self-hosted/joplin
1
0
Fork 0
mirror of https://github.com/laurent22/joplin.git synced 2025-01-11 18:24:43 +02:00
Code Issues Releases Activity

Server: Added form tokens to prevent CSRF attacks

Browse Source
This commit is contained in:
Laurent Cozic 2021-07-24 17:45:30 +01:00
parent b7e9848428
commit 19b45de298
8 changed files with 82 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
packages/server/src/app.ts
View File

@ -135,7 +135,19 @@ async function main() {
await next(); await next();
} catch (error) { } catch (error) {
ctx.status = error.httpCode || 500; ctx.status = error.httpCode || 500;
ctx.body = JSON.stringify({ error: error.message });
// Since this is a low level error, rendering a view might fail too,
// so catch this and default to rendering JSON.
try {
ctx.body = await ctx.joplin.services.mustache.renderView({
name: 'error',
title: 'Error',
path: 'index/error',
content: { error },
});
} catch (anotherError) {
ctx.body = { error: anotherError.message };
}
} }
}); });

4
packages/server/src/routes/index/upgrade.ts
View File

@ -10,6 +10,7 @@ import { bodyFields } from '../../utils/requestUtils';
import { NotificationKey } from '../../models/NotificationModel'; import { NotificationKey } from '../../models/NotificationModel';
import { AccountType } from '../../models/UserModel'; import { AccountType } from '../../models/UserModel';
import { ErrorBadRequest } from '../../utils/errors'; import { ErrorBadRequest } from '../../utils/errors';
import { createCsrfTag } from '../../utils/csrf';
interface FormFields { interface FormFields {
upgrade_button: string; upgrade_button: string;
@ -21,7 +22,7 @@ function upgradeUrl() {
return `${config().baseUrl}/upgrade`; return `${config().baseUrl}/upgrade`;
} }
router.get('upgrade', async (_path: SubPath, _ctx: AppContext) => { router.get('upgrade', async (_path: SubPath, ctx: AppContext) => {
interface PlanRow { interface PlanRow {
basicLabel: string; basicLabel: string;
proLabel: string; proLabel: string;
@ -51,6 +52,7 @@ router.get('upgrade', async (_path: SubPath, _ctx: AppContext) => {
basicPrice: plans.basic.price, basicPrice: plans.basic.price,
proPrice: plans.pro.price, proPrice: plans.pro.price,
postUrl: upgradeUrl(), postUrl: upgradeUrl(),
csrfTag: await createCsrfTag(ctx),
}; };
view.cssFiles = ['index/upgrade']; view.cssFiles = ['index/upgrade'];
return view; return view;

2
packages/server/src/routes/index/users.ts
View File

@ -17,6 +17,7 @@ import { getCanShareFolder, totalSizeClass } from '../../models/utils/user';
import { yesNoDefaultOptions } from '../../utils/views/select'; import { yesNoDefaultOptions } from '../../utils/views/select';
import { confirmUrl } from '../../utils/urlUtils'; import { confirmUrl } from '../../utils/urlUtils';
import { cancelSubscription, updateSubscriptionType } from '../../utils/stripe'; import { cancelSubscription, updateSubscriptionType } from '../../utils/stripe';
import { createCsrfTag } from '../../utils/csrf';
export interface CheckRepeatPasswordInput { export interface CheckRepeatPasswordInput {
password: string; password: string;
@ -146,6 +147,7 @@ router.get('users/:id', async (path: SubPath, ctx: AppContext, user: User = null
view.content.error = error; view.content.error = error;
view.content.postUrl = postUrl; view.content.postUrl = postUrl;
view.content.showDisableButton = !isNew && !!owner.is_admin && owner.id !== user.id && user.enabled; view.content.showDisableButton = !isNew && !!owner.is_admin && owner.id !== user.id && user.enabled;
view.content.csrfTag = await createCsrfTag(ctx);
if (subscription) { if (subscription) {
view.content.subscription = subscription; view.content.subscription = subscription;

37
packages/server/src/utils/csrf.ts Normal file
View File

@ -0,0 +1,37 @@
import { ErrorForbidden } from './errors';
import { escapeHtml } from './htmlUtils';
import { bodyFields, isApiRequest } from './requestUtils';
import { AppContext } from './types';
interface BodyWithCsrfToken {
_csrf: string;
}
export async function csrfCheck(ctx: AppContext, isPublicRoute: boolean) {
if (isApiRequest(ctx)) return;
if (isPublicRoute) return;
if (!['POST', 'PUT'].includes(ctx.method)) return;
if (ctx.path === '/logout') return;
const userId = ctx.joplin.owner ? ctx.joplin.owner.id : '';
if (!userId) return;
const fields = await bodyFields<BodyWithCsrfToken>(ctx.req);
if (!fields._csrf) throw new ErrorForbidden('CSRF token is missing');
if (!(await ctx.joplin.models.token().isValid(userId, fields._csrf))) {
throw new ErrorForbidden(`Invalid CSRF token: ${fields._csrf}`);
}
await ctx.joplin.models.token().deleteByValue(userId, fields._csrf);
}
export async function createCsrfToken(ctx: AppContext) {
if (!ctx.joplin.owner) throw new Error('Cannot create CSRF token without a user');
return ctx.joplin.models.token().generate(ctx.joplin.owner.id);
}
export async function createCsrfTag(ctx: AppContext) {
const token = await createCsrfToken(ctx);
return `<input type="hidden" name="_csrf" value="${escapeHtml(token)}"/>`;
}

10
packages/server/src/utils/requestUtils.ts
View File

@ -22,6 +22,8 @@ export async function formParse(req: any): Promise<FormParseResult> {
return output; return output;
} }
if (req.__parsed) return req.__parsed;
// Note that for Formidable to work, the content-type must be set in the // Note that for Formidable to work, the content-type must be set in the
// headers // headers
return new Promise((resolve: Function, reject: Function) => { return new Promise((resolve: Function, reject: Function) => {
@ -32,7 +34,13 @@ export async function formParse(req: any): Promise<FormParseResult> {
return; return;
} }
resolve({ fields, files }); // Formidable seems to be doing some black magic and once a request
// has been parsed it cannot be parsed again. Doing so will do
// nothing, the code will just end there, or maybe wait
// indefinitely. So we cache the result on success and return it if
// some code somewhere tries again to parse the form.
req.__parsed = { fields, files };
resolve(req.__parsed);
}); });
}); });
} }

7
packages/server/src/utils/routeUtils.ts
View File

@ -4,6 +4,7 @@ import { ErrorBadRequest, ErrorForbidden, ErrorNotFound } from './errors';
import Router from './Router'; import Router from './Router';
import { AppContext, HttpMethod, RouteType } from './types'; import { AppContext, HttpMethod, RouteType } from './types';
import { URL } from 'url'; import { URL } from 'url';
import { csrfCheck } from './csrf';
const { ltrimSlashes, rtrimSlashes } = require('@joplin/lib/path-utils'); const { ltrimSlashes, rtrimSlashes } = require('@joplin/lib/path-utils');
@ -188,10 +189,14 @@ export async function execRequest(routes: Routers, ctx: AppContext) {
const endPoint = match.route.findEndPoint(ctx.request.method as HttpMethod, match.subPath.schema); const endPoint = match.route.findEndPoint(ctx.request.method as HttpMethod, match.subPath.schema);
if (ctx.URL && !isValidOrigin(ctx.URL.origin, baseUrl(endPoint.type), endPoint.type)) throw new ErrorNotFound(`Invalid origin: ${ctx.URL.origin}`, 'invalidOrigin'); if (ctx.URL && !isValidOrigin(ctx.URL.origin, baseUrl(endPoint.type), endPoint.type)) throw new ErrorNotFound(`Invalid origin: ${ctx.URL.origin}`, 'invalidOrigin');
const isPublicRoute = match.route.isPublic(match.subPath.schema);
// This is a generic catch-all for all private end points - if we // This is a generic catch-all for all private end points - if we
// couldn't get a valid session, we exit now. Individual end points // couldn't get a valid session, we exit now. Individual end points
// might have additional permission checks depending on the action. // might have additional permission checks depending on the action.
if (!match.route.isPublic(match.subPath.schema) && !ctx.joplin.owner) throw new ErrorForbidden(); if (!isPublicRoute && !ctx.joplin.owner) throw new ErrorForbidden();
await csrfCheck(ctx, isPublicRoute);
return endPoint.handler(match.subPath, ctx); return endPoint.handler(match.subPath, ctx);
} }

3
packages/server/src/views/index/upgrade.mustache
View File

@ -1,7 +1,8 @@
<h1 class="title">Upgrade your account</h1> <h1 class="title">Upgrade your account</h1>
<p class="subtitle">Upgrading to a Pro account to get the following benefits.</p> <p class="subtitle">Upgrade to a Pro account to get the following benefits.</p>
<form id="upgrade_form" action="{{{postUrl}}}" method="POST"> <form id="upgrade_form" action="{{{postUrl}}}" method="POST">
{{{csrfTag}}}
<table class="table is-hoverable user-props-table"> <table class="table is-hoverable user-props-table">
<tbody> <tbody>
<tr> <tr>

21
packages/server/src/views/index/user.mustache
View File

@ -4,6 +4,7 @@
<div class="block"> <div class="block">
{{> errorBanner}} {{> errorBanner}}
{{{csrfTag}}}
<input type="hidden" name="id" value="{{user.id}}"/> <input type="hidden" name="id" value="{{user.id}}"/>
<input type="hidden" name="is_new" value="{{isNew}}"/> <input type="hidden" name="is_new" value="{{isNew}}"/>
<div class="field"> <div class="field">
@ -94,11 +95,11 @@
</div> </div>
</div> </div>
<h1 class="title">Your subscription</h1> {{#subscription}}
<h1 class="title">Your subscription</h1>
<div class="block"> <div class="block">
{{#global.owner.is_admin}} {{#global.owner.is_admin}}
{{#subscription}}
<div class="control block"> <div class="control block">
<p class="block">Stripe Subscription ID: <a href="https://dashboard.stripe.com/subscriptions/{{subscription.stripe_subscription_id}}">{{subscription.stripe_subscription_id}}</a></p> <p class="block">Stripe Subscription ID: <a href="https://dashboard.stripe.com/subscriptions/{{subscription.stripe_subscription_id}}">{{subscription.stripe_subscription_id}}</a></p>
{{#showUpdateSubscriptionBasic}} {{#showUpdateSubscriptionBasic}}
@ -111,11 +112,9 @@
<input type="submit" name="cancel_subscription_button" class="button is-danger" value="Cancel subscription" /> <input type="submit" name="cancel_subscription_button" class="button is-danger" value="Cancel subscription" />
{{/showCancelSubscription}} {{/showCancelSubscription}}
</div> </div>
{{/subscription}} {{/global.owner.is_admin}}
{{/global.owner.is_admin}}
{{^global.owner.is_admin}} {{^global.owner.is_admin}}
{{#subscription}}
<div class="control block"> <div class="control block">
{{#showUpdateSubscriptionPro}} {{#showUpdateSubscriptionPro}}
<a href="{{{global.baseUrl}}}/upgrade" class="button is-warning block">Upgrade to Pro</a> <a href="{{{global.baseUrl}}}/upgrade" class="button is-warning block">Upgrade to Pro</a>
@ -125,9 +124,9 @@
<input type="submit" id="user_cancel_subscription_button" name="user_cancel_subscription_button" class="button is-danger" value="Cancel subscription" /> <input type="submit" id="user_cancel_subscription_button" name="user_cancel_subscription_button" class="button is-danger" value="Cancel subscription" />
{{/showCancelSubscription}} {{/showCancelSubscription}}
</div> </div>
{{/subscription}} {{/global.owner.is_admin}}
{{/global.owner.is_admin}} </div>
</div> {{/subscription}}
</form> </form>