9193f3eebc
Bumps the go-deps group with 11 updates in the / directory: | Package | From | To | | --- | --- | --- | | [cloud.google.com/go/compute](https://github.com/googleapis/google-cloud-go) | `1.25.1` | `1.26.0` | | [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go) | `1.5.1` | `1.5.2` | | [github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5](https://github.com/Azure/azure-sdk-for-go) | `5.5.0` | `5.7.0` | | [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) | `1.51.25` | `1.52.0` | | [github.com/getsentry/sentry-go](https://github.com/getsentry/sentry-go) | `0.26.0` | `0.27.0` | | [github.com/gophercloud/gophercloud](https://github.com/gophercloud/gophercloud) | `1.10.0` | `1.11.0` | | [github.com/jackc/pgtype](https://github.com/jackc/pgtype) | `1.14.1` | `1.14.3` | | [github.com/labstack/echo/v4](https://github.com/labstack/echo) | `4.11.4` | `4.12.0` | | [github.com/openshift-online/ocm-sdk-go](https://github.com/openshift-online/ocm-sdk-go) | `0.1.398` | `0.1.418` | | [github.com/osbuild/images](https://github.com/osbuild/images) | `0.56.0` | `0.58.0` | | [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) | `1.18.0` | `1.19.0` | Updates `cloud.google.com/go/compute` from 1.25.1 to 1.26.0 - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.25.1...pubsub/v1.26.0) Updates `github.com/Azure/azure-sdk-for-go/sdk/azidentity` from 1.5.1 to 1.5.2 - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases) - [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md) - [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/internal/v1.5.1...sdk/internal/v1.5.2) Updates `github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5` from 5.5.0 to 5.7.0 - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases) - [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md) - [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/resourcemanager/compute/armcompute/v5.5.0...sdk/resourcemanager/compute/armcompute/v5.7.0) Updates `github.com/aws/aws-sdk-go` from 1.51.25 to 1.52.0 - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Commits](https://github.com/aws/aws-sdk-go/compare/v1.51.25...v1.52.0) Updates `github.com/getsentry/sentry-go` from 0.26.0 to 0.27.0 - [Release notes](https://github.com/getsentry/sentry-go/releases) - [Changelog](https://github.com/getsentry/sentry-go/blob/master/CHANGELOG.md) - [Commits](https://github.com/getsentry/sentry-go/compare/v0.26.0...v0.27.0) Updates `github.com/gophercloud/gophercloud` from 1.10.0 to 1.11.0 - [Release notes](https://github.com/gophercloud/gophercloud/releases) - [Changelog](https://github.com/gophercloud/gophercloud/blob/v1.11.0/CHANGELOG.md) - [Commits](https://github.com/gophercloud/gophercloud/compare/v1.10.0...v1.11.0) Updates `github.com/jackc/pgtype` from 1.14.1 to 1.14.3 - [Changelog](https://github.com/jackc/pgtype/blob/master/CHANGELOG.md) - [Commits](https://github.com/jackc/pgtype/compare/v1.14.1...v1.14.3) Updates `github.com/jackc/pgx/v4` from 4.18.1 to 4.18.2 - [Changelog](https://github.com/jackc/pgx/blob/v4.18.2/CHANGELOG.md) - [Commits](https://github.com/jackc/pgx/compare/v4.18.1...v4.18.2) Updates `github.com/labstack/echo/v4` from 4.11.4 to 4.12.0 - [Release notes](https://github.com/labstack/echo/releases) - [Changelog](https://github.com/labstack/echo/blob/master/CHANGELOG.md) - [Commits](https://github.com/labstack/echo/compare/v4.11.4...v4.12.0) Updates `github.com/openshift-online/ocm-sdk-go` from 0.1.398 to 0.1.418 - [Release notes](https://github.com/openshift-online/ocm-sdk-go/releases) - [Changelog](https://github.com/openshift-online/ocm-sdk-go/blob/main/CHANGES.md) - [Commits](https://github.com/openshift-online/ocm-sdk-go/compare/v0.1.398...v0.1.418) Updates `github.com/osbuild/images` from 0.56.0 to 0.58.0 - [Release notes](https://github.com/osbuild/images/releases) - [Commits](https://github.com/osbuild/images/compare/v0.56.0...v0.58.0) Updates `github.com/prometheus/client_golang` from 1.18.0 to 1.19.0 - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](https://github.com/prometheus/client_golang/compare/v1.18.0...v1.19.0) Updates `golang.org/x/sync` from 0.6.0 to 0.7.0 - [Commits](https://github.com/golang/sync/compare/v0.6.0...v0.7.0) Updates `google.golang.org/api` from 0.175.0 to 0.177.0 - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.175.0...v0.177.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/compute dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azidentity dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-deps - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: github.com/getsentry/sentry-go dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: github.com/gophercloud/gophercloud dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: github.com/jackc/pgtype dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-deps - dependency-name: github.com/jackc/pgx/v4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-deps - dependency-name: github.com/labstack/echo/v4 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: github.com/openshift-online/ocm-sdk-go dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-deps - dependency-name: github.com/osbuild/images dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: golang.org/x/sync dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps ... Signed-off-by: dependabot[bot] <support@github.com>
218 lines
6.4 KiB
Go
218 lines
6.4 KiB
Go
// SPDX-License-Identifier: MIT
|
|
// SPDX-FileCopyrightText: © 2015 LabStack LLC and Echo contributors
|
|
|
|
package middleware
|
|
|
|
import (
|
|
"crypto/subtle"
|
|
"net/http"
|
|
"time"
|
|
|
|
"github.com/labstack/echo/v4"
|
|
)
|
|
|
|
// CSRFConfig defines the config for CSRF middleware.
