luisgulo/focalboard
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add X-Requested-With header check for CSRF

Browse Source
This commit is contained in:
Chen-I Lim 2021-02-02 16:54:15 -08:00
parent 26f73135bc
commit 0e8174b020
2 changed files with 49 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
server/api/api.go
View File

@ -18,6 +18,11 @@ import (
"github.com/mattermost/focalboard/server/utils" "github.com/mattermost/focalboard/server/utils"
) )
const (
HEADER_REQUESTED_WITH = "X-Requested-With"
HEADER_REQUESTED_WITH_XML = "XMLHttpRequest"
)
// ---------------------------------------------------------------------------------------------------- // ----------------------------------------------------------------------------------------------------
// REST APIs // REST APIs
@ -35,35 +40,61 @@ func (a *API) app() *app.App {
} }
func (a *API) RegisterRoutes(r *mux.Router) { func (a *API) RegisterRoutes(r *mux.Router) {
r.HandleFunc("/api/v1/blocks", a.sessionRequired(a.handleGetBlocks)).Methods("GET") a.addHandler(r, "/api/v1/blocks", "GET", a.sessionRequired(a.handleGetBlocks))
r.HandleFunc("/api/v1/blocks", a.sessionRequired(a.handlePostBlocks)).Methods("POST") a.addHandler(r, "/api/v1/blocks", "POST", a.sessionRequired(a.handlePostBlocks))
r.HandleFunc("/api/v1/blocks/{blockID}", a.sessionRequired(a.handleDeleteBlock)).Methods("DELETE") a.addHandler(r, "/api/v1/blocks/{blockID}", "DELETE", a.sessionRequired(a.handleDeleteBlock))
r.HandleFunc("/api/v1/blocks/{blockID}/subtree", a.attachSession(a.handleGetSubTree, false)).Methods("GET") a.addHandler(r, "/api/v1/blocks/{blockID}/subtree", "GET", a.attachSession(a.handleGetSubTree, false))
r.HandleFunc("/api/v1/users/me", a.sessionRequired(a.handleGetMe)).Methods("GET") a.addHandler(r, "/api/v1/users/me", "GET", a.sessionRequired(a.handleGetMe))
r.HandleFunc("/api/v1/users/{userID}", a.sessionRequired(a.handleGetUser)).Methods("GET") a.addHandler(r, "/api/v1/users/{userID}", "GET", a.sessionRequired(a.handleGetUser))
r.HandleFunc("/api/v1/users/{userID}/changepassword", a.sessionRequired(a.handleChangePassword)).Methods("POST") a.addHandler(r, "/api/v1/users/{userID}/changepassword", "POST", a.sessionRequired(a.handleChangePassword))
r.HandleFunc("/api/v1/login", a.handleLogin).Methods("POST") a.addHandler(r, "/api/v1/login", "POST", a.sessionRequired(a.handleLogin))
r.HandleFunc("/api/v1/register", a.handleRegister).Methods("POST") a.addHandler(r, "/api/v1/register", "POST", a.sessionRequired(a.handleRegister))
r.HandleFunc("/api/v1/files", a.sessionRequired(a.handleUploadFile)).Methods("POST") a.addHandler(r, "api/v1/files", "POST", a.sessionRequired(a.handleUploadFile))
r.HandleFunc("/files/{filename}", a.sessionRequired(a.handleServeFile)).Methods("GET") a.addHandler(r, "/files/{filename}", "GET", a.sessionRequired(a.handleServeFile))
r.HandleFunc("/api/v1/blocks/export", a.sessionRequired(a.handleExport)).Methods("GET") a.addHandler(r, "/api/v1/blocks/export", "GET", a.sessionRequired(a.handleExport))
r.HandleFunc("/api/v1/blocks/import", a.sessionRequired(a.handleImport)).Methods("POST") a.addHandler(r, "/api/v1/blocks/import", "POST", a.sessionRequired(a.handleImport))
r.HandleFunc("/api/v1/sharing/{rootID}", a.sessionRequired(a.handlePostSharing)).Methods("POST") a.addHandler(r, "/api/v1/sharing/{rootID}", "POST", a.sessionRequired(a.handlePostSharing))
r.HandleFunc("/api/v1/sharing/{rootID}", a.handleGetSharing).Methods("GET") a.addHandler(r, "/api/v1/sharing/{rootID}", "GET", a.sessionRequired(a.handleGetSharing))
r.HandleFunc("/api/v1/workspace", a.sessionRequired(a.handleGetWorkspace)).Methods("GET") a.addHandler(r, "/api/v1/workspace", "GET", a.sessionRequired(a.handleGetWorkspace))
r.HandleFunc("/api/v1/workspace/regenerate_signup_token", a.sessionRequired(a.handlePostWorkspaceRegenerateSignupToken)).Methods("POST") a.addHandler(r, "/api/v1/workspace/regenerate_signup_token", "POST", a.sessionRequired(a.handlePostWorkspaceRegenerateSignupToken))
} }
func (a *API) RegisterAdminRoutes(r *mux.Router) { func (a *API) RegisterAdminRoutes(r *mux.Router) {
r.HandleFunc("/api/v1/admin/users/{username}/password", a.adminRequired(a.handleAdminSetPassword)).Methods("POST") r.HandleFunc("/api/v1/admin/users/{username}/password", a.adminRequired(a.handleAdminSetPassword)).Methods("POST")
} }
func (a *API) addHandler(r *mux.Router, path string, method string, f func(http.ResponseWriter, *http.Request)) {
r.HandleFunc(path, a.preHandle(f)).Methods(method)
}
func (a *API) preHandle(handler func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) {
return func(w http.ResponseWriter, r *http.Request) {
if !a.checkCSRFToken(r) {
log.Println("checkCSRFToken FAILED")
errorResponse(w, http.StatusBadRequest, nil, nil)
return
}
handler(w, r)
}
}
func (a *API) checkCSRFToken(r *http.Request) bool {
token := r.Header.Get(HEADER_REQUESTED_WITH)
if token == HEADER_REQUESTED_WITH_XML {
return true
}
return false
}
func (a *API) handleGetBlocks(w http.ResponseWriter, r *http.Request) { func (a *API) handleGetBlocks(w http.ResponseWriter, r *http.Request) {
query := r.URL.Query() query := r.URL.Query()
parentID := query.Get("parent_id") parentID := query.Get("parent_id")

1
webapp/src/octoClient.ts
View File

@ -87,6 +87,7 @@ class OctoClient {
Accept: 'application/json', Accept: 'application/json',
'Content-Type': 'application/json', 'Content-Type': 'application/json',
Authorization: this.token ? 'Bearer ' + this.token : '', Authorization: this.token ? 'Bearer ' + this.token : '',
'X-Requested-With': 'XMLHttpRequest',
} }
} }