synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-15 22:20:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: relax csrf to exclude path based apps (#11430)

Browse Source 
* fix: relax csrf to exclude path based apps
* add unit test to verify path based apps are not CSRF blocked
This commit is contained in:
Steven Masley
2024-01-08 16:33:57 -06:00
committed by GitHub
parent 9f5a59d5c5
commit fb29af664b
4 changed files with 151 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
coderd/httpmw/csrf.go
View File

@ -3,6 +3,7 @@ package httpmw
import (
"net/http"
"regexp"
"strings"
"github.com/justinas/nosurf"
"golang.org/x/xerrors"
@ -12,6 +13,8 @@ import (
// CSRF is a middleware that verifies that a CSRF token is present in the request
// for non-GET requests.
// If enforce is false, then CSRF enforcement is disabled. We still want
// to include the CSRF middleware because it will set the CSRF cookie.
func CSRF(secureCookie bool) func(next http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
mw := nosurf.New(next)
@ -19,10 +22,16 @@ func CSRF(secureCookie bool) func(next http.Handler) http.Handler {
mw.SetFailureHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
http.Error(w, "Something is wrong with your CSRF token. Please refresh the page. If this error persists, try clearing your cookies.", http.StatusBadRequest)
}))
mw.ExemptRegexp(regexp.MustCompile("/api/v2/users/first"))
// Exempt all requests that do not require CSRF protection.
// All GET requests are exempt by default.
mw.ExemptPath("/api/v2/csp/reports")
// This should not be required?
mw.ExemptRegexp(regexp.MustCompile("/api/v2/users/first"))
// Agent authenticated routes
mw.ExemptRegexp(regexp.MustCompile("api/v2/workspaceagents/me/*"))
mw.ExemptRegexp(regexp.MustCompile("api/v2/workspaceagents/*"))
@ -36,6 +45,11 @@ func CSRF(secureCookie bool) func(next http.Handler) http.Handler {
mw.ExemptRegexp(regexp.MustCompile("/organizations/[^/]+/provisionerdaemons/*"))
mw.ExemptFunc(func(r *http.Request) bool {
// Only enforce CSRF on API routes.
if !strings.HasPrefix(r.URL.Path, "/api") {
return true
}
// CSRF only affects requests that automatically attach credentials via a cookie.
// If no cookie is present, then there is no risk of CSRF.
//nolint:govet