error", 403)
			return
		}

		next.ServeHTTP(w, r)
	})
}

func validCsrfToken(token string) bool {
	csrfMut.Lock()
	defer csrfMut.Unlock()
	for _, t := range csrfTokens {
		if t == token {
			return true
		}
	}
	return false
}

func newCsrfToken() string {
	token := randomString(32)

	csrfMut.Lock()
	csrfTokens = append(csrfTokens, token)
	if len(csrfTokens) > 10 {
		csrfTokens = csrfTokens[len(csrfTokens)-10:]
	}
	defer csrfMut.Unlock()

	saveCsrfTokens()

	return token
}

func saveCsrfTokens() {
	name := locations[locCsrfTokens]
	tmp := fmt.Sprintf("%s.tmp.%d", name, time.Now().UnixNano())

	f, err := os.OpenFile(tmp, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0644)
	if err != nil {
		return
	}
	defer os.Remove(tmp)

	for _, t := range csrfTokens {
		_, err := fmt.Fprintln(f, t)
		if err != nil {
			return
		}
	}

	err = f.Close()
	if err != nil {
		return
	}

	osutil.Rename(tmp, name)
}

func loadCsrfTokens() {
	f, err := os.Open(locations[locCsrfTokens])
	if err != nil {
		return
	}
	defer f.Close()

	s := bufio.NewScanner(f)
	for s.Scan() {
		csrfTokens = append(csrfTokens, s.Text())
	}
}
Use more inclusive copyright header 2014-11-16 21:13:20 +01:00			`// Copyright (C) 2014 The Syncthing Authors.`
Relicense to GPL 2014-09-29 21:43:32 +02:00			`//`
MPLv2 2015-03-07 21:36:35 +01:00			`// This Source Code Form is subject to the terms of the Mozilla Public`
			`// License, v. 2.0. If a copy of the MPL was not distributed with this file,`
			`// You can obtain one at http://mozilla.org/MPL/2.0/.`
Copyright cleanup 2014-09-04 08:31:38 +02:00
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00			`package main`

			`import (`
			`"bufio"`
			`"fmt"`
			`"net/http"`
			`"os"`
CSRF protection should only cover /rest 2014-07-06 15:00:44 +02:00			`"strings"`
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00			`"time"`

Move top level packages to internal. 2014-09-22 21:42:11 +02:00			`"github.com/syncthing/syncthing/internal/osutil"`
Add mutex logging 2015-04-23 00:54:31 +02:00			`"github.com/syncthing/syncthing/internal/sync"`
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00			`)`

			`var csrfTokens []string`
Run vet and lint. Make us lint clean. 2015-04-28 22:32:10 +02:00			`var csrfMut = sync.NewMutex()`
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00
			`// Check for CSRF token on /rest/ URLs. If a correct one is not given, reject`
			`// the request with 403. For / and /index.html, set a new CSRF cookie if none`
			`// is currently set.`
Add session support (fixes #611) 2014-09-01 22:51:44 +02:00			`func csrfMiddleware(prefix, apiKey string, next http.Handler) http.Handler {`
			`loadCsrfTokens()`
Remove martini, use standard http mux 2014-07-05 21:40:29 +02:00			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`// Allow requests carrying a valid API key`
Add session support (fixes #611) 2014-09-01 22:51:44 +02:00			`if apiKey != "" && r.Header.Get("X-API-Key") == apiKey {`
Remove martini, use standard http mux 2014-07-05 21:40:29 +02:00			`next.ServeHTTP(w, r)`
			`return`
			`}`

			`// Allow requests for the front page, and set a CSRF cookie if there isn't already a valid one.`
CSRF protection should only cover /rest 2014-07-06 15:00:44 +02:00			`if !strings.HasPrefix(r.URL.Path, prefix) {`
Remove martini, use standard http mux 2014-07-05 21:40:29 +02:00			`cookie, err := r.Cookie("CSRF-Token")`
			`if err != nil \|\| !validCsrfToken(cookie.Value) {`
			`cookie = &http.Cookie{`
			`Name: "CSRF-Token",`
			`Value: newCsrfToken(),`
			`}`
			`http.SetCookie(w, cookie)`
			`}`
			`next.ServeHTTP(w, r)`
			`return`
			`}`
API key change should take effect on restart only 2014-06-05 09:16:12 +02:00
Allow GET requests without CSRF 2014-08-02 08:19:10 +02:00			`if r.Method == "GET" {`
			`// Allow GET requests unconditionally`
			`next.ServeHTTP(w, r)`
			`return`
			`}`

Remove martini, use standard http mux 2014-07-05 21:40:29 +02:00			`// Verify the CSRF token`
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00			`token := r.Header.Get("X-CSRF-Token")`
			`if !validCsrfToken(token) {`
			`http.Error(w, "CSRF Error", 403)`
Remove martini, use standard http mux 2014-07-05 21:40:29 +02:00			`return`
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00			`}`
Remove martini, use standard http mux 2014-07-05 21:40:29 +02:00
			`next.ServeHTTP(w, r)`
			`})`
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00			`}`

			`func validCsrfToken(token string) bool {`
			`csrfMut.Lock()`
			`defer csrfMut.Unlock()`
			`for _, t := range csrfTokens {`
			`if t == token {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

			`func newCsrfToken() string {`
Refactor random string stuff and seeding Make sure we have a good random seed on the default RNG, that the predictable RNG is clearly marked as such, that random strings are actually the length requested, and that they contain a restricted set of characters only. 2014-12-07 16:41:24 +01:00			`token := randomString(32)`
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00
			`csrfMut.Lock()`
			`csrfTokens = append(csrfTokens, token)`
			`if len(csrfTokens) > 10 {`
			`csrfTokens = csrfTokens[len(csrfTokens)-10:]`
			`}`
			`defer csrfMut.Unlock()`

			`saveCsrfTokens()`

			`return token`
			`}`

			`func saveCsrfTokens() {`
Move index to index-v0.11.0.db (new format) and centralize location config 2015-03-29 12:55:27 +02:00			`name := locations[locCsrfTokens]`
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00			`tmp := fmt.Sprintf("%s.tmp.%d", name, time.Now().UnixNano())`

			`f, err := os.OpenFile(tmp, os.O_CREATE\|os.O_EXCL\|os.O_WRONLY, 0644)`
			`if err != nil {`
			`return`
			`}`
			`defer os.Remove(tmp)`

			`for _, t := range csrfTokens {`
			`_, err := fmt.Fprintln(f, t)`
			`if err != nil {`
			`return`
			`}`
			`}`

			`err = f.Close()`
			`if err != nil {`
			`return`
			`}`

			`osutil.Rename(tmp, name)`
			`}`

			`func loadCsrfTokens() {`
Move index to index-v0.11.0.db (new format) and centralize location config 2015-03-29 12:55:27 +02:00			`f, err := os.Open(locations[locCsrfTokens])`
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00			`if err != nil {`
			`return`
			`}`
			`defer f.Close()`

			`s := bufio.NewScanner(f)`
			`for s.Scan() {`
			`csrfTokens = append(csrfTokens, s.Text())`
			`}`
			`}`