From ee878e3951d059363a1538a94d14576af8e7f83c Mon Sep 17 00:00:00 2001 From: Aleksandr Bulyshchenko Date: Tue, 22 May 2018 02:09:48 +0300 Subject: [PATCH] Support secure cookie for csrf-token (#3839) * dep: Update github.com/go-macaron/csrf Update github.com/go-macaron/csrf with dep to revision 503617c6b372 to fix issue of csrf-token security. This update includes following commits: - Add support for the Cookie HttpOnly flag - Support secure mode for csrf cookie Signed-off-by: Aleksandr Bulyshchenko * routers: set csrf-token security depending on COOKIE_SECURE Signed-off-by: Aleksandr Bulyshchenko --- Gopkg.lock | 3 ++- routers/routes/routes.go | 1 + vendor/github.com/go-macaron/csrf/csrf.go | 25 ++++++++++++++++------- 3 files changed, 21 insertions(+), 8 deletions(-) diff --git a/Gopkg.lock b/Gopkg.lock index 147b63fdda..9e1adb1947 100644 --- a/Gopkg.lock +++ b/Gopkg.lock @@ -254,9 +254,10 @@ revision = "8aa5919789ab301e865595eb4b1114d6b9847deb" [[projects]] + branch = "master" name = "github.com/go-macaron/csrf" packages = ["."] - revision = "6a9a7df172cc1fcd81e4585f44b09200b6087cc0" + revision = "503617c6b37257a55dff6293ec28556506c3a9a8" [[projects]] branch = "master" diff --git a/routers/routes/routes.go b/routers/routes/routes.go index 1585a0876d..cb9fbb16aa 100644 --- a/routers/routes/routes.go +++ b/routers/routes/routes.go @@ -119,6 +119,7 @@ func NewMacaron() *macaron.Macaron { Secret: setting.SecretKey, Cookie: setting.CSRFCookieName, SetCookie: true, + Secure: setting.SessionConfig.Secure, Header: "X-Csrf-Token", CookiePath: setting.AppSubURL, })) diff --git a/vendor/github.com/go-macaron/csrf/csrf.go b/vendor/github.com/go-macaron/csrf/csrf.go index affc95abfd..19c9b479fa 100644 --- a/vendor/github.com/go-macaron/csrf/csrf.go +++ b/vendor/github.com/go-macaron/csrf/csrf.go @@ -41,6 +41,8 @@ type CSRF interface { GetCookieName() string // Return cookie path GetCookiePath() string + // Return the flag value used for the csrf token. + GetCookieHttpOnly() bool // Return the token. GetToken() string // Validate by token. @@ -58,6 +60,8 @@ type csrf struct { Cookie string //Cookie path CookiePath string + // Cookie HttpOnly flag value used for the csrf token. + CookieHttpOnly bool // Token generated to pass via header, cookie, or hidden form value. Token string // This value must be unique per user. @@ -88,6 +92,11 @@ func (c *csrf) GetCookiePath() string { return c.CookiePath } +// GetCookieHttpOnly returns the flag value used for the csrf token. +func (c *csrf) GetCookieHttpOnly() bool { + return c.CookieHttpOnly +} + // GetToken returns the current token. This is typically used // to populate a hidden form in an HTML template. func (c *csrf) GetToken() string { @@ -116,6 +125,7 @@ type Options struct { Cookie string // Cookie path. CookiePath string + CookieHttpOnly bool // Key used for getting the unique ID per user. SessionKey string // oldSeesionKey saves old value corresponding to SessionKey. @@ -173,12 +183,13 @@ func Generate(options ...Options) macaron.Handler { opt := prepareOptions(options) return func(ctx *macaron.Context, sess session.Store) { x := &csrf{ - Secret: opt.Secret, - Header: opt.Header, - Form: opt.Form, - Cookie: opt.Cookie, - CookiePath: opt.CookiePath, - ErrorFunc: opt.ErrorFunc, + Secret: opt.Secret, + Header: opt.Header, + Form: opt.Form, + Cookie: opt.Cookie, + CookiePath: opt.CookiePath, + CookieHttpOnly: opt.CookieHttpOnly, + ErrorFunc: opt.ErrorFunc, } ctx.MapTo(x, (*CSRF)(nil)) @@ -211,7 +222,7 @@ func Generate(options ...Options) macaron.Handler { // FIXME: actionId. x.Token = GenerateToken(x.Secret, x.ID, "POST") if opt.SetCookie { - ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", false, true, time.Now().AddDate(0, 0, 1)) + ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", opt.Secure, opt.CookieHttpOnly, time.Now().AddDate(0, 0, 1)) } }