CSRF and various enhancements

2020-05-10 03:20:13 +12:00 · 2020-05-10 03:20:13 +12:00 · 47cc40bc5a
parent 270a662c75
commit 47cc40bc5a
10 changed files with 95 additions and 26 deletions
--- a/package-lock.json
+++ b/package-lock.json
@ -2738,8 +2738,8 @@
      "integrity": "sha512-q0M/9eZHzmr0AulXyPwNfZjtwZ/RBZlbN3K3CErVrk50T2ASYI7Bye0EvekFY3IP1Nt2DHu0re+V2ZHIpMkuWg=="
    },
    "pinski": {
-      "version": "github:cloudrac3r/pinski#61809e18606265ec47813f3bdab80928c70ae203",
-      "from": "github:cloudrac3r/pinski#61809e18606265ec47813f3bdab80928c70ae203",
+      "version": "github:cloudrac3r/pinski#059bfb3c07f36b7e175bce52e4715646b6acfebd",
+      "from": "github:cloudrac3r/pinski#059bfb3c07f36b7e175bce52e4715646b6acfebd",
      "requires": {
        "mime": "^2.4.4",
        "pug": "^2.0.3",
--- a/package.json
+++ b/package.json
@ -19,7 +19,7 @@
    "mixin-deep": "^2.0.1",
    "node-dir": "^0.1.17",
    "node-fetch": "^2.6.0",
-    "pinski": "github:cloudrac3r/pinski#61809e18606265ec47813f3bdab80928c70ae203",
+    "pinski": "github:cloudrac3r/pinski#059bfb3c07f36b7e175bce52e4715646b6acfebd",
    "pug": "^2.0.4",
    "semver": "^7.2.1",
    "sharp": "^0.25.2",
--- a/src/lib/constants.js
+++ b/src/lib/constants.js
@ -166,6 +166,7 @@ let constants = {
 		instance_list_cache_time: 3*60*1000,
 		updater_cache_time: 2*60*1000,
 		cache_sweep_interval: 3*60*1000,
+		csrf_time: 60*60*1000,
 		self_blocked_status: {
 			enabled: true,
 			time: 2*60*60*1000,
@ -232,7 +233,7 @@ let constants = {

 	additional_routes: [],

-	database_version: 6
+	database_version: 7
 }

 // Override values from config and export the result
--- a/src/lib/utils/upgradedb.js
+++ b/src/lib/utils/upgradedb.js
@ -85,6 +85,15 @@ const deltas = new Map([
 			db.prepare("ALTER TABLE UserSettings ADD COLUMN rewrite_twitter TEXT NOT NULL DEFAULT ''")
 				.run()
 		})()
+	}],
+	// version 6 to version 7
+	[7, function() {
+		db.transaction(() => {
+			db.prepare("DROP TABLE IF EXISTS CSRFTokens")
+				.run()
+			db.prepare("CREATE TABLE CSRFTokens (token TEXT NOT NULL, expires INTEGER NOT NULL, PRIMARY KEY (token))")
+				.run()
+		})()
 	}]
 ])

--- a/src/site/api/settings.js
+++ b/src/site/api/settings.js
@ -1,6 +1,6 @@
 const constants = require("../../lib/constants")
 const {render, redirect} = require("pinski/plugins")
-const {getSettings} = require("./utils/getsettings")
+const {getSettings, getToken, generateCSRF, checkCSRF} = require("./utils/getsettings")
 const crypto = require("crypto")
 const db = require("../../lib/db")

