add an auth token to any URL that modifies the system, to avoid CSRF vulnerabilities

2009-01-19 12:32:49 -05:00 · 2009-01-19 12:32:49 -05:00 · 99143b3413
commit 99143b3413
parent 84b0b40615
13 changed files with 76 additions and 16 deletions
--- a/www/kojiweb/buildtargetedit.chtml
+++ b/www/kojiweb/buildtargetedit.chtml
@ -9,6 +9,7 @@
  #end if

  <form action="#if $target then 'buildtargetedit' else 'buildtargetcreate'#">
+    $util.authToken($self, form=True)
    #if $target
    <input type="hidden" name="targetID" value="$target.id"/>
    #end if
--- a/www/kojiweb/buildtargetinfo.chtml
+++ b/www/kojiweb/buildtargetinfo.chtml
@ -19,10 +19,10 @@
    </tr>
    #if 'admin' in $perms
    <tr>
-      <th colspan="2"><a href="buildtargetedit?targetID=$target.id">Edit</a></th>
+      <th colspan="2"><a href="buildtargetedit?targetID=$target.id$util.authToken($self)">Edit</a></th>
    </tr>
    <tr>
-      <th colspan="2"><a href="buildtargetdelete?targetID=$target.id">Delete</a></th>
+      <th colspan="2"><a href="buildtargetdelete?targetID=$target.id$util.authToken($self)">Delete</a></th>
    </tr>
    #end if
  </table>
--- a/www/kojiweb/buildtargets.chtml
+++ b/www/kojiweb/buildtargets.chtml
@ -70,7 +70,7 @@
  
  #if 'admin' in $perms
  <br/>
-  <a href="buildtargetcreate">Create new Build Target</a>
+  <a href="buildtargetcreate$util.authToken($self, first=True)">Create new Build Target</a>
  #end if

 #include "includes/footer.chtml"
--- a/www/kojiweb/hostinfo.chtml
+++ b/www/kojiweb/hostinfo.chtml
@ -27,9 +27,9 @@
        $util.imageTag($enabled)
        #if 'admin' in $perms
        #if $host.enabled
-        <span class="adminLink">(<a href="disablehost?hostID=$host.id">disable</a>)</span>
+        <span class="adminLink">(<a href="disablehost?hostID=$host.id$util.authToken($self)">disable</a>)</span>
        #else
-        <span class="adminLink">(<a href="enablehost?hostID=$host.id">enable</a>)</span>
+        <span class="adminLink">(<a href="enablehost?hostID=$host.id$util.authToken($self)">enable</a>)</span>
        #end if
        #end if
      </td>
--- a/www/kojiweb/index.chtml
+++ b/www/kojiweb/index.chtml
@ -168,8 +168,8 @@
      <td>#if $notif.package then $notif.package.name else 'all'#</td>
      <td>#if $notif.tag then $notif.tag.name else 'all'#</td>
      <td>#if $notif.success_only then 'success only' else 'all'#</td>
-      <td><a href="notificationedit?notificationID=$notif.id">edit</a></td>
-      <td><a href="notificationdelete?notificationID=$notif.id">delete</a></td>
+      <td><a href="notificationedit?notificationID=$notif.id$util.authToken($self)">edit</a></td>
+      <td><a href="notificationdelete?notificationID=$notif.id$util.authToken($self)">delete</a></td>
    </tr>
    #end for
    #if $len($notifs) == 0
@ -180,7 +180,7 @@
  </table>

  <br/>
-  <a href="notificationcreate">Add a Notification</a>
+  <a href="notificationcreate$util.authToken($self, first=True)">Add a Notification</a>
  #end if
    
 #include "includes/footer.chtml"
--- a/www/kojiweb/index.py
+++ b/www/kojiweb/index.py
@ -8,6 +8,7 @@ import Cheetah.Filters
 import Cheetah.Template
 import datetime
 import time
+import md5
 import koji
 import kojiweb.util

@ -49,6 +50,30 @@ def _getUserCookie(req):

    return None

+def _truncTime():
+    now = datetime.datetime.now()
+    # truncate to the nearest 15 minutes
+    return now.replace(minute=(now.minute / 15 * 15), second=0, microsecond=0)
+
+def _genToken(req, tstamp=None):
+    if hasattr(req, 'currentLogin') and req.currentLogin:
+        user = req.currentLogin
+    else:
+        return ''
+    if tstamp == None:
+        tstamp = _truncTime()
+    return md5.new(user + str(tstamp) + req.get_options()['Secret']).hexdigest()[-8:]
+
+def _getValidTokens(req):
+    tokens = []
+    now = _truncTime()
+    for delta in (0, 15, 30):
+        token_time = now - datetime.timedelta(minutes=delta)
+        token = _genToken(req, token_time)
+        if token:
+            tokens.append(token)
+    return tokens
+
 def _krbLogin(req, session, principal):
    options = req.get_options()
    wprinc = options['WebPrincipal']
@ -81,6 +106,19 @@ def _assertLogin(req):
                raise koji.AuthError, 'could not login using principal: %s' % req.currentLogin
        else:
            raise koji.AuthError, 'KojiWeb is incorrectly configured for authentication, contact the system administrator'
+
+        # verify a valid authToken was passed in to avoid CSRF
+        authToken = req.form.get('a', '')
+        validTokens = _getValidTokens(req)
+        if authToken and authToken in validTokens:
+            # we have a token and it's valid
+            pass
+        else:
+            # their authToken is likely expired
+            # send them back to the page that brought them here so they
+            # can re-click the link with a valid authToken
+            _redirectBack(req, page=None, forceSSL=(_getBaseURL(req).startswith('https://')))
+            assert False
    else:
        mod_python.util.redirect(req, 'login')
        assert False
@ -117,7 +155,8 @@ def _genHTML(req, fileName):
        req._values['currentUser'] = req.currentUser
    else:
        req._values['currentUser'] = None
-        
+    req._values['authToken'] = _genToken(req)
+
    tmpl_class = TEMPLATES.get(fileName)
    if not tmpl_class:
        tmpl_class = Cheetah.Template.Template.compile(file=fileName)
--- a/www/kojiweb/notificationedit.chtml
+++ b/www/kojiweb/notificationedit.chtml
@ -9,6 +9,7 @@
  #end if

