web: re-enable CSRF attack protection

botlabs-gg · May 24, 2020 · f23e1b4 · f23e1b4
1 parent 8b44ba2
commit f23e1b4
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/web/middleware.go b/web/middleware.go
@@ -175,6 +175,28 @@ func RequireSessionMiddleware(inner http.Handler) http.Handler {
 	return http.HandlerFunc(mw)
 }
 
+func CSRFProtectionMW(inner http.Handler) http.Handler {
+	mw := func(w http.ResponseWriter, r *http.Request) {
+		// validate the origin header (if present) for protection against CSRF attacks
+		// i don't think putting in more protection against CSRF attacks is needed, considering literally every browser these days support it
+		origin := r.Header.Get("Origin")
+		if origin != "" {
+			split := strings.SplitN(origin, ":", 3)
+			hostSplit := strings.SplitN(common.ConfHost.GetString(), ":", 2)
+
+			if len(split) < 2 || !strings.EqualFold("//"+hostSplit[0], split[1]) {
+				CtxLogger(r.Context()).Error("Mismatched origin: ", hostSplit[0]+" : "+split[1])
+				WriteErrorResponse(w, r, "Bad origin", http.StatusUnauthorized)
+				return
+			}
+		}
+
+		inner.ServeHTTP(w, r)
+	}
+
+	return http.HandlerFunc(mw)
+}
+
 // UserInfoMiddleware fills the context with user information and the guilds it's on guilds if possible
 func UserInfoMiddleware(inner http.Handler) http.Handler {
 	mw := func(w http.ResponseWriter, r *http.Request) {

diff --git a/web/web.go b/web/web.go
@@ -380,6 +380,7 @@ func setupRootMux() {
 	mux.Use(SkipStaticMW(BaseTemplateDataMiddleware))
 	mux.Use(SkipStaticMW(SessionMiddleware))
 	mux.Use(SkipStaticMW(UserInfoMiddleware))
+	mux.Use(SkipStaticMW(CSRFProtectionMW))
 	mux.Use(addPromCountMW)
 
 	// General handlers