octoleo/syncthing
1
0
Fork 0
mirror of https://github.com/octoleo/syncthing.git synced 2024-11-06 05:17:49 +00:00
Code Issues Packages Projects Releases Wiki Activity
c791dba392
syncthing/lib/api/api_csrf.go

174 lines
4.1 KiB
Go
Raw Normal View History

Use more inclusive copyright header
2014-11-16 20:13:20 +00:00
// Copyright (C) 2014 The Syncthing Authors.
Relicense to GPL
2014-09-29 19:43:32 +00:00
//
MPLv2
2015-03-07 20:36:35 +00:00
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this file,
all: Update license url to https (ref #3976)
2017-02-09 06:52:18 +00:00
// You can obtain one at https://mozilla.org/MPL/2.0/.
Copyright cleanup
2014-09-04 06:31:38 +00:00
cmd/syncthing, lib/api: Separate api/gui into own package (ref #4085) (#5529) * cmd/syncthing, lib/gui: Separate gui into own package (ref #4085) * fix tests * Don't use main as interface name (make old go happy) * gui->api * don't leak state via locations and use in-tree config * let api (un-)subscribe to config * interface naming and exporting * lib/ur * fix tests and lib/foldersummary * shorter URVersion and ur debug fix * review * model.JsonCompletion(FolderCompletion) -> FolderCompletion.Map() * rename debug facility https -> api * folder summaries in model * disassociate unrelated constants * fix merge fail * missing id assignement
2019-03-26 19:53:58 +00:00
package api
Implement CSRF protection for REST interface (fixes #287)
2014-06-04 19:20:07 +00:00
import (
"bufio"
"fmt"
"net/http"
"os"
CSRF protection should only cover /rest
2014-07-06 13:00:44 +00:00
"strings"
Implement CSRF protection for REST interface (fixes #287)
2014-06-04 19:20:07 +00:00
mv internal lib
2015-08-06 09:29:25 +00:00
"github.com/syncthing/syncthing/lib/osutil"
lib/rand: Break out random functions into separate package The intention for this package is to provide a combination of the security of crypto/rand and the convenience of math/rand. It should be the first choice of random data unless ultimate performance is required and the usage is provably irrelevant from a security standpoint. GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3186
2016-05-26 07:02:56 +00:00
"github.com/syncthing/syncthing/lib/rand"
mv internal lib
2015-08-06 09:29:25 +00:00
"github.com/syncthing/syncthing/lib/sync"
Implement CSRF protection for REST interface (fixes #287)
2014-06-04 19:20:07 +00:00
)
Don't allow in use CSRF tokens to expire (fixes #1008)
2016-01-03 20:56:19 +00:00
const maxCsrfTokens = 25
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
type csrfManager struct {
// tokens is a list of valid tokens. It is sorted so that the most
// recently used token is first in the list. New tokens are added to the front
// of the list (as it is the most recently used at that time). The list is
// pruned to a maximum of maxCsrfTokens, throwing away the least recently used
// tokens.
tokens []string
tokensMut sync.Mutex
unique string
prefix string
apiKeyValidator apiKeyValidator
next http.Handler
saveLocation string
}
type apiKeyValidator interface {
IsValidAPIKey(key string) bool
}
Implement CSRF protection for REST interface (fixes #287)
2014-06-04 19:20:07 +00:00
// Check for CSRF token on /rest/ URLs. If a correct one is not given, reject
// the request with 403. For / and /index.html, set a new CSRF cookie if none
// is currently set.
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
func newCsrfManager(unique string, prefix string, apiKeyValidator apiKeyValidator, next http.Handler, saveLocation string) *csrfManager {
m := &csrfManager{
tokensMut: sync.NewMutex(),
lib/api: Fix and optimize csrfManager (#8329) An off-by-one error could cause tokens to be forgotten. Suppose tokens := []string{"foo", "bar", "baz", "quux"} i := 2 token := tokens[i] // token == "baz" Then, after copy(tokens[1:], tokens[:i+1]) tokens[0] = token we have tokens == []string{"baz", "foo", "bar", "baz"} The short test actually relied on this bug.
2022-05-07 10:30:13 +00:00
tokens: make([]string, 0, maxCsrfTokens),
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
unique: unique,
prefix: prefix,
apiKeyValidator: apiKeyValidator,
next: next,
saveLocation: saveLocation,
}
m.load()
return m
}
Remove martini, use standard http mux
2014-07-05 19:40:29 +00:00
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
func (m *csrfManager) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// Allow requests carrying a valid API key
if m.apiKeyValidator.IsValidAPIKey(r.Header.Get("X-API-Key")) {
// Set the access-control-allow-origin header for CORS requests
// since a valid API key has been provided
w.Header().Add("Access-Control-Allow-Origin", "*")
m.next.ServeHTTP(w, r)
return
}
cmd/syncthing, lib/config: Enable HTTP CPU/heap profile collection for users This adds a config to enable debug functions on the API server, which is by default disabled. When enabled, the /rest/debug things become available and become available without requiring a CSRF token (although authentication is required if configured). We also add a new endpoint /rest/debug/cpuprof?duration=15s (with the duration being configurable, defaulting to 30s). This runs a CPU profile for the duration and returns it as a file. It sets headers so that a browser will save the file with an informative name. The same is done for heap profiles, /rest/debug/heapprof, which does not take any parameters. The purpose of this is that any user can enable debugging under advanced, then point their browser to the endpoint above and get a file that contains a CPU or heap profile we can use, with the filename telling us what version and architecture the profile is from. On the command line, this becomes curl -O -J http://localhost:8082/rest/debug/cpuprof?duration=5s curl: Saved to filename 'syncthing-cpu-darwin-amd64-v0.14.3+4-g935bcc0-110307.pprof' GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3467
2016-08-02 11:06:45 +00:00
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
if strings.HasPrefix(r.URL.Path, "/rest/debug") {
// Debugging functions are only available when explicitly
// enabled, and can be accessed without a CSRF token
m.next.ServeHTTP(w, r)
return
}
// Allow requests for anything not under the protected path prefix,
// and set a CSRF cookie if there isn't already a valid one.
if !strings.HasPrefix(r.URL.Path, m.prefix) {
cookie, err := r.Cookie("CSRF-Token-" + m.unique)
if err != nil || !m.validToken(cookie.Value) {
l.Debugln("new CSRF cookie in response to request for", r.URL)
cookie = &http.Cookie{
Name: "CSRF-Token-" + m.unique,
Value: m.newToken(),
Remove martini, use standard http mux
2014-07-05 19:40:29 +00:00
}
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
http.SetCookie(w, cookie)
Remove martini, use standard http mux
2014-07-05 19:40:29 +00:00
}
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
m.next.ServeHTTP(w, r)
return
}
API key change should take effect on restart only
2014-06-05 07:16:12 +00:00
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
// Verify the CSRF token
token := r.Header.Get("X-CSRF-Token-" + m.unique)
if !m.validToken(token) {
http.Error(w, "CSRF Error", http.StatusForbidden)
return
}
Remove martini, use standard http mux
2014-07-05 19:40:29 +00:00
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
m.next.ServeHTTP(w, r)
Implement CSRF protection for REST interface (fixes #287)
2014-06-04 19:20:07 +00:00
}
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
func (m *csrfManager) validToken(token string) bool {
m.tokensMut.Lock()
defer m.tokensMut.Unlock()
for i, t := range m.tokens {
Implement CSRF protection for REST interface (fixes #287)
2014-06-04 19:20:07 +00:00
if t == token {
Don't allow in use CSRF tokens to expire (fixes #1008)
2016-01-03 20:56:19 +00:00
if i > 0 {
// Move this token to the head of the list. Copy the tokens at
// the front one step to the right and then replace the token
// at the head.
lib/api: Fix and optimize csrfManager (#8329) An off-by-one error could cause tokens to be forgotten. Suppose tokens := []string{"foo", "bar", "baz", "quux"} i := 2 token := tokens[i] // token == "baz" Then, after copy(tokens[1:], tokens[:i+1]) tokens[0] = token we have tokens == []string{"baz", "foo", "bar", "baz"} The short test actually relied on this bug.
2022-05-07 10:30:13 +00:00
copy(m.tokens[1:], m.tokens[:i])
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
m.tokens[0] = token
Don't allow in use CSRF tokens to expire (fixes #1008)
2016-01-03 20:56:19 +00:00
}
Implement CSRF protection for REST interface (fixes #287)
2014-06-04 19:20:07 +00:00
return true
}
}
return false
}
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
func (m *csrfManager) newToken() string {
lib/rand: Break out random functions into separate package The intention for this package is to provide a combination of the security of crypto/rand and the convenience of math/rand. It should be the first choice of random data unless ultimate performance is required and the usage is provably irrelevant from a security standpoint. GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3186
2016-05-26 07:02:56 +00:00
token := rand.String(32)
Implement CSRF protection for REST interface (fixes #287)
2014-06-04 19:20:07 +00:00
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
m.tokensMut.Lock()
defer m.tokensMut.Unlock()
Implement CSRF protection for REST interface (fixes #287)
2014-06-04 19:20:07 +00:00
lib/api: Fix and optimize csrfManager (#8329) An off-by-one error could cause tokens to be forgotten. Suppose tokens := []string{"foo", "bar", "baz", "quux"} i := 2 token := tokens[i] // token == "baz" Then, after copy(tokens[1:], tokens[:i+1]) tokens[0] = token we have tokens == []string{"baz", "foo", "bar", "baz"} The short test actually relied on this bug.
2022-05-07 10:30:13 +00:00
if len(m.tokens) < maxCsrfTokens {
m.tokens = append(m.tokens, "")
}
copy(m.tokens[1:], m.tokens)
m.tokens[0] = token
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
m.save()
Implement CSRF protection for REST interface (fixes #287)
2014-06-04 19:20:07 +00:00
return token
}
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
func (m *csrfManager) save() {
Add osutil.AtomicWriter This captures the common pattern of writing to a temp file and moving it to it's real name only if everything went well. It reduces the amount of code in some places where we do this, but maybe not as much as I expected because the upgrade thing is still a special snowflake...
2015-07-11 15:03:40 +00:00
// We're ignoring errors in here. It's not super critical and there's
// nothing relevant we can do about them anyway...
Revert "Merge pull request #2053 from calmh/atomicwriter" (fixes #2058) This reverts commit b611f72e0829f60f3410e6f07652794f437d35ad, reversing changes made to a04b005e932244aa12882dfb95443df0c182163f.
2015-07-13 10:44:59 +00:00
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
if m.saveLocation == "" {
return
}
f, err := osutil.CreateAtomic(m.saveLocation)
Implement CSRF protection for REST interface (fixes #287)
2014-06-04 19:20:07 +00:00
if err != nil {
return
}
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
for _, t := range m.tokens {
Add osutil.AtomicWriter This captures the common pattern of writing to a temp file and moving it to it's real name only if everything went well. It reduces the amount of code in some places where we do this, but maybe not as much as I expected because the upgrade thing is still a special snowflake...
2015-07-11 15:03:40 +00:00
fmt.Fprintln(f, t)
Implement CSRF protection for REST interface (fixes #287)
2014-06-04 19:20:07 +00:00
}
Add osutil.AtomicWriter This captures the common pattern of writing to a temp file and moving it to it's real name only if everything went well. It reduces the amount of code in some places where we do this, but maybe not as much as I expected because the upgrade thing is still a special snowflake...
2015-07-11 15:03:40 +00:00
f.Close()
Implement CSRF protection for REST interface (fixes #287)
2014-06-04 19:20:07 +00:00
}
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
func (m *csrfManager) load() {
if m.saveLocation == "" {
return
}
f, err := os.Open(m.saveLocation)
Implement CSRF protection for REST interface (fixes #287)
2014-06-04 19:20:07 +00:00
if err != nil {
return
}
defer f.Close()
s := bufio.NewScanner(f)
for s.Scan() {
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
m.tokens = append(m.tokens, s.Text())
Implement CSRF protection for REST interface (fixes #287)
2014-06-04 19:20:07 +00:00
}
}
Reference in New Issue Copy Permalink