  <form action="#if $notif then 'notificationedit' else 'notificationcreate'#">
+    $util.authToken($self, form=True)
    #if $notif
    <input type="hidden" name="notificationID" value="$notif.id"/>
    #end if
--- a/www/kojiweb/tagedit.chtml
+++ b/www/kojiweb/tagedit.chtml
@ -9,6 +9,7 @@
  #end if

  <form action="#if $tag then 'tagedit' else 'tagcreate'#">
+    $util.authToken($self, form=True)
    <table>
      <tr>
        <th>Name</th>
--- a/www/kojiweb/taginfo.chtml
+++ b/www/kojiweb/taginfo.chtml
@ -7,7 +7,7 @@
  <table>
    #if $child and 'admin' in $perms
    <tr>
-      <th colspan="2"><a href="tagparent?tagID=$child.id&parentID=$tag.id&action=add">Add $tag.name as parent of $child.name</a></th>
+      <th colspan="2"><a href="tagparent?tagID=$child.id&parentID=$tag.id&action=add$util.authToken($self)">Add $tag.name as parent of $child.name</a></th>
    </tr>
    #end if
    <tr>
@ -54,7 +54,7 @@
              <span class="treeLabel">
                <a href="taginfo?tagID=$parent.parent_id">$parent.name</a>
                #if $depth == 1 and 'admin' in $perms
-                <span class="treeLink">(<a href="tagparent?tagID=$tag.id&parentID=$parent.parent_id&action=edit">edit</a>) (<a href="tagparent?tagID=$tag.id&parentID=$parent.parent_id&action=remove">remove</a>)</span>
+                <span class="treeLink">(<a href="tagparent?tagID=$tag.id&parentID=$parent.parent_id&action=edit$util.authToken($self)">edit</a>) (<a href="tagparent?tagID=$tag.id&parentID=$parent.parent_id&action=remove$util.authToken($self)">remove</a>)</span>
                #end if
              </span>
            </span>
@ -125,10 +125,10 @@
    </tr>
    #if 'admin' in $perms
    <tr>
-      <td colspan="2"><a href="tagedit?tagID=$tag.id">Edit tag</a></td>
+      <td colspan="2"><a href="tagedit?tagID=$tag.id$util.authToken($self)">Edit tag</a></td>
    </tr>
    <tr>
-      <td colspan="2"><a href="tagdelete?tagID=$tag.id">Delete tag</a></td>
+      <td colspan="2"><a href="tagdelete?tagID=$tag.id$util.authToken($self)">Delete tag</a></td>
    </tr>
    #end if
  </table>
--- a/www/kojiweb/tagparent.chtml
+++ b/www/kojiweb/tagparent.chtml
@ -9,6 +9,7 @@
  #end if

  <form action="tagparent">
+    $util.authToken($self, form=True)
    <input type="hidden" name="action" value="#if $inheritanceData then 'edit' else 'add'#"/>
    <table>
      <tr>
--- a/www/kojiweb/tags.chtml
+++ b/www/kojiweb/tags.chtml
@ -70,7 +70,7 @@

  #if 'admin' in $perms
  <br/>
-  <a href="tagcreate">Create new Tag</a>
+  <a href="tagcreate$util.authToken($self, first=True)">Create new Tag</a>
  #end if

 #include "includes/footer.chtml"
--- a/www/kojiweb/taskinfo.chtml
+++ b/www/kojiweb/taskinfo.chtml
@ -171,9 +171,9 @@
      <td class="task$state">$state
      #if $currentUser and ('admin' in $perms or $task.owner == $currentUser.id)
      #if $task.state in ($koji.TASK_STATES.FREE, $koji.TASK_STATES.OPEN, $koji.TASK_STATES.ASSIGNED)
-      <span class="adminLink">(<a href="canceltask?taskID=$task.id">cancel</a>)</span>
+      <span class="adminLink">(<a href="canceltask?taskID=$task.id$util.authToken($self)">cancel</a>)</span>
      #elif $task.state in ($koji.TASK_STATES.CANCELED, $koji.TASK_STATES.FAILED) and (not $parent)
-      <span class="adminLink">(<a href="resubmittask?taskID=$task.id">resubmit</a>)</span>
+      <span class="adminLink">(<a href="resubmittask?taskID=$task.id$util.authToken($self)">resubmit</a>)</span>
      #end if
      #end if
      </td>
--- a/www/lib/kojiweb/util.py
+++ b/www/lib/kojiweb/util.py
@ -316,6 +316,23 @@ def escapeHTML(value):
           replace('<', '&lt;').\
           replace('>', '&gt;')

+def authToken(template, first=False, form=False):
+    """Return the current authToken if it exists.
+    If form is True, return it enclosed in a hidden input field.
+    Otherwise, return it in a format suitable for appending to a URL.
+    If first is True, prefix it with ?, otherwise prefix it
+    with &.  If no authToken exists, return an empty string."""
+    token = template.getVar('authToken', default=None)
+    if token != None:
+        if form:
+            return '<input type="hidden" name="a" value="%s"/>' % token
+        if first:
+            return '?a=' + token
+        else:
+            return '&a=' + token
+    else:
+        return ''
+
 def explainError(error):
    """Explain an exception in user-consumable terms