@ -9,13 +9,22 @@ module.exports = [
 		route: "/settings", methods: ["GET"], code: async ({req, url}) => {
 			const settings = getSettings(req)
 			// console.log(settings)
-			const saved = url.searchParams.has("saved")
-			return render(200, "pug/settings.pug", {saved, constants, settings})
+			const csrf = generateCSRF()
+			const message = url.searchParams.get("message")
+			const status = url.searchParams.get("status")
+			return render(200, "pug/settings.pug", {constants, settings, csrf, status, message})
 		}
 	},
 	{
-		route: "/settings", methods: ["POST"], upload: true, code: async ({body}) => {
+		route: "/settings", methods: ["POST"], upload: true, code: async ({req, body}) => {
+			const oldToken = getToken(req)
 			const params = new URLSearchParams(body.toString())
+			if (!checkCSRF(params.get("csrf"))) {
+				const returnParams = new URLSearchParams()
+				returnParams.append("status", "fail")
+				returnParams.append("message", "Form timed out or reused.\n(Invalid or missing CSRF token.)")
+				return redirect("/settings?" + returnParams.toString(), 303)
+			}
 			const prepared = {}
 			for (const setting of constants.user_settings) {
 				let valueOrDefault
@ -42,14 +51,15 @@ module.exports = [
 			prepared.created = Date.now()
 			const fields = constants.user_settings.map(s => s.name)
 			db.prepare(`INSERT INTO UserSettings (token, created, ${fields.join(", ")}) VALUES (@token, @created, ${fields.map(f => "@"+f).join(", ")})`).run(prepared)
+			db.prepare("DELETE FROM UserSettings WHERE token = ?").run(oldToken)
 			const expires = new Date(Date.now() + 4000*24*60*60*1000).toUTCString()
 			return {
 				statusCode: 303,
 				headers: {
-					"Location": "/settings?saved=1",
-					"Set-Cookie": `settings=${prepared.token}; Path=/; Expires=${expires}; SameSite=Strict`
+					"Location": "/settings?status=success&message=Saved.",
+					"Set-Cookie": `settings=${prepared.token}; Path=/; Expires=${expires}; SameSite=Lax`
 				},
-				contentType: "text/html",
+				contentType: "text/html; charset=UTF-8",
 				content: "Redirecting..."
 			}
 		}
--- a/src/site/api/utils/getsettings.js
+++ b/src/site/api/utils/getsettings.js
@ -1,3 +1,4 @@
+const crypto = require("crypto")
 const {parse} = require("cookie")

 const constants = require("../../../lib/constants")
@ -19,14 +20,49 @@ function addDefaults(input = {}) {
 	return result
 }

-function getSettings(req) {
-	if (!req.headers.cookie) return addDefaults()
+function getToken(req) {
+	if (!req.headers.cookie) return null
 	const cookie = parse(req.headers.cookie)
-	const settings = cookie.settings
-	if (!settings) return addDefaults()
-	const row = db.prepare("SELECT * FROM UserSettings WHERE token = ?").get(settings)
-	if (!row) return addDefaults()
-	return addDefaults(row)
+	const token = cookie.settings
+	if (token) return token
+	else return null
 }

+function getSettings(req) {
+	const token = getToken(req)
+	if (token) {
+		const row = db.prepare("SELECT * FROM UserSettings WHERE token = ?").get(token)
+		if (row) {
+			return addDefaults(row)
+		}
+	}
+	return addDefaults()
+}
+
+function generateCSRF() {
+	const token = crypto.randomBytes(16).toString("hex")
+	const expires = Date.now() + constants.caching.csrf_time
+	db.prepare("INSERT INTO CSRFTokens (token, expires) VALUES (?, ?)").run(token, expires)
+	return token
+}
+
+function checkCSRF(token) {
+	const row = db.prepare("SELECT * FROM CSRFTokens WHERE token = ? AND expires > ?").get(token, Date.now())
+	if (row) {
+		db.prepare("DELETE FROM CSRFTokens WHERE token = ?").run(token)
+		return true
+	} else {
+		return false
+	}
+}
+
+function cleanCSRF() {
+	db.prepare("DELETE FROM CSRFTokens WHERE expires <= ?").run(Date.now())
+}
+cleanCSRF()
+setInterval(cleanCSRF, constants.caching.csrf_time)
+
+module.exports.getToken = getToken
 module.exports.getSettings = getSettings
+module.exports.generateCSRF = generateCSRF
+module.exports.checkCSRF = checkCSRF
--- a/src/site/pug/home.pug
+++ b/src/site/pug/home.pug
@ -9,6 +9,7 @@ html
 		header
 			h1.banner
 				img.banner-image(src="/static/img/banner-min.svg" alt="Bibliogram")
+
 		.go-sections-container
 			.go-sections
 				section
@ -21,6 +22,7 @@ html
 					form(method="get" action="/p").pair-entry
 						input(type="text" name="p" placeholder="Shortcode or URL").text
 						input(type="submit" value="Go").button
+
 		.about-container
 			section.about
 				h2 About Bibliogram
@ -31,23 +33,25 @@ html
 				p.
 					Bibliogram does #[em not] allow you to anonymously post, like, comment, follow, or view private profiles.
 					It does not preserve deleted posts.
+
 				h2 About this instance
 				ul
+					li: a(href="/settings") Settings
 					if hasPrivacyPolicy
 						li: a(href="/privacy") Privacy policy
 					else
 						li Owner has not written a privacy policy
 					li Instance is #{allUnblocked ? "not blocked" : "blocked"}
 					li RSS feeds are #{rssEnabled ? "enabled" : "disabled"}
-					li Tor is #{torAvailable ? "enabled" : "not available"}
+
 				h2 External links
-				ul.link-list
+				ul
 					-
 						const links = [
 							["https://github.com/cloudrac3r/bibliogram", "GitHub repository"],
 							["https://riot.im/app/#/room/#bibliogram:matrix.org", "Discussion room on Matrix"],
 							["https://github.com/cloudrac3r/bibliogram/wiki/Instances", "Other Bibliogram instances"],
-							["https://github.com/cloudrac3r/bibliogram/projects/1?fullscreen=true", "Project board"],
+							["https://github.com/cloudrac3r/bibliogram/projects/1?fullscreen=true", "Project roadmap"],
 							["https://cadence.moe/about/contact", "Contact the developer"]
 						]
 					each entry in links
--- a/src/site/pug/settings.pug
+++ b/src/site/pug/settings.pug
@ -1,4 +1,4 @@
-//- Needs saved, settings
+//- Needs constants, settings, csrf, status, message

 mixin fieldset(name)
 	fieldset
@ -31,12 +31,14 @@ html
 		title Settings | Bibliogram
 		include includes/head
 	body.settings-page
-		if saved
-			.status-notice Saved.
+		if status && message
+			.status-notice(class=status)= message
 			script.
 				history.replaceState(null, "", "/settings")
 		main.settings
 			form(action="/settings" method="post" enctype="application/x-www-form-urlencoded")
+				input(type="hidden" name="csrf" value=csrf)
+
 				h1 Settings

 				+fieldset("Features")
--- a/src/site/sass/includes/_main.sass
+++ b/src/site/sass/includes/_main.sass
@ -668,10 +668,16 @@ body
 	.status-notice
 		padding: 15px
 		font-size: 24px
-		line-height: 1
+		line-height: 1.36
 		text-align: center
-		background-color: map-get($theme, "background-banner-success")
 		color: map-get($theme, "foreground-banner")
+		white-space: pre-line
+
+		&.success
+			background-color: map-get($theme, "background-banner-success")
+
+		&.fail
+			background-color: map-get($theme, "background-banner-fail")

 	.action-container
 		margin-top: 20px
--- a/src/site/sass/themes/_classic.scss
+++ b/src/site/sass/themes/_classic.scss
@ -22,6 +22,7 @@ $theme: (
 	"background-primary-quote": #ccc,
 	"background-error-page": #191919,
 	"background-alert": #282828,
+	"background-banner-fail": #5f1111,
 	"background-banner-success": #0b420b,
 	"foreground-primary": #111,
 	"foreground-header": #000,