iarv/znc
1
0
Fork 0
mirror of https://github.com/znc/znc.git synced 2026-03-28 17:42:41 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1327 from lol768/module_csrf_override

Browse Source 
Module CSRF override support (mark II)

Close #1180
Close #1296
This commit is contained in:
Alexey Sokolov
2016-10-08 23:31:06 +01:00
committed by GitHub
parent 222ae86fcc d40d87e268
commit 39646b620d
9 changed files with 136 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
include/znc/HTTPSock.h
View File

@@ -83,6 +83,7 @@ class CHTTPSock : public CSocket {
const CString& GetPass() const;
const CString& GetParamString() const;
const CString& GetContentType() const;
const CString& GetURI() const;
const CString& GetURIPrefix() const;
bool IsPost() const;
// !Getters

6
include/znc/Modules.h
View File

@@ -477,6 +477,12 @@ class CModule {
*/
virtual bool OnWebRequest(CWebSock& WebSock, const CString& sPageName,
CTemplate& Tmpl);
/** If ValidateWebRequestCSRFCheck returned false, a CSRF error will be printed.
* @param WebSock The active request.
* @param sPageName The name of the page that has been requested.
* @return You MUST return true if the CSRF token is valid.
*/
virtual bool ValidateWebRequestCSRFCheck(CWebSock& WebSock, const CString& sPageName);
/** Registers a sub page for the sidebar.
* @param spSubPage The SubPage instance.
*/

4
include/znc/WebModules.h
View File

@@ -178,6 +178,9 @@ class CWebSock : public CHTTPSock {
static void FinishUserSessions(const CUser& User);
CString GetCSRFCheck();
bool ValidateCSRFCheck(const CString& sURI);
protected:
using CHTTPSock::PrintErrorPage;
@@ -186,7 +189,6 @@ class CWebSock : public CHTTPSock {
VCString GetDirs(CModule* pModule, bool bIsTemplate);
void SetPaths(CModule* pModule, bool bIsTemplate = false);
void SetVars();
CString GetCSRFCheck();
private:
EPageReqResult OnPageRequestInternal(const CString& sURI,

21
modules/data/samplewebapi/tmpl/index.tmpl Normal file
View File

@@ -0,0 +1,21 @@
<? INC Header.tmpl ?>
<form method="post" action="<? VAR URIPrefix TOP ?><? VAR ModPath ?>">
<div class="section">
<h3>Sample Web API</h3>
<div class="sectionbg">
<div class="sectionbody">
<div class="subsection full">
<div class="inputlabel">Text:</div>
<textarea name="text" cols="70" rows="5" class="monospace"></textarea>
<br /><span class="info">Sample text that will be returned plain on submit/API request.</span>
</div>
<div class="subsection submitline">
<input type="submit" name="submit" value="Submit" />
</div>
</div>
</div>
</div>
</form>
<? INC Footer.tmpl ?>

59
modules/samplewebapi.cpp Normal file
View File

@@ -0,0 +1,59 @@
/*
* Copyright (C) 2004-2016 ZNC, see the NOTICE file for details.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <znc/IRCNetwork.h>
class CSampleWebAPIMod : public CModule {
public:
MODCONSTRUCTOR(CSampleWebAPIMod) {}
~CSampleWebAPIMod() override {}
bool OnWebRequest(CWebSock& WebSock, const CString& sPageName,
CTemplate& Tmpl) override {
if (sPageName != "index") {
// only accept requests to index
return false;
}
if (WebSock.IsPost()) {
// print the text we just recieved
CString text = WebSock.GetRawParam("text", true);
WebSock.PrintHeader(text.length(), "text/plain; charset=UTF-8");
WebSock.Write(text);
WebSock.Close(Csock::CLT_AFTERWRITE);
return false;
}
return true;
}
bool WebRequiresLogin() {
return false;
}
bool ValidateWebRequestCSRFCheck(CWebSock& WebSock,
const CString& sPageName) override {
return true;
}
};
template <>
void TModInfo<CSampleWebAPIMod>(CModInfo& Info) {
Info.SetWikiPage("samplewebapi");
}
GLOBALMODULEDEFS(CSampleWebAPIMod, "Sample Web API module.")

