Add CSRF support to chromad.

cmd/chromad/main.go

@@ -9,6 +9,8 @@ import (
 
 	rice "github.com/GeertJohan/go.rice"
 	"github.com/alecthomas/kong"
+	"github.com/alecthomas/kong-hcl"
+	"github.com/gorilla/csrf"
 	"github.com/gorilla/mux"
 
 	"github.com/alecthomas/chroma"
@@ -24,10 +26,6 @@ var (
 	htmlTemplate = template.Must(template.New("html").Parse(templateFiles.MustString("index.html.tmpl")))
 )
 
-var cli struct {
-	Bind string `help:"HTTP bind address." default:"127.0.0.1:8080"`
-}
-
 type context struct {
 	Background       template.CSS
 	SelectedLanguage string
@@ -37,6 +35,7 @@ type context struct {
 	Text             string
 	HTML             template.HTML
 	Error            string
+	CSRFField        template.HTML
 }
 
 func handler(w http.ResponseWriter, r *http.Request) {
@@ -84,6 +83,7 @@ func contextFromRequest(r *http.Request) context {
 		SelectedLanguage: r.Form.Get("language"),
 		SelectedStyle:    r.Form.Get("style"),
 		Text:             r.Form.Get("text"),
+		CSRFField:        csrf.TemplateField(r),
 	}
 	if err != nil {
 		ctx.Error = err.Error()
@@ -104,13 +104,25 @@ func contextFromRequest(r *http.Request) context {
 }
 
 func main() {
-	ctx := kong.Parse(&cli)
+	var cli struct {
+		Config  kong.ConfigFlag `help:"Load configuration." placeholder:"FILE"`
+		Bind    string          `help:"HTTP bind address." default:"127.0.0.1:8080"`
+		CSRFKey string          `help:"CSRF key." default:""`
+	}
+	ctx := kong.Parse(&cli, kong.Configuration(konghcl.Loader))
+
 	log.Println("Starting")
 
 	router := mux.NewRouter()
 	router.Handle("/", http.HandlerFunc(handler))
 	router.Handle("/static/{file:.*}", http.StripPrefix("/static/", http.FileServer(staticFiles.HTTPBox())))
 
-	err := http.ListenAndServe(cli.Bind, router)
+	options := []csrf.Option{}
+	if cli.CSRFKey == "" {
+		options = append(options, csrf.Secure(false))
+	}
+	CSRF := csrf.Protect([]byte(cli.CSRFKey), options...)
+
+	err := http.ListenAndServe(cli.Bind, CSRF(router))
 	ctx.FatalIfErrorf(err)
 }

cmd/chromad/templates/index.html.tmpl

@@ -25,6 +25,7 @@
   <h1 class="title">Chroma Playground</h1>
 
   <form id="chroma" method="post">
+    {{ .CSRFField }}
     <div class="columns">
       <div class="column field">
         <label class="label">Language</label>

go.mod

@@ -5,9 +5,11 @@ require (
 	github.com/alecthomas/assert v0.0.0-20170929043011-405dbfeb8e38
 	github.com/alecthomas/colour v0.0.0-20160524082231-60882d9e2721 // indirect
 	github.com/alecthomas/kong v0.1.15
+	github.com/alecthomas/kong-hcl v0.1.7
 	github.com/alecthomas/repr v0.0.0-20180818092828-117648cd9897 // indirect
 	github.com/danwakefield/fnmatch v0.0.0-20160403171240-cbb64ac3d964
 	github.com/dlclark/regexp2 v1.1.6
+	github.com/gorilla/csrf v1.6.0
 	github.com/gorilla/mux v1.7.3
 	github.com/mattn/go-colorable v0.0.9
 	github.com/mattn/go-isatty v0.0.4

go.sum

@@ -6,8 +6,11 @@ github.com/alecthomas/assert v0.0.0-20170929043011-405dbfeb8e38 h1:smF2tmSOzy2Mm
 github.com/alecthomas/assert v0.0.0-20170929043011-405dbfeb8e38/go.mod h1:r7bzyVFMNntcxPZXK3/+KdruV1H5KSlyVY0gc+NgInI=
 github.com/alecthomas/colour v0.0.0-20160524082231-60882d9e2721 h1:JHZL0hZKJ1VENNfmXvHbgYlbUOvpzYzvy2aZU5gXVeo=
 github.com/alecthomas/colour v0.0.0-20160524082231-60882d9e2721/go.mod h1:QO9JBoKquHd+jz9nshCh40fOfO+JzsoXy8qTHF68zU0=
+github.com/alecthomas/kong v0.1.13/go.mod h1:0m2VYms8rH0qbCqVB2gvGHk74bqLIq0HXjCs5bNbNQU=
 github.com/alecthomas/kong v0.1.15 h1:IWBg+KrLvoHBicD50OzMI8fKjrtAa1okMR9g38HVM/s=
 github.com/alecthomas/kong v0.1.15/go.mod h1:0m2VYms8rH0qbCqVB2gvGHk74bqLIq0HXjCs5bNbNQU=
+github.com/alecthomas/kong-hcl v0.1.7 h1:BhqAe2mE/cBq7Plnb218eTonsp4KcXf0BZCu3bO3qxg=
+github.com/alecthomas/kong-hcl v0.1.7/go.mod h1:+diJg0tzfMUY/5uDo0dlb7uThhVpWr59PuYkdtRJbms=
 github.com/alecthomas/repr v0.0.0-20180818092828-117648cd9897 h1:p9Sln00KOTlrYkxI1zYWl1QLnEqAqEARBEYa8FQnQcY=
 github.com/alecthomas/repr v0.0.0-20180818092828-117648cd9897/go.mod h1:xTS7Pm1pD1mvyM075QCDSRqH6qRLXylzS24ZTpRiSzQ=
 github.com/daaku/go.zipexe v1.0.0 h1:VSOgZtH418pH9L16hC/JrgSNJbbAL26pj7lmD1+CGdY=
@@ -19,14 +22,22 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dlclark/regexp2 v1.1.6 h1:CqB4MjHw0MFCDj+PHHjiESmHX+N7t0tJzKvC6M97BRg=
 github.com/dlclark/regexp2 v1.1.6/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
+github.com/gorilla/csrf v1.6.0 h1:60oN1cFdncCE8tjwQ3QEkFND5k37lQPcRjnlvm7CIJ0=
+github.com/gorilla/csrf v1.6.0/go.mod h1:7tSf8kmjNYr7IWDCYhd3U8Ck34iQ/Yw5CJu7bAkHEGI=
 github.com/gorilla/mux v1.7.3 h1:gnP5JzjVOuiZD07fKKToCAOjS0yOpj/qPETTXCCS6hw=
 github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
+github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
+github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/mattn/go-colorable v0.0.9 h1:UVL0vNpWh04HeJXV0KLcaT7r06gOH2l4OW6ddYRUIY4=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-isatty v0.0.4 h1:bnP0vzxcAdeI1zdubAl5PjU6zsERjGZb7raWodagDYs=
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/nkovacs/streamquote v0.0.0-20170412213628-49af9bddb229/go.mod h1:0aYXnNPJ8l7uZxf45rWW1a/uME32OF0rhiYGNQ2oF2E=
+github.com/pkg/errors v0.8.0 h1:WdK/asTD0HN+q6hsWO3/vpuAkAr+tw6aNJNDFFf0+qw=
+github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=