diff --git a/cmd/chromad/main.go b/cmd/chromad/main.go
index 4eaa457..d7ad545 100644
--- a/cmd/chromad/main.go
+++ b/cmd/chromad/main.go
@@ -9,6 +9,8 @@ import (
 	rice "github.com/GeertJohan/go.rice"
 	"github.com/alecthomas/kong"
+	"github.com/alecthomas/kong-hcl"
+	"github.com/gorilla/csrf"
 	"github.com/gorilla/mux"
 	"github.com/alecthomas/chroma"
@@ -24,10 +26,6 @@ var (
 	htmlTemplate = template.Must(template.New("html").Parse(templateFiles.MustString("index.html.tmpl")))
 )
-var cli struct {
-	Bind string `help:"HTTP bind address." default:"127.0.0.1:8080"`
-}
-
 type context struct {
 	Background template.CSS
 	SelectedLanguage string
@@ -37,6 +35,7 @@ type context struct {
 	Text string
 	HTML template.HTML
 	Error string
+	CSRFField template.HTML
 }
 func handler(w http.ResponseWriter, r *http.Request) {
@@ -84,6 +83,7 @@ func contextFromRequest(r *http.Request) context {
 		SelectedLanguage: r.Form.Get("language"),
 		SelectedStyle: r.Form.Get("style"),
 		Text: r.Form.Get("text"),
+		CSRFField: csrf.TemplateField(r),
 	}
 	if err != nil {
 		ctx.Error = err.Error()
@@ -104,13 +104,25 @@ func contextFromRequest(r *http.Request) context {
 }
 func main() {
-	ctx := kong.Parse(&cli)
+	var cli struct {
+		Config kong.ConfigFlag `help:"Load configuration." placeholder:"FILE"`
+		Bind string `help:"HTTP bind address." default:"127.0.0.1:8080"`
+		CSRFKey string `help:"CSRF key." default:""`
+	}
+	ctx := kong.Parse(&cli, kong.Configuration(konghcl.Loader))
+
 	log.Println("Starting")
 	router := mux.NewRouter()
 	router.Handle("/", http.HandlerFunc(handler))
 	router.Handle("/static/{file:.*}", http.StripPrefix("/static/", http.FileServer(staticFiles.HTTPBox())))
-	err := http.ListenAndServe(cli.Bind, router)
+	options := []csrf.Option{}
+	if cli.CSRFKey == "" {
+		options = append(options, csrf.Secure(false))
+	}
+	CSRF := csrf.Protect([]byte(cli.CSRFKey), options...)
+
+	err := http.ListenAndServe(cli.Bind, CSRF(router))
 	ctx.FatalIfErrorf(err)
 }
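Review bot: The default empty `--csrf-key` is passed straight through as `csrf.Protect([]byte(cli.CSRFKey), options...)` in the `main` hunk, so when no key is configured the cookie and form token are signed with a zero-length key that anyone can reproduce — as far as I can tell gorilla's securecookie only rejects a nil key, not an empty one — and the middleware is present but forgeable, with `csrf.Secure(false)` the only visible consequence of the missing key. Since the key is already loadable from an HCL file via `kong.Configuration(konghcl.Loader)`, I would fail closed when it is absent, or at least mint a random 32-byte per-process key with a loud log line while keeping `Secure(false)` as the explicit dev-mode signal. Passing the secret on the command line also leaves it readable in the process list, so the config-file route is the one to document on the flag's help text, e.g. `help:"CSRF signing key (32 random bytes; prefer setting it in the config file)."`. The change below needs `crypto/rand` added to the import hunk.
```go
	key := []byte(cli.CSRFKey)
	if len(key) == 0 {
		// Dev mode: no key configured, so sign with a random per-process key
		// rather than an empty HMAC key; tokens will not survive a restart.
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			ctx.FatalIfErrorf(err)
		}
		log.Println("WARNING: --csrf-key not set; using a random per-process key and non-Secure cookies")
	}
	options := []csrf.Option{}
	if cli.CSRFKey == "" {
		options = append(options, csrf.Secure(false))
	}
	CSRF := csrf.Protect(key, options...)
	// … unchanged: ListenAndServe …
```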
diff --git a/cmd/chromad/templates/index.html.tmpl b/cmd/chromad/templates/index.html.tmpl
index d9ca4bd..fa864ab 100644
--- a/cmd/chromad/templates/index.html.tmpl
+++ b/cmd/chromad/templates/index.html.tmpl
@@ -25,6 +25,7 @@

Chroma Playground

+ {{ .CSRFField }}
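Review bot: The hidden token field only protects the request if it is rendered inside the `<form>` whose POST the middleware validates, and the form's opening tag is outside this hunk, so the placement cannot be confirmed from here. `.CSRFField` is typed `template.HTML`, so the `<input type="hidden" …>` produced by `csrf.TemplateField` is emitted unescaped, which is the intended use; a one-line template comment would stop a later edit from moving it, e.g. `{{/* gorilla/csrf token; must stay inside the form that POSTs to / */}}`.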
diff --git a/go.mod b/go.mod index 1314ec9..fa79135 100644 --- a/go.mod +++ b/go.mod @@ -5,9 +5,11 @@ require ( github.com/alecthomas/assert v0.0.0-20170929043011-405dbfeb8e38 github.com/alecthomas/colour v0.0.0-20160524082231-60882d9e2721 // indirect github.com/alecthomas/kong v0.1.15 + github.com/alecthomas/kong-hcl v0.1.7 github.com/alecthomas/repr v0.0.0-20180818092828-117648cd9897 // indirect github.com/danwakefield/fnmatch v0.0.0-20160403171240-cbb64ac3d964 github.com/dlclark/regexp2 v1.1.6 + github.com/gorilla/csrf v1.6.0 github.com/gorilla/mux v1.7.3 github.com/mattn/go-colorable v0.0.9 github.com/mattn/go-isatty v0.0.4 diff --git a/go.sum b/go.sum index 2a5384b..55ac2cf 100644 --- a/go.sum +++ b/go.sum @@ -6,8 +6,11 @@ github.com/alecthomas/assert v0.0.0-20170929043011-405dbfeb8e38 h1:smF2tmSOzy2Mm github.com/alecthomas/assert v0.0.0-20170929043011-405dbfeb8e38/go.mod h1:r7bzyVFMNntcxPZXK3/+KdruV1H5KSlyVY0gc+NgInI= github.com/alecthomas/colour v0.0.0-20160524082231-60882d9e2721 h1:JHZL0hZKJ1VENNfmXvHbgYlbUOvpzYzvy2aZU5gXVeo= github.com/alecthomas/colour v0.0.0-20160524082231-60882d9e2721/go.mod h1:QO9JBoKquHd+jz9nshCh40fOfO+JzsoXy8qTHF68zU0= +github.com/alecthomas/kong v0.1.13/go.mod h1:0m2VYms8rH0qbCqVB2gvGHk74bqLIq0HXjCs5bNbNQU= github.com/alecthomas/kong v0.1.15 h1:IWBg+KrLvoHBicD50OzMI8fKjrtAa1okMR9g38HVM/s= github.com/alecthomas/kong v0.1.15/go.mod h1:0m2VYms8rH0qbCqVB2gvGHk74bqLIq0HXjCs5bNbNQU= +github.com/alecthomas/kong-hcl v0.1.7 h1:BhqAe2mE/cBq7Plnb218eTonsp4KcXf0BZCu3bO3qxg= +github.com/alecthomas/kong-hcl v0.1.7/go.mod h1:+diJg0tzfMUY/5uDo0dlb7uThhVpWr59PuYkdtRJbms= github.com/alecthomas/repr v0.0.0-20180818092828-117648cd9897 h1:p9Sln00KOTlrYkxI1zYWl1QLnEqAqEARBEYa8FQnQcY= github.com/alecthomas/repr v0.0.0-20180818092828-117648cd9897/go.mod h1:xTS7Pm1pD1mvyM075QCDSRqH6qRLXylzS24ZTpRiSzQ= github.com/daaku/go.zipexe v1.0.0 h1:VSOgZtH418pH9L16hC/JrgSNJbbAL26pj7lmD1+CGdY= 
@@ -19,14 +22,22 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dlclark/regexp2 v1.1.6 h1:CqB4MjHw0MFCDj+PHHjiESmHX+N7t0tJzKvC6M97BRg= github.com/dlclark/regexp2 v1.1.6/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc= +github.com/gorilla/csrf v1.6.0 h1:60oN1cFdncCE8tjwQ3QEkFND5k37lQPcRjnlvm7CIJ0= +github.com/gorilla/csrf v1.6.0/go.mod h1:7tSf8kmjNYr7IWDCYhd3U8Ck34iQ/Yw5CJu7bAkHEGI= github.com/gorilla/mux v1.7.3 h1:gnP5JzjVOuiZD07fKKToCAOjS0yOpj/qPETTXCCS6hw= github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ= +github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/mattn/go-colorable v0.0.9 h1:UVL0vNpWh04HeJXV0KLcaT7r06gOH2l4OW6ddYRUIY4= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-isatty v0.0.4 h1:bnP0vzxcAdeI1zdubAl5PjU6zsERjGZb7raWodagDYs= github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/nkovacs/streamquote v0.0.0-20170412213628-49af9bddb229/go.mod h1:0aYXnNPJ8l7uZxf45rWW1a/uME32OF0rhiYGNQ2oF2E= +github.com/pkg/errors v0.8.0 h1:WdK/asTD0HN+q6hsWO3/vpuAkAr+tw6aNJNDFFf0+qw= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sergi/go-diff v1.0.0 
h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=