diff options
author | Niall Sheridan <nsheridan@gmail.com> | 2019-07-07 21:33:44 +0100 |
---|---|---|
committer | Niall Sheridan <nsheridan@gmail.com> | 2019-07-07 21:33:44 +0100 |
commit | 8c12c6939aab9106db14ec2d11d983bc5b29fb2c (patch) | |
tree | f9dc8a7d167c6355e47a65c52d4eb7b9ea03e6c8 /vendor/github.com/gorilla/csrf | |
parent | 0bd454cc448b812da6c693b451d86ff4cadbb6b2 (diff) |
Switch to modules
Diffstat (limited to 'vendor/github.com/gorilla/csrf')
-rw-r--r-- | vendor/github.com/gorilla/csrf/AUTHORS | 20 | ||||
-rw-r--r-- | vendor/github.com/gorilla/csrf/Gopkg.lock | 27 | ||||
-rw-r--r-- | vendor/github.com/gorilla/csrf/Gopkg.toml | 34 | ||||
-rw-r--r-- | vendor/github.com/gorilla/csrf/LICENSE | 26 | ||||
-rw-r--r-- | vendor/github.com/gorilla/csrf/README.md | 237 | ||||
-rw-r--r-- | vendor/github.com/gorilla/csrf/context.go | 29 | ||||
-rw-r--r-- | vendor/github.com/gorilla/csrf/context_legacy.go | 28 | ||||
-rw-r--r-- | vendor/github.com/gorilla/csrf/csrf.go | 279 | ||||
-rw-r--r-- | vendor/github.com/gorilla/csrf/doc.go | 176 | ||||
-rw-r--r-- | vendor/github.com/gorilla/csrf/go.mod | 7 | ||||
-rw-r--r-- | vendor/github.com/gorilla/csrf/helpers.go | 203 | ||||
-rw-r--r-- | vendor/github.com/gorilla/csrf/options.go | 130 | ||||
-rw-r--r-- | vendor/github.com/gorilla/csrf/store.go | 82 |
13 files changed, 0 insertions, 1278 deletions
diff --git a/vendor/github.com/gorilla/csrf/AUTHORS b/vendor/github.com/gorilla/csrf/AUTHORS deleted file mode 100644 index 4e84c37..0000000 --- a/vendor/github.com/gorilla/csrf/AUTHORS +++ /dev/null @@ -1,20 +0,0 @@ -# This is the official list of gorilla/csrf authors for copyright purposes. -# Please keep the list sorted. - -adiabatic <adiabatic@users.noreply.github.com> -Google LLC (https://opensource.google.com) -jamesgroat <james@groat.com> -Joshua Carp <jm.carp@gmail.com> -Kamil Kisiel <kamil@kamilkisiel.net> -Kevin Burke <kev@inburke.com> -Kévin Dunglas <dunglas@gmail.com> -Kristoffer Berdal <web@flexd.net> -Martin Angers <martin.n.angers@gmail.com> -Matt Silverlock <matt@eatsleeprepeat.net> -Philip I. Thomas <mail@philipithomas.com> -Richard Musiol <mail@richard-musiol.de> -Seth Hoenig <seth.a.hoenig@gmail.com> -Stefano Vettorazzi <stefanovc@gmail.com> -Wayne Ashley Berry <wayneashleyberry@gmail.com> -田浩浩 <llitfkitfk@gmail.com> -陈东海 <cdh_cjx@163.com> diff --git a/vendor/github.com/gorilla/csrf/Gopkg.lock b/vendor/github.com/gorilla/csrf/Gopkg.lock deleted file mode 100644 index 5db9540..0000000 --- a/vendor/github.com/gorilla/csrf/Gopkg.lock +++ /dev/null @@ -1,27 +0,0 @@ -# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'. - - -[[projects]] - name = "github.com/gorilla/context" - packages = ["."] - revision = "1ea25387ff6f684839d82767c1733ff4d4d15d0a" - version = "v1.1" - -[[projects]] - name = "github.com/gorilla/securecookie" - packages = ["."] - revision = "667fe4e3466a040b780561fe9b51a83a3753eefc" - version = "v1.1" - -[[projects]] - name = "github.com/pkg/errors" - packages = ["."] - revision = "645ef00459ed84a119197bfb8d8205042c6df63d" - version = "v0.8.0" - -[solve-meta] - analyzer-name = "dep" - analyzer-version = 1 - inputs-digest = "1695686bc8fa0eb76df9fe8c5ca473686071ddcf795a0595a9465a03e8ac9bef" - solver-name = "gps-cdcl" - solver-version = 1 diff --git a/vendor/github.com/gorilla/csrf/Gopkg.toml b/vendor/github.com/gorilla/csrf/Gopkg.toml deleted file mode 100644 index 02837b1..0000000 --- a/vendor/github.com/gorilla/csrf/Gopkg.toml +++ /dev/null @@ -1,34 +0,0 @@ - -# Gopkg.toml example -# -# Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md -# for detailed Gopkg.toml documentation. -# -# required = ["github.com/user/thing/cmd/thing"] -# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"] -# -# [[constraint]] -# name = "github.com/user/project" -# version = "1.0.0" -# -# [[constraint]] -# name = "github.com/user/project2" -# branch = "dev" -# source = "github.com/myfork/project2" -# -# [[override]] -# name = "github.com/x/y" -# version = "2.4.0" - - -[[constraint]] - name = "github.com/gorilla/context" - version = "1.1.0" - -[[constraint]] - name = "github.com/gorilla/securecookie" - version = "1.1.0" - -[[constraint]] - name = "github.com/pkg/errors" - version = "0.8.0" diff --git a/vendor/github.com/gorilla/csrf/LICENSE b/vendor/github.com/gorilla/csrf/LICENSE deleted file mode 100644 index c1eb344..0000000 --- a/vendor/github.com/gorilla/csrf/LICENSE +++ /dev/null @@ -1,26 +0,0 @@ -Copyright (c) 2015-2018, The Gorilla Authors. All rights reserved. - -Redistribution and use in source and binary forms, with or without modification, -are permitted provided that the following conditions are met: - -1. Redistributions of source code must retain the above copyright notice, this -list of conditions and the following disclaimer. - -2. Redistributions in binary form must reproduce the above copyright notice, -this list of conditions and the following disclaimer in the documentation and/or -other materials provided with the distribution. - -3. Neither the name of the copyright holder nor the names of its contributors -may be used to endorse or promote products derived from this software without -specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR -ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON -ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/vendor/github.com/gorilla/csrf/README.md b/vendor/github.com/gorilla/csrf/README.md deleted file mode 100644 index 6bcca60..0000000 --- a/vendor/github.com/gorilla/csrf/README.md +++ /dev/null @@ -1,237 +0,0 @@ -# gorilla/csrf - -[![GoDoc](https://godoc.org/github.com/gorilla/csrf?status.svg)](https://godoc.org/github.com/gorilla/csrf) [![Build Status](https://travis-ci.org/gorilla/csrf.svg?branch=master)](https://travis-ci.org/gorilla/csrf) [![Sourcegraph](https://sourcegraph.com/github.com/gorilla/csrf/-/badge.svg)](https://sourcegraph.com/github.com/gorilla/csrf?badge) - -gorilla/csrf is a HTTP middleware library that provides [cross-site request -forgery](http://blog.codinghorror.com/preventing-csrf-and-xsrf-attacks/) (CSRF) -protection. It includes: - -- The `csrf.Protect` middleware/handler provides CSRF protection on routes - attached to a router or a sub-router. -- A `csrf.Token` function that provides the token to pass into your response, - whether that be a HTML form or a JSON response body. -- ... and a `csrf.TemplateField` helper that you can pass into your `html/template` - templates to replace a `{{ .csrfField }}` template tag with a hidden input - field. - -gorilla/csrf is designed to work with any Go web framework, including: - -- The [Gorilla](http://www.gorillatoolkit.org/) toolkit -- Go's built-in [net/http](http://golang.org/pkg/net/http/) package -- [Goji](https://goji.io) - see the [tailored fork](https://github.com/goji/csrf) -- [Gin](https://github.com/gin-gonic/gin) -- [Echo](https://github.com/labstack/echo) -- ... and any other router/framework that rallies around Go's `http.Handler` interface. - -gorilla/csrf is also compatible with middleware 'helper' libraries like -[Alice](https://github.com/justinas/alice) and [Negroni](https://github.com/codegangsta/negroni). - -## Install - -With a properly configured Go toolchain: - -```sh -go get github.com/gorilla/csrf -``` - -## Examples - -- [HTML Forms](#html-forms) -- [JavaScript Apps](#javascript-applications) -- [Google App Engine](#google-app-engine) -- [Setting Options](#setting-options) - -gorilla/csrf is easy to use: add the middleware to your router with -the below: - -```go -CSRF := csrf.Protect([]byte("32-byte-long-auth-key")) -http.ListenAndServe(":8000", CSRF(r)) -``` - -...and then collect the token with `csrf.Token(r)` in your