2
src/HTTPSock.cpp
View File

@@ -536,6 +536,8 @@ const CString& CHTTPSock::GetContentType() const { return m_sContentType; }
const CString& CHTTPSock::GetParamString() const { return m_sPostData; }
const CString& CHTTPSock::GetURI() const { return m_sURI; }
const CString& CHTTPSock::GetURIPrefix() const { return m_sURIPrefix; }
bool CHTTPSock::HasParam(const CString& sName, bool bPost) const {

4
src/Modules.cpp
View File

@@ -594,6 +594,10 @@ bool CModule::OnWebRequest(CWebSock& WebSock, const CString& sPageName,
CTemplate& Tmpl) {
return false;
}
bool CModule::ValidateWebRequestCSRFCheck(CWebSock& WebSock,
const CString& sPageName) {
return WebSock.ValidateCSRFCheck(WebSock.GetURI());
}
bool CModule::OnEmbeddedWebRequest(CWebSock& WebSock, const CString& sPageName,
CTemplate& Tmpl) {
return false;

26
src/WebModules.cpp
View File

@@ -647,16 +647,17 @@ CWebSock::EPageReqResult CWebSock::OnPageRequestInternal(const CString& sURI,
return PAGE_DONE;
}
// Check that they really POSTed from one our forms by checking if they
// For pages *not provided* by modules, a CSRF check is performed which involves:
// Ensure that they really POSTed from one our forms by checking if they
// know the "secret" CSRF check value. Don't do this for login since
// CSRF against the login form makes no sense and the login form does a
// cookies-enabled check which would break otherwise.
// Don't do this, if user authenticated using http-basic auth, because:
// 1. they obviously know the password,
// 2. it's easier to automate some tasks e.g. user creation, without need to
// care about cookies and csrf
if (IsPost() && !m_bBasicAuth &&
GetParam("_CSRF_Check") != GetCSRFCheck() && sURI != "/login") {
// care about cookies and CSRF
if (IsPost() && !m_bBasicAuth && !sURI.StartsWith("/mods/") &&
!ValidateCSRFCheck(sURI)) {
DEBUG("Expected _CSRF_Check: " << GetCSRFCheck());
DEBUG("Actual _CSRF_Check: " << GetParam("_CSRF_Check"));
PrintErrorPage(
@@ -803,6 +804,19 @@ CWebSock::EPageReqResult CWebSock::OnPageRequestInternal(const CString& sURI,
if (!pModule) return PAGE_NOTFOUND;
// Pass CSRF check to module.
// Note that the normal CSRF checks are not applied to /mods/ URLs.
if (IsPost() && !m_bBasicAuth &&
!pModule->ValidateWebRequestCSRFCheck(*this, m_sPage)) {
DEBUG("Expected _CSRF_Check: " << GetCSRFCheck());
DEBUG("Actual _CSRF_Check: " << GetParam("_CSRF_Check"));
PrintErrorPage(
403, "Access denied",
"POST requests need to send "
"a secret token to prevent cross-site request forgery attacks.");
return PAGE_DONE;
}
m_Template["ModPath"] = pModule->GetWebPath();
m_Template["ModFilesPath"] = pModule->GetWebFilesPath();
@@ -969,6 +983,10 @@ CString CWebSock::GetCSRFCheck() {
return pSession->GetId().MD5();
}
bool CWebSock::ValidateCSRFCheck(const CString& sURI) {
return sURI == "/login" || GetParam("_CSRF_Check") == GetCSRFCheck();
}
bool CWebSock::OnLogin(const CString& sUser, const CString& sPass,
bool bBasic) {
DEBUG("=================== CWebSock::OnLogin(), basic auth? "

18
test/integration/main.cpp
View File

@@ -1965,4 +1965,22 @@ TEST_F(ZNCTest, KeepNickModule) {
":Unable to obtain nick user: Nope :-P, #error");
}
TEST_F(ZNCTest, ModuleCSRFOverride) {
auto znc = Run();
Z;
auto ircd = ConnectIRCd();
Z;
auto client = LoginClient();
Z;
client.Write("znc loadmod samplewebapi");
client.ReadUntil("Loaded module");
Z;
auto request = QNetworkRequest(QUrl("http://127.0.0.1:12345/mods/global/samplewebapi/"));
auto reply = HttpPost(request, {
{"text", "ipsum"}
})->readAll().toStdString();
Z;
EXPECT_THAT(reply, HasSubstr("ipsum"));
}
} // namespace