|
|
type CSRFConfig struct {
|
|
// Skipper defines a function to skip middleware.
|
|
Skipper Skipper
|
|
|
|
// TokenLength is the length of the generated token.
|
|
TokenLength uint8 `yaml:"token_length"`
|
|
// Optional. Default value 32.
|
|
|
|
// TokenLookup is a string in the form of "<source>:<name>" or "<source>:<name>,<source>:<name>" that is used
|
|
// to extract token from the request.
|
|
// Optional. Default value "header:X-CSRF-Token".
|
|
// Possible values:
|
|
// - "header:<name>" or "header:<name>:<cut-prefix>"
|
|
// - "query:<name>"
|
|
// - "form:<name>"
|
|
// Multiple sources example:
|
|
// - "header:X-CSRF-Token,query:csrf"
|
|
TokenLookup string `yaml:"token_lookup"`
|
|
|
|
// Context key to store generated CSRF token into context.
|
|
// Optional. Default value "csrf".
|
|
ContextKey string `yaml:"context_key"`
|
|
|
|
// Name of the CSRF cookie. This cookie will store CSRF token.
|
|
// Optional. Default value "csrf".
|
|
CookieName string `yaml:"cookie_name"`
|
|
|
|
// Domain of the CSRF cookie.
|
|
// Optional. Default value none.
|
|
CookieDomain string `yaml:"cookie_domain"`
|
|
|
|
// Path of the CSRF cookie.
|
|
// Optional. Default value none.
|
|
CookiePath string `yaml:"cookie_path"`
|
|
|
|
// Max age (in seconds) of the CSRF cookie.
|
|
// Optional. Default value 86400 (24hr).
|
|
CookieMaxAge int `yaml:"cookie_max_age"`
|
|
|
|
// Indicates if CSRF cookie is secure.
|
|
// Optional. Default value false.
|
|
CookieSecure bool `yaml:"cookie_secure"`
|
|
|
|
// Indicates if CSRF cookie is HTTP only.
|
|
// Optional. Default value false.
|
|
CookieHTTPOnly bool `yaml:"cookie_http_only"`
|
|
|
|
// Indicates SameSite mode of the CSRF cookie.
|
|
// Optional. Default value SameSiteDefaultMode.
|
|
CookieSameSite http.SameSite `yaml:"cookie_same_site"`
|
|
|
|
// ErrorHandler defines a function which is executed for returning custom errors.
|
|
ErrorHandler CSRFErrorHandler
|
|
}
|
|
|
|
// CSRFErrorHandler is a function which is executed for creating custom errors.
|
|
type CSRFErrorHandler func(err error, c echo.Context) error
|
|
|
|
// ErrCSRFInvalid is returned when CSRF check fails
|
|
var ErrCSRFInvalid = echo.NewHTTPError(http.StatusForbidden, "invalid csrf token")
|
|
|
|
// DefaultCSRFConfig is the default CSRF middleware config.
|
|
var DefaultCSRFConfig = CSRFConfig{
|
|
Skipper: DefaultSkipper,
|
|
TokenLength: 32,
|
|
TokenLookup: "header:" + echo.HeaderXCSRFToken,
|
|
ContextKey: "csrf",
|
|
CookieName: "_csrf",
|
|
CookieMaxAge: 86400,
|
|
CookieSameSite: http.SameSiteDefaultMode,
|
|
}
|
|
|
|
// CSRF returns a Cross-Site Request Forgery (CSRF) middleware.
|
|
// See: https://en.wikipedia.org/wiki/Cross-site_request_forgery
|
|
func CSRF() echo.MiddlewareFunc {
|
|
c := DefaultCSRFConfig
|
|
return CSRFWithConfig(c)
|
|
}
|
|
|
|
// CSRFWithConfig returns a CSRF middleware with config.
|
|
// See `CSRF()`.
|
|
func CSRFWithConfig(config CSRFConfig) echo.MiddlewareFunc {
|
|
// Defaults
|
|
if config.Skipper == nil {
|
|
config.Skipper = DefaultCSRFConfig.Skipper
|
|
}
|
|
if config.TokenLength == 0 {
|
|
config.TokenLength = DefaultCSRFConfig.TokenLength
|
|
}
|
|
|
|
if config.TokenLookup == "" {
|
|
config.TokenLookup = DefaultCSRFConfig.TokenLookup
|
|
}
|
|
if config.ContextKey == "" {
|
|
config.ContextKey = DefaultCSRFConfig.ContextKey
|
|
}
|
|
if config.CookieName == "" {
|
|
config.CookieName = DefaultCSRFConfig.CookieName
|
|
}
|
|
if config.CookieMaxAge == 0 {
|
|
config.CookieMaxAge = DefaultCSRFConfig.CookieMaxAge
|
|
}
|
|
if config.CookieSameSite == http.SameSiteNoneMode {
|
|
config.CookieSecure = true
|
|
}
|
|
|
|
extractors, cErr := CreateExtractors(config.TokenLookup)
|
|
if cErr != nil {
|
|
panic(cErr)
|
|
}
|
|
|
|
return func(next echo.HandlerFunc) echo.HandlerFunc {
|
|
return func(c echo.Context) error {
|
|
if config.Skipper(c) {
|
|
return next(c)
|
|
}
|
|
|
|
token := ""
|
|
if k, err := c.Cookie(config.CookieName); err != nil {
|
|
token = randomString(config.TokenLength)
|
|
} else {
|
|
token = k.Value // Reuse token
|
|
}
|
|
|
|
switch c.Request().Method {
|
|
case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
|
|
default:
|
|
// Validate token only for requests which are not defined as 'safe' by RFC7231
|
|
var lastExtractorErr error
|
|
var lastTokenErr error
|
|
outer:
|
|
for _, extractor := range extractors {
|
|
clientTokens, err := extractor(c)
|
|
if err != nil {
|
|
lastExtractorErr = err
|
|
continue
|
|
}
|
|
|
|
for _, clientToken := range clientTokens {
|
|
if validateCSRFToken(token, clientToken) {
|
|
lastTokenErr = nil
|
|
lastExtractorErr = nil
|
|
break outer
|
|
}
|
|
lastTokenErr = ErrCSRFInvalid
|
|
}
|
|
}
|
|
var finalErr error
|
|
if lastTokenErr != nil {
|
|
finalErr = lastTokenErr
|
|
} else if lastExtractorErr != nil {
|
|
// ugly part to preserve backwards compatible errors. someone could rely on them
|
|
if lastExtractorErr == errQueryExtractorValueMissing {
|
|
lastExtractorErr = echo.NewHTTPError(http.StatusBadRequest, "missing csrf token in the query string")
|
|
} else if lastExtractorErr == errFormExtractorValueMissing {
|
|
lastExtractorErr = echo.NewHTTPError(http.StatusBadRequest, "missing csrf token in the form parameter")
|
|
} else if lastExtractorErr == errHeaderExtractorValueMissing {
|
|
lastExtractorErr = echo.NewHTTPError(http.StatusBadRequest, "missing csrf token in request header")
|
|
} else {
|
|
lastExtractorErr = echo.NewHTTPError(http.StatusBadRequest, lastExtractorErr.Error())
|
|
}
|
|
finalErr = lastExtractorErr
|
|
}
|
|
|
|
if finalErr != nil {
|
|
if config.ErrorHandler != nil {
|
|
return config.ErrorHandler(finalErr, c)
|
|
}
|
|
return finalErr
|
|
}
|
|
}
|
|
|
|
// Set CSRF cookie
|
|
cookie := new(http.Cookie)
|
|
cookie.Name = config.CookieName
|
|
cookie.Value = token
|
|
if config.CookiePath != "" {
|
|
cookie.Path = config.CookiePath
|
|
}
|
|
if config.CookieDomain != "" {
|
|
cookie.Domain = config.CookieDomain
|
|
}
|
|
if config.CookieSameSite != http.SameSiteDefaultMode {
|
|
cookie.SameSite = config.CookieSameSite
|
|
}
|
|
cookie.Expires = time.Now().Add(time.Duration(config.CookieMaxAge) * time.Second)
|
|
cookie.Secure = config.CookieSecure
|
|
cookie.HttpOnly = config.CookieHTTPOnly
|
|
c.SetCookie(cookie)
|
|
|
|
// Store token in the context
|
|
c.Set(config.ContextKey, token)
|
|
|
|
// Protect clients from caching the response
|
|
c.Response().Header().Add(echo.HeaderVary, echo.HeaderCookie)
|
|
|
|
return next(c)
|
|
}
|
|
}
|
|
}
|
|
|
|
func validateCSRFToken(token, clientToken string) bool {
|
|
return subtle.ConstantTimeCompare([]byte(token), []byte(clientToken)) == 1
|
|
}
|