syncthing/cmd/syncthing/gui_csrf.go

// Copyright (C) 2014 The Syncthing Authors.
//
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this file,
// You can obtain one at http://mozilla.org/MPL/2.0/.

package main

import (
	"bufio"
	"fmt"
	"net/http"
	"os"
	"strings"

	"github.com/syncthing/syncthing/lib/osutil"
	"github.com/syncthing/syncthing/lib/sync"
)

var csrfTokens []string
var csrfMut = sync.NewMutex()

// Check for CSRF token on /rest/ URLs. If a correct one is not given, reject
// the request with 403. For / and /index.html, set a new CSRF cookie if none
// is currently set.
func csrfMiddleware(unique, prefix, apiKey string, next http.Handler) http.Handler {
	loadCsrfTokens()
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Allow requests carrying a valid API key
		if apiKey != "" && r.Header.Get("X-API-Key") == apiKey {
			next.ServeHTTP(w, r)
			return
		}

		// Allow requests for the front page, and set a CSRF cookie if there isn't already a valid one.
		if !strings.HasPrefix(r.URL.Path, prefix) {
			cookie, err := r.Cookie("CSRF-Token-" + unique)
			if err != nil || !validCsrfToken(cookie.Value) {
				cookie = &http.Cookie{
					Name:  "CSRF-Token-" + unique,
					Value: newCsrfToken(),
				}
				http.SetCookie(w, cookie)
			}
			next.ServeHTTP(w, r)
			return
		}

		if r.Method == "GET" {
			// Allow GET requests unconditionally
			next.ServeHTTP(w, r)
			return
		}

		// Verify the CSRF token
		token := r.Header.Get("X-CSRF-Token-" + unique)
		if !validCsrfToken(token) {
			http.Error(w, "CSRF Error", 403)
			return
		}

		next.ServeHTTP(w, r)
	})
}

func validCsrfToken(token string) bool {
	csrfMut.Lock()
	defer csrfMut.Unlock()
	for _, t := range csrfTokens {
		if t == token {
			return true
		}
	}
	return false
}

func newCsrfToken() string {
	token := randomString(32)

	csrfMut.Lock()
	csrfTokens = append(csrfTokens, token)
	if len(csrfTokens) > 10 {
		csrfTokens = csrfTokens[len(csrfTokens)-10:]
	}
	defer csrfMut.Unlock()

	saveCsrfTokens()

	return token
}

func saveCsrfTokens() {
	// We're ignoring errors in here. It's not super critical and there's
	// nothing relevant we can do about them anyway...

	name := locations[locCsrfTokens]
	f, err := osutil.CreateAtomic(name, 0600)
	if err != nil {
		return
	}

	for _, t := range csrfTokens {
		fmt.Fprintln(f, t)
	}

	f.Close()
}

func loadCsrfTokens() {
	f, err := os.Open(locations[locCsrfTokens])
	if err != nil {
		return
	}
	defer f.Close()

	s := bufio.NewScanner(f)
	for s.Scan() {
		csrfTokens = append(csrfTokens, s.Text())
	}
}
Use more inclusive copyright header 2014-11-16 21:13:20 +01:00			`// Copyright (C) 2014 The Syncthing Authors.`
Relicense to GPL 2014-09-29 21:43:32 +02:00			`//`
MPLv2 2015-03-07 21:36:35 +01:00			`// This Source Code Form is subject to the terms of the Mozilla Public`
			`// License, v. 2.0. If a copy of the MPL was not distributed with this file,`
			`// You can obtain one at http://mozilla.org/MPL/2.0/.`
Copyright cleanup 2014-09-04 08:31:38 +02:00
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00			`package main`

			`import (`
			`"bufio"`
			`"fmt"`
			`"net/http"`
			`"os"`
CSRF protection should only cover /rest 2014-07-06 15:00:44 +02:00			`"strings"`
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00
mv internal lib 2015-08-06 11:29:25 +02:00			`"github.com/syncthing/syncthing/lib/osutil"`
			`"github.com/syncthing/syncthing/lib/sync"`
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00			`)`

			`var csrfTokens []string`
Run vet and lint. Make us lint clean. 2015-04-28 22:32:10 +02:00			`var csrfMut = sync.NewMutex()`
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00
			`// Check for CSRF token on /rest/ URLs. If a correct one is not given, reject`
			`// the request with 403. For / and /index.html, set a new CSRF cookie if none`
			`// is currently set.`
Use different session cookies per device 2015-06-22 17:57:08 +02:00			`func csrfMiddleware(unique, prefix, apiKey string, next http.Handler) http.Handler {`
Add session support (fixes #611) 2014-09-01 22:51:44 +02:00			`loadCsrfTokens()`
Remove martini, use standard http mux 2014-07-05 21:40:29 +02:00			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`// Allow requests carrying a valid API key`
Add session support (fixes #611) 2014-09-01 22:51:44 +02:00			`if apiKey != "" && r.Header.Get("X-API-Key") == apiKey {`
Remove martini, use standard http mux 2014-07-05 21:40:29 +02:00			`next.ServeHTTP(w, r)`
			`return`
			`}`

			`// Allow requests for the front page, and set a CSRF cookie if there isn't already a valid one.`
CSRF protection should only cover /rest 2014-07-06 15:00:44 +02:00			`if !strings.HasPrefix(r.URL.Path, prefix) {`
Use different session cookies per device 2015-06-22 17:57:08 +02:00			`cookie, err := r.Cookie("CSRF-Token-" + unique)`
Remove martini, use standard http mux 2014-07-05 21:40:29 +02:00			`if err != nil \|\| !validCsrfToken(cookie.Value) {`
			`cookie = &http.Cookie{`
Use different session cookies per device 2015-06-22 17:57:08 +02:00			`Name: "CSRF-Token-" + unique,`
Remove martini, use standard http mux 2014-07-05 21:40:29 +02:00			`Value: newCsrfToken(),`
			`}`
			`http.SetCookie(w, cookie)`
			`}`
			`next.ServeHTTP(w, r)`
			`return`
			`}`
API key change should take effect on restart only 2014-06-05 09:16:12 +02:00
Allow GET requests without CSRF 2014-08-02 08:19:10 +02:00			`if r.Method == "GET" {`
			`// Allow GET requests unconditionally`
			`next.ServeHTTP(w, r)`
			`return`
			`}`

Remove martini, use standard http mux 2014-07-05 21:40:29 +02:00			`// Verify the CSRF token`
Use different session cookies per device 2015-06-22 17:57:08 +02:00			`token := r.Header.Get("X-CSRF-Token-" + unique)`
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00			`if !validCsrfToken(token) {`
			`http.Error(w, "CSRF Error", 403)`
Remove martini, use standard http mux 2014-07-05 21:40:29 +02:00			`return`
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00			`}`
Remove martini, use standard http mux 2014-07-05 21:40:29 +02:00
			`next.ServeHTTP(w, r)`
			`})`
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00			`}`

			`func validCsrfToken(token string) bool {`
			`csrfMut.Lock()`
			`defer csrfMut.Unlock()`
			`for _, t := range csrfTokens {`
			`if t == token {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

			`func newCsrfToken() string {`
Refactor random string stuff and seeding Make sure we have a good random seed on the default RNG, that the predictable RNG is clearly marked as such, that random strings are actually the length requested, and that they contain a restricted set of characters only. 2014-12-07 16:41:24 +01:00			`token := randomString(32)`
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00
			`csrfMut.Lock()`
			`csrfTokens = append(csrfTokens, token)`
			`if len(csrfTokens) > 10 {`
			`csrfTokens = csrfTokens[len(csrfTokens)-10:]`
			`}`
			`defer csrfMut.Unlock()`

			`saveCsrfTokens()`

			`return token`
			`}`

			`func saveCsrfTokens() {`
Add osutil.AtomicWriter This captures the common pattern of writing to a temp file and moving it to it's real name only if everything went well. It reduces the amount of code in some places where we do this, but maybe not as much as I expected because the upgrade thing is still a special snowflake... 2015-07-11 17:03:40 +02:00			`// We're ignoring errors in here. It's not super critical and there's`
			`// nothing relevant we can do about them anyway...`
Revert "Merge pull request #2053 from calmh/atomicwriter" (fixes #2058) This reverts commit b611f72e0829f60f3410e6f07652794f437d35ad, reversing changes made to a04b005e932244aa12882dfb95443df0c182163f. 2015-07-13 12:44:59 +02:00
Add osutil.AtomicWriter This captures the common pattern of writing to a temp file and moving it to it's real name only if everything went well. It reduces the amount of code in some places where we do this, but maybe not as much as I expected because the upgrade thing is still a special snowflake... 2015-07-11 17:03:40 +02:00			`name := locations[locCsrfTokens]`
			`f, err := osutil.CreateAtomic(name, 0600)`
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00			`if err != nil {`
			`return`
			`}`

			`for _, t := range csrfTokens {`
Add osutil.AtomicWriter This captures the common pattern of writing to a temp file and moving it to it's real name only if everything went well. It reduces the amount of code in some places where we do this, but maybe not as much as I expected because the upgrade thing is still a special snowflake... 2015-07-11 17:03:40 +02:00			`fmt.Fprintln(f, t)`
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00			`}`

Add osutil.AtomicWriter This captures the common pattern of writing to a temp file and moving it to it's real name only if everything went well. It reduces the amount of code in some places where we do this, but maybe not as much as I expected because the upgrade thing is still a special snowflake... 2015-07-11 17:03:40 +02:00			`f.Close()`
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00			`}`

			`func loadCsrfTokens() {`
Move index to index-v0.11.0.db (new format) and centralize location config 2015-03-29 12:55:27 +02:00			`f, err := os.Open(locations[locCsrfTokens])`
Implement CSRF protection for REST interface (fixes #287) 2014-06-04 21:20:07 +02:00			`if err != nil {`
			`return`
			`}`
			`defer f.Close()`

			`s := bufio.NewScanner(f)`
			`for s.Scan() {`
			`csrfTokens = append(csrfTokens, s.Text())`
			`}`
			`}`