From: Nathan Yergler Date: Mon, 5 Sep 2011 01:15:52 +0000 (-0700) Subject: Issue 361 Initial implementation of CSRF protection middleware X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=f1226c98c44119261b6e1a5652d32e49eb912a53;p=mediagoblin.git Issue 361 Initial implementation of CSRF protection middleware --- diff --git a/mediagoblin/config_spec.ini b/mediagoblin/config_spec.ini index a0fbde09..8018b243 100644 --- a/mediagoblin/config_spec.ini +++ b/mediagoblin/config_spec.ini @@ -41,6 +41,9 @@ celery_setup_elsewhere = boolean(default=False) # source files for a media file but can also be a HUGE security risk. allow_attachments = boolean(default=False) +# Cookie stuff +secret_key = string(default="Something Super Duper Secrit!") +csrf_cookie_name = string(default='mediagoblin_nonce') [storage:publicstore] base_dir = string(default="%(here)s/user_dev/media/public") diff --git a/mediagoblin/middleware/__init__.py b/mediagoblin/middleware/__init__.py index 586debbf..05325ee5 100644 --- a/mediagoblin/middleware/__init__.py +++ b/mediagoblin/middleware/__init__.py @@ -16,4 +16,5 @@ ENABLED_MIDDLEWARE = ( 'mediagoblin.middleware.noop:NoOpMiddleware', + 'mediagoblin.middleware.csrf:CsrfMiddleware', ) diff --git a/mediagoblin/middleware/csrf.py b/mediagoblin/middleware/csrf.py new file mode 100644 index 00000000..a372d0b5 --- /dev/null +++ b/mediagoblin/middleware/csrf.py @@ -0,0 +1,131 @@ +# GNU MediaGoblin -- federated, autonomous media hosting +# Copyright (C) 2011 MediaGoblin contributors. See AUTHORS. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +import hashlib +import random + +from webob.exc import HTTPForbidden +from wtforms import Form, HiddenField, validators + +from mediagoblin import mg_globals + +# Use the system (hardware-based) random number generator if it exists. +# -- this optimization is lifted from Django +if hasattr(random, 'SystemRandom'): + randrange = random.SystemRandom().randrange +else: + randrange = random.randrange + + +class CsrfForm(Form): + """Simple form to handle rendering a CSRF token and confirming it + is included in the POST.""" + + csrf_token = HiddenField("", + [validators.Required()]) + +def render_csrf_form_token(request): + """Render the CSRF token in a format suitable for inclusion in a + form.""" + + form = CsrfForm(csrf_token = request.environ['CSRF_TOKEN']) + + return form.csrf_token + +class CsrfMiddleware(object): + """CSRF Protection Middleware + + Adds a CSRF Cookie to responses and verifies that it is present + and matches the form token for non-safe requests. + """ + + MAX_CSRF_KEY = 2 << 63 + SAFE_HTTP_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE") + + def __init__(self, mg_app): + self.app = mg_app + + def process_request(self, request): + """For non-safe requests, confirm that the tokens are present + and match. + """ + + # get the token from the cookie + try: + request.environ['CSRF_TOKEN'] = \ + request.cookies[mg_globals.app_config['csrf_cookie_name']] + + except KeyError, e: + # if it doesn't exist, make a new one + request.environ['CSRF_TOKEN'] = self._make_token(request) + + # if this is a non-"safe" request (ie, one that could have + # side effects), confirm that the CSRF tokens are present and + # valid + if request.method not in self.SAFE_HTTP_METHODS: + return self.verify_tokens(request) + + def process_response(self, request, response): + """Add the CSRF cookie to the response if needed and set Vary + headers. + """ + + # set the CSRF cookie + response.set_cookie( + mg_globals.app_config['csrf_cookie_name'], + request.environ['CSRF_TOKEN'], + max_age=60*60*24*7*52, path='/', + domain=mg_globals.app_config.get('csrf_cookie_domain', None), + secure=(request.scheme.lower() == 'https'), + httponly=True) + + # update the Vary header + response.vary = (response.vary or []) + ['Cookie'] + + def _make_token(self, request): + """Generate a new token to use for CSRF protection.""" + + return hashlib.md5("%s%s" % + (randrange(0, self.MAX_CSRF_KEY), + mg_globals.app_config['secret_key']) + ).hexdigest() + + def verify_tokens(self, request): + """Verify that the CSRF Cookie exists and that it matches the + form value.""" + + # confirm the cookie token was presented + cookie_token = request.cookies.get( + mg_globals.app_config['csrf_cookie_name'], + None) + + if cookie_token is None: + # the CSRF cookie must be present in the request + return HTTPForbidden() + + # get the form token and confirm it matches + form = CsrfForm(request.POST) + if form.validate(): + form_token = form.csrf_token.data + + if form_token == cookie_token: + # all's well that ends well + return + + # either the tokens didn't match or the form token wasn't + # present; either way, the request is denied + return HTTPForbidden() + diff --git a/mediagoblin/util.py b/mediagoblin/util.py index e391b8b0..bc72f8df 100644 --- a/mediagoblin/util.py +++ b/mediagoblin/util.py @@ -39,6 +39,7 @@ from wtforms.form import Form from mediagoblin import mg_globals from mediagoblin import messages from mediagoblin.db.util import ObjectId +from mediagoblin.middleware.csrf import render_csrf_form_token from itertools import izip, count @@ -125,6 +126,8 @@ def render_template(request, template_path, context): template = request.template_env.get_template( template_path) context['request'] = request + context['csrf_token'] = render_csrf_form_token(request) + rendered = template.render(context) if TESTS_ENABLED: