1
0
Fork 0

Support secure cookie for csrf-token (#3839)

* dep: Update github.com/go-macaron/csrf

Update github.com/go-macaron/csrf with dep to revision 503617c6b372
to fix issue of csrf-token security.

This update includes following commits:
- Add support for the Cookie HttpOnly flag
- Support secure mode for csrf cookie

Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com>

* routers: set csrf-token security depending on COOKIE_SECURE

Signed-off-by: Aleksandr Bulyshchenko <A.Bulyshchenko@globallogic.com>
This commit is contained in:
Aleksandr Bulyshchenko 2018-05-22 02:09:48 +03:00 committed by Lauris BH
parent 31067c0a89
commit ee878e3951
3 changed files with 21 additions and 8 deletions

3
Gopkg.lock generated
View file

@ -254,9 +254,10 @@
revision = "8aa5919789ab301e865595eb4b1114d6b9847deb" revision = "8aa5919789ab301e865595eb4b1114d6b9847deb"
[[projects]] [[projects]]
branch = "master"
name = "github.com/go-macaron/csrf" name = "github.com/go-macaron/csrf"
packages = ["."] packages = ["."]
revision = "6a9a7df172cc1fcd81e4585f44b09200b6087cc0" revision = "503617c6b37257a55dff6293ec28556506c3a9a8"
[[projects]] [[projects]]
branch = "master" branch = "master"

View file

@ -119,6 +119,7 @@ func NewMacaron() *macaron.Macaron {
Secret: setting.SecretKey, Secret: setting.SecretKey,
Cookie: setting.CSRFCookieName, Cookie: setting.CSRFCookieName,
SetCookie: true, SetCookie: true,
Secure: setting.SessionConfig.Secure,
Header: "X-Csrf-Token", Header: "X-Csrf-Token",
CookiePath: setting.AppSubURL, CookiePath: setting.AppSubURL,
})) }))

View file

@ -41,6 +41,8 @@ type CSRF interface {
GetCookieName() string GetCookieName() string
// Return cookie path // Return cookie path
GetCookiePath() string GetCookiePath() string
// Return the flag value used for the csrf token.
GetCookieHttpOnly() bool
// Return the token. // Return the token.
GetToken() string GetToken() string
// Validate by token. // Validate by token.
@ -58,6 +60,8 @@ type csrf struct {
Cookie string Cookie string
//Cookie path //Cookie path
CookiePath string CookiePath string
// Cookie HttpOnly flag value used for the csrf token.
CookieHttpOnly bool
// Token generated to pass via header, cookie, or hidden form value. // Token generated to pass via header, cookie, or hidden form value.
Token string Token string
// This value must be unique per user. // This value must be unique per user.
@ -88,6 +92,11 @@ func (c *csrf) GetCookiePath() string {
return c.CookiePath return c.CookiePath
} }
// GetCookieHttpOnly returns the flag value used for the csrf token.
func (c *csrf) GetCookieHttpOnly() bool {
return c.CookieHttpOnly
}
// GetToken returns the current token. This is typically used // GetToken returns the current token. This is typically used
// to populate a hidden form in an HTML template. // to populate a hidden form in an HTML template.
func (c *csrf) GetToken() string { func (c *csrf) GetToken() string {
@ -116,6 +125,7 @@ type Options struct {
Cookie string Cookie string
// Cookie path. // Cookie path.
CookiePath string CookiePath string
CookieHttpOnly bool
// Key used for getting the unique ID per user. // Key used for getting the unique ID per user.
SessionKey string SessionKey string
// oldSeesionKey saves old value corresponding to SessionKey. // oldSeesionKey saves old value corresponding to SessionKey.
@ -173,12 +183,13 @@ func Generate(options ...Options) macaron.Handler {
opt := prepareOptions(options) opt := prepareOptions(options)
return func(ctx *macaron.Context, sess session.Store) { return func(ctx *macaron.Context, sess session.Store) {
x := &csrf{ x := &csrf{
Secret: opt.Secret, Secret: opt.Secret,
Header: opt.Header, Header: opt.Header,
Form: opt.Form, Form: opt.Form,
Cookie: opt.Cookie, Cookie: opt.Cookie,
CookiePath: opt.CookiePath, CookiePath: opt.CookiePath,
ErrorFunc: opt.ErrorFunc, CookieHttpOnly: opt.CookieHttpOnly,
ErrorFunc: opt.ErrorFunc,
} }
ctx.MapTo(x, (*CSRF)(nil)) ctx.MapTo(x, (*CSRF)(nil))
@ -211,7 +222,7 @@ func Generate(options ...Options) macaron.Handler {
// FIXME: actionId. // FIXME: actionId.
x.Token = GenerateToken(x.Secret, x.ID, "POST") x.Token = GenerateToken(x.Secret, x.ID, "POST")
if opt.SetCookie { if opt.SetCookie {
ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", false, true, time.Now().AddDate(0, 0, 1)) ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", opt.Secure, opt.CookieHttpOnly, time.Now().AddDate(0, 0, 1))
} }
} }