handlers before -passing it to the template, JSON body or HTTP header (see below). - -Note that the authentication key passed to `csrf.Protect([]byte(key))` should be -32-bytes long and persist across application restarts. Generating a random key -won't allow you to authenticate existing cookies and will break your CSRF -validation. - -gorilla/csrf inspects the HTTP headers (first) and form body (second) on -subsequent POST/PUT/PATCH/DELETE/etc. requests for the token. - -### HTML Forms - -Here's the common use-case: HTML forms you want to provide CSRF protection for, -in order to protect malicious POST requests being made: - -```go -package main - -import ( - "net/http" - - "github.com/gorilla/csrf" - "github.com/gorilla/mux" -) - -func main() { - r := mux.NewRouter() - r.HandleFunc("/signup", ShowSignupForm) - // All POST requests without a valid token will return HTTP 403 Forbidden. - // We should also ensure that our mutating (non-idempotent) handler only - // matches on POST requests. We can check that here, at the router level, or - // within the handler itself via r.Method. - r.HandleFunc("/signup/post", SubmitSignupForm).Methods("POST") - - // Add the middleware to your router by wrapping it. - http.ListenAndServe(":8000", - csrf.Protect([]byte("32-byte-long-auth-key"))(r)) - // PS: Don't forget to pass csrf.Secure(false) if you're developing locally - // over plain HTTP (just don't leave it on in production). -} - -func ShowSignupForm(w http.ResponseWriter, r *http.Request) { - // signup_form.tmpl just needs a {{ .csrfField }} template tag for - // csrf.TemplateField to inject the CSRF token into. Easy! - t.ExecuteTemplate(w, "signup_form.tmpl", map[string]interface{}{ - csrf.TemplateTag: csrf.TemplateField(r), - }) - // We could also retrieve the token directly from csrf.Token(r) and - // set it in the request header - w.Header.Set("X-CSRF-Token", token) - // This is useful if you're sending JSON to clients or a front-end JavaScript - // framework. -} - -func SubmitSignupForm(w http.ResponseWriter, r *http.Request) { - // We can trust that requests making it this far have satisfied - // our CSRF protection requirements. -} -``` - -Note that the CSRF middleware will (by necessity) consume the request body if the -token is passed via POST form values. If you need to consume this in your -handler, insert your own middleware earlier in the chain to capture the request -body. - -### JavaScript Applications - -This approach is useful if you're using a front-end JavaScript framework like -React, Ember or Angular, or are providing a JSON API. - -We'll also look at applying selective CSRF protection using -[gorilla/mux's](http://www.gorillatoolkit.org/pkg/mux) sub-routers, -as we don't handle any POST/PUT/DELETE requests with our top-level router. - -```go -package main - -import ( - "github.com/gorilla/csrf" - "github.com/gorilla/mux" -) - -func main() { - r := mux.NewRouter() - - api := r.PathPrefix("/api").Subrouter() - api.HandleFunc("/user/{id}", GetUser).Methods("GET") - - http.ListenAndServe(":8000", - csrf.Protect([]byte("32-byte-long-auth-key"))(r)) -} - -func GetUser(w http.ResponseWriter, r *http.Request) { - // Authenticate the request, get the id from the route params, - // and fetch the user from the DB, etc. - - // Get the token and pass it in the CSRF header. Our JSON-speaking client - // or JavaScript framework can now read the header and return the token in - // in its own "X-CSRF-Token" request header on the subsequent POST. - w.Header().Set("X-CSRF-Token", csrf.Token(r)) - b, err := json.Marshal(user) - if err != nil { - http.Error(w, err.Error(), 500) - return - } - - w.Write(b) -} -``` - -### Google App Engine - -If you're using [Google App -Engine](https://cloud.google.com/appengine/docs/go/how-requests-are-handled#Go_Requests_and_HTTP), -which doesn't allow you to hook into the default `http.ServeMux` directly, -you can still use gorilla/csrf (and gorilla/mux): - -```go -package app - -// Remember: appengine has its own package main -func init() { - r := mux.NewRouter() - r.HandleFunc("/", IndexHandler) - // ... - - // We pass our CSRF-protected router to the DefaultServeMux - http.Handle("/", csrf.Protect([]byte(your-key))(r)) -} -``` - -### Setting Options - -What about providing your own error handler and changing the HTTP header the -package inspects on requests? (i.e. an existing API you're porting to Go). Well, -gorilla/csrf provides options for changing these as you see fit: - -```go -func main() { - CSRF := csrf.Protect( - []byte("a-32-byte-long-key-goes-here"), - csrf.RequestHeader("Authenticity-Token"), - csrf.FieldName("authenticity_token"), - csrf.ErrorHandler(http.HandlerFunc(serverError(403))), - ) - - r := mux.NewRouter() - r.HandleFunc("/signup", GetSignupForm) - r.HandleFunc("/signup/post", PostSignupForm) - - http.ListenAndServe(":8000", CSRF(r)) -} -``` - -Not too bad, right? - -If there's something you're confused about or a feature you would like to see -added, open an issue. - -## Design Notes - -Getting CSRF protection right is important, so here's some background: - -- This library generates unique-per-request (masked) tokens as a mitigation - against the [BREACH attack](http://breachattack.com/). -- The 'base' (unmasked) token is stored in the session, which means that - multiple browser tabs won't cause a user problems as their per-request token - is compared with the base token. -- Operates on a "whitelist only" approach where safe (non-mutating) HTTP methods - (GET, HEAD, OPTIONS, TRACE) are the _only_ methods where token validation is not - enforced. -- The design is based on the battle-tested - [Django](https://docs.djangoproject.com/en/1.8/ref/csrf/) and [Ruby on - Rails](http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html) - approaches. -- Cookies are authenticated and based on the [securecookie](https://github.com/gorilla/securecookie) - library. They're also Secure (issued over HTTPS only) and are HttpOnly - by default, because sane defaults are important. -- Go's `crypto/rand` library is used to generate the 32 byte (256 bit) tokens - and the one-time-pad used for masking them. - -This library does not seek to be adventurous. - -## License - -BSD licensed. See the LICENSE file for details. diff --git a/vendor/github.com/gorilla/csrf/context.go b/vendor/github.com/gorilla/csrf/context.go deleted file mode 100644 index d8bb42f..0000000 --- a/vendor/github.com/gorilla/csrf/context.go +++ /dev/null @@ -1,29 +0,0 @@ -// +build go1.7 - -package csrf - -import ( - "context" - "net/http" - - "github.com/pkg/errors" -) - -func contextGet(r *http.Request, key string) (interface{}, error) { - val := r.Context().Value(key) - if val == nil { - return nil, errors.Errorf("no value exists in the context for key %q", key) - } - - return val, nil -} - -func contextSave(r *http.Request, key string, val interface{}) *http.Request { - ctx := r.Context() - ctx = context.WithValue(ctx, key, val) - return r.WithContext(ctx) -} - -func contextClear(r *http.Request) { - // no-op for go1.7+ -} diff --git a/vendor/github.com/gorilla/csrf/context_legacy.go b/vendor/github.com/gorilla/csrf/context_legacy.go deleted file mode 100644 index f88c9eb..0000000 --- a/vendor/github.com/gorilla/csrf/context_legacy.go +++ /dev/null @@ -1,28 +0,0 @@ -// +build !go1.7 - -package csrf - -import ( - "net/http" - - "github.com/gorilla/context" - - "github.com/pkg/errors" -) - -func contextGet(r *http.Request, key string) (interface{}, error) { - if val, ok := context.GetOk(r, key); ok { - return val, nil - } - - return nil, errors.Errorf("no value exists in the context for key %q", key) -} - -func contextSave(r *http.Request, key string, val interface{}) *http.Request { - context.Set(r, key, val) - return r -} - -func contextClear(r *http.Request) { - context.Clear(r) -} diff --git a/vendor/github.com/gorilla/csrf/csrf.go b/vendor/github.com/gorilla/csrf/csrf.go deleted file mode 100644 index cc7878f..0000000 --- a/vendor/github.com/gorilla/csrf/csrf.go +++ /dev/null @@ -1,279 +0,0 @@ -package csrf - -import ( - "fmt" - "net/http" - "net/url" - - "github.com/pkg/errors" - - "github.com/gorilla/securecookie" -) - -// CSRF token length in bytes. -const tokenLength = 32 - -// Context/session keys & prefixes -const ( - tokenKey string = "gorilla.csrf.Token" - formKey string = "gorilla.csrf.Form" - errorKey string = "gorilla.csrf.Error" - skipCheckKey string = "gorilla.csrf.Skip" - cookieName string = "_gorilla_csrf" - errorPrefix string = "gorilla/csrf: " -) - -var ( - // The name value used in form fields. - fieldName = tokenKey - // defaultAge sets the default MaxAge for cookies. - defaultAge = 3600 * 12 - // The default HTTP request header to inspect - headerName = "X-CSRF-Token" - // Idempotent (safe) methods as defined by RFC7231 section 4.2.2. - safeMethods = []string{"GET", "HEAD", "OPTIONS", "TRACE"} -) - -// TemplateTag provides a default template tag - e.g. {{ .csrfField }} - for use -// with the TemplateField function. -var TemplateTag = "csrfField" - -var ( - // ErrNoReferer is returned when a HTTPS request provides an empty Referer - // header. - ErrNoReferer = errors.New("referer not supplied") - // ErrBadReferer is returned when the scheme & host in the URL do not match - // the supplied Referer header. - ErrBadReferer = errors.New("referer invalid") - // ErrNoToken is returned if no CSRF token is supplied in the request. - ErrNoToken = errors.New("CSRF token not found in request") - // ErrBadToken is returned if the CSRF token in the request does not match - // the token in the session, or is otherwise malformed. - ErrBadToken = errors.New("CSRF token invalid") -) - -type csrf struct { - h http.Handler - sc *securecookie.SecureCookie - st store - opts options -} - -// options contains the optional settings for the CSRF middleware. -type options struct { - MaxAge int - Domain string - Path string - // Note that the function and field names match the case of the associated - // http.Cookie field instead of the "correct" HTTPOnly name that golint suggests. - HttpOnly bool - Secure bool - RequestHeader string - FieldName string - ErrorHandler http.Handler - CookieName string -} - -// Protect is HTTP middleware that provides Cross-Site Request Forgery -// protection. -// -// It securely generates a masked (unique-per-request) token that -// can be embedded in the HTTP response (e.g. form field or HTTP header). -// The original (unmasked) token is stored in the session, which is inaccessible -// by an attacker (provided you are using HTTPS). Subsequent requests are -// expected to include this token, which is compared against the session token. -// Requests that do not provide a matching token are served with a HTTP 403 -// 'Forbidden' error response. -// -// Example: -// package main -// -// import ( -// "html/template" -// -// "github.com/gorilla/csrf" -// "github.com/gorilla/mux" -// ) -// -// var t = template.Must(template.New("signup_form.tmpl").Parse(form)) -// -// func main() { -// r := mux.NewRouter() -// -// r.HandleFunc("/signup", GetSignupForm) -// // POST requests without a valid token will return a HTTP 403 Forbidden. -// r.HandleFunc("/signup/post", PostSignupForm) -// -// // Add the middleware to your router. -// http.ListenAndServe(":8000", -// // Note that the authentication key provided should be 32 bytes -// // long and persist across application restarts. -// csrf.Protect([]byte("32-byte-long-auth-key"))(r)) -// } -// -// func GetSignupForm(w http.ResponseWriter, r *http.Request) { -// // signup_form.tmpl just needs a {{ .csrfField }} template tag for -// // csrf.TemplateField to inject the CSRF token into. Easy! -// t.ExecuteTemplate(w, "signup_form.tmpl", map[string]interface{}{ -// csrf.TemplateTag: csrf.TemplateField(r), -// }) -// // We could also retrieve the token directly from csrf.Token(r) and -// // set it in the request header - w.Header.Set("X-CSRF-Token", token) -// // This is useful if you're sending JSON to clients or a front-end JavaScript -// // framework. -// } -// -func Protect(authKey []byte, opts ...Option) func(http.Handler) http.Handler { - return func(h http.Handler) http.Handler { - cs := parseOptions(h, opts...) - - // Set the defaults if no options have been specified - if cs.opts.ErrorHandler == nil { - cs.opts.ErrorHandler = http.HandlerFunc(unauthorizedHandler) - } - - if cs.opts.MaxAge < 0 { - // Default of 12 hours - cs.opts.MaxAge = defaultAge - } - - if cs.opts.FieldName == "" { - cs.opts.FieldName = fieldName - } - - if cs.opts.CookieName == "" { - cs.opts.CookieName = cookieName - } - - if cs.opts.RequestHeader == "" { - cs.opts.RequestHeader = headerName - } - - // Create an authenticated securecookie instance. - if cs.sc == nil { - cs.sc = securecookie.New(authKey, nil) - // Use JSON serialization (faster than one-off gob encoding) - cs.sc.SetSerializer(securecookie.JSONEncoder{}) - // Set the MaxAge of the underlying securecookie. - cs.sc.MaxAge(cs.opts.MaxAge) - } - - if cs.st == nil { - // Default to the cookieStore - cs.st = &cookieStore{ - name: cs.opts.CookieName, - maxAge: cs.opts.MaxAge, - secure: cs.opts.Secure, - httpOnly: cs.opts.HttpOnly, - path: cs.opts.Path, - domain: cs.opts.Domain, - sc: cs.sc, - } - } - - return cs - } -} - -// Implements http.Handler for the csrf type. -func (cs *csrf) ServeHTTP(w http.ResponseWriter, r *http.Request) { - // Skip the check if directed to. This should always be a bool. - if val, err := contextGet(r, skipCheckKey); err == nil { - if skip, ok := val.(bool); ok { - if skip { - cs.h.ServeHTTP(w, r) - return - } - } - } - - // Retrieve the token from the session. - // An error represents either a cookie that failed HMAC validation - // or that doesn't exist. - realToken, err := cs.st.Get(r) - if err != nil || len(realToken) != tokenLength { - // If there was an error retrieving the token, the token doesn't exist - // yet, or it's the wrong length, generate a new token. - // Note that the new token will (correctly) fail validation downstream - // as it will no longer match the request token. - realToken, err = generateRandomBytes(tokenLength) - if err != nil { - r = envError(r, err) - cs.opts.ErrorHandler.ServeHTTP(w, r) - return - } - - // Save the new (real) token in the session store. - err = cs.st.Save(realToken, w) - if err != nil { - r = envError(r, err) - cs.opts.ErrorHandler.ServeHTTP(w, r) - return - } - } - - // Save the masked token to the request context - r = contextSave(r, tokenKey, mask(realToken, r)) - // Save the field name to the request context - r = contextSave(r, formKey, cs.opts.FieldName) - - // HTTP methods not defined as idempotent ("safe") under RFC7231 require - // inspection. - if !contains(safeMethods, r.Method) { - // Enforce an origin check for HTTPS connections. As per the Django CSRF - // implementation (https://goo.gl/vKA7GE) the Referer header is almost - // always present for same-domain HTTP requests. - if r.URL.Scheme == "https" { - // Fetch the Referer value. Call the error handler if it's empty or - // otherwise fails to parse. - referer, err := url.Parse(r.Referer()) - if err != nil || referer.String() == "" { - r = envError(r, ErrNoReferer) - cs.opts.ErrorHandler.ServeHTTP(w, r) - return - } - - if sameOrigin(r.URL, referer) == false { - r = envError(r, ErrBadReferer) - cs.opts.ErrorHandler.ServeHTTP(w, r) - return - } - } - - // If the token returned from the session store is nil for non-idempotent - // ("unsafe") methods, call the error handler. - if realToken == nil { - r = envError(r, ErrNoToken) - cs.opts.ErrorHandler.ServeHTTP(w, r) - return - } - - // Retrieve the combined token (pad + masked) token and unmask it. - requestToken := unmask(cs.requestToken(r)) - - // Compare the request token against the real token - if !compareTokens(requestToken, realToken) { - r = envError(r, ErrBadToken) - cs.opts.ErrorHandler.ServeHTTP(w, r) - return - } - - } - - // Set the Vary: Cookie header to protect clients from caching the response. - w.Header().Add("Vary", "Cookie") - - // Call the wrapped handler/router on success. - cs.h.ServeHTTP(w, r) - // Clear the request context after the handler has completed. - contextClear(r) -} - -// unauthorizedhandler sets a HTTP 403 Forbidden status and writes the -// CSRF failure reason to the response. -func unauthorizedHandler(w http.ResponseWriter, r *http.Request) { - http.Error(w, fmt.Sprintf("%s - %s", - http.StatusText(http.StatusForbidden), FailureReason(r)), - http.StatusForbidden) - return -} diff --git a/vendor/github.com/gorilla/csrf/doc.go b/vendor/github.com/gorilla/csrf/doc.go deleted file mode 100644 index 503c948..0000000 --- a/vendor/github.com/gorilla/csrf/doc.go +++ /dev/null @@ -1,176 +0,0 @@ -/* -Package csrf (gorilla/csrf) provides Cross Site Request Forgery (CSRF) -prevention middleware for Go web applications & services. - -It includes: - -* The `csrf.Protect` middleware/handler provides CSRF protection on routes -attached to a router or a sub-router. - -* A `csrf.Token` function that provides the token to pass into your response, -whether that be a HTML form or a JSON response body. - -* ... and a `csrf.TemplateField` helper that you can pass into your `html/template` -templates to replace a `{{ .csrfField }}` template tag with a hidden input -field. - -gorilla/csrf is easy to use: add the middleware to individual handlers with -the below: - - CSRF := csrf.Protect([]byte("32-byte-long-auth-key")) - http.HandlerFunc("/route", CSRF(YourHandler)) - -... and then collect the token with `csrf.Token(r)` before passing it to the -template, JSON body or HTTP header (you pick!). gorilla/csrf inspects the form body -(first) and HTTP headers (second) on subsequent POST/PUT/PATCH/DELETE/etc. requests -for the token. - -Note that the authentication key passed to `csrf.Protect([]byte(key))` should be -32-bytes long and persist across application restarts. Generating a random key -won't allow you to authenticate existing cookies and will break your CSRF -validation. - -Here's the common use-case: HTML forms you want to provide CSRF protection for, -in order to protect malicious POST requests being made: - - package main - - import ( - "fmt" - "html/template" - "net/http" - - "github.com/gorilla/csrf" - "github.com/gorilla/mux" - ) - - var form = ` - <html> - <head> - <title>Sign Up!</title> - </head> - <body> - <form method="POST" action="/signup/post" accept-charset="UTF-8"> - <input type="text" name="name"> - <input type="text" name="email"> - <!-- - The default template tag used by the CSRF middleware . - This will be replaced with a hidden <input> field containing the - masked CSRF token. - --> - {{ .csrfField }} - <input type="submit" value="Sign up!"> - </form> - </body> - </html> - ` - - var t = template.Must(template.New("signup_form.tmpl").Parse(form)) - - func main() { - r := mux.NewRouter() - r.HandleFunc("/signup", ShowSignupForm) - // All POST requests without a valid token will return HTTP 403 Forbidden. - // We should also ensure that our mutating (non-idempotent) handler only - // matches on POST requests. We can check that here, at the router level, or - // within the handler itself via r.Method. - r.HandleFunc("/signup/post", SubmitSignupForm).Methods("POST") - - // Add the middleware to your router by wrapping it. - http.ListenAndServe(":8000", - csrf.Protect([]byte("32-byte-long-auth-key"))(r)) - // PS: Don't forget to pass csrf.Secure(false) if you're developing locally - // over plain HTTP (just don't leave it on in production). - } - - func ShowSignupForm(w http.ResponseWriter, r *http.Request) { - // signup_form.tmpl just needs a {{ .csrfField }} template tag for - // csrf.TemplateField to inject the CSRF token into. Easy! - t.ExecuteTemplate(w, "signup_form.tmpl", map[string]interface{}{ - csrf.TemplateTag: csrf.TemplateField(r), - }) - } - - func SubmitSignupForm(w http.ResponseWriter, r *http.Request) { - // We can trust that requests making it this far have satisfied - // our CSRF protection requirements. - fmt.Fprintf(w, "%v\n", r.PostForm) - } - -Note that the CSRF middleware will (by necessity) consume the request body if the -token is passed via POST form values. If you need to consume this in your -handler, insert your own middleware earlier in the chain to capture the request -body. - -You can also send the CSRF token in the response header. This approach is useful -if you're using a front-end JavaScript framework like Ember or Angular, or are -providing a JSON API: - - package main - - import ( - "github.com/gorilla/csrf" - "github.com/gorilla/mux" - ) - - func main() { - r := mux.NewRouter() - - api := r.PathPrefix("/api").Subrouter() - api.HandleFunc("/user/:id", GetUser).Methods("GET") - - http.ListenAndServe(":8000", - csrf.Protect([]byte("32-byte-long-auth-key"))(r)) - } - - func GetUser(w http.ResponseWriter, r *http.Request) { - // Authenticate the request, get the id from the route params, - // and fetch the user from the DB, etc. - - // Get the token and pass it in the CSRF header. Our JSON-speaking client - // or JavaScript framework can now read the header and return the token in - // in its own "X-CSRF-Token" request header on the subsequent POST. - w.Header().Set("X-CSRF-Token", csrf.Token(r)) - b, err := json.Marshal(user) - if err != nil { - http.Error(w, err.Error(), 500) - return - } - - w.Write(b) - } - -If you're writing a client that's supposed to mimic browser behavior, make sure to -send back the CSRF cookie (the default name is _gorilla_csrf, but this can be changed -with the CookieName Option) along with either the X-CSRF-Token header or the gorilla.csrf.Token form field. - -In addition: getting CSRF protection right is important, so here's some background: - -* This library generates unique-per-request (masked) tokens as a mitigation -against the BREACH attack (http://breachattack.com/). - -* The 'base' (unmasked) token is stored in the session, which means that -multiple browser tabs won't cause a user problems as their per-request token -is compared with the base token. - -* Operates on a "whitelist only" approach where safe (non-mutating) HTTP methods -(GET, HEAD, OPTIONS, TRACE) are the *only* methods where token validation is not -enforced. - -* The design is based on the battle-tested Django -(https://docs.djangoproject.com/en/1.8/ref/csrf/) and Ruby on Rails -(http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html) -approaches. - -* Cookies are authenticated and based on the securecookie -(https://github.com/gorilla/securecookie) library. They're also Secure (issued -over HTTPS only) and are HttpOnly by default, because sane defaults are -important. - -* Go's `crypto/rand` library is used to generate the 32 byte (256 bit) tokens -and the one-time-pad used for masking them. - -This library does not seek to be adventurous. - -*/ -package csrf diff --git a/vendor/github.com/gorilla/csrf/go.mod b/vendor/github.com/gorilla/csrf/go.mod deleted file mode 100644 index 2d2ce4d..0000000 --- a/vendor/github.com/gorilla/csrf/go.mod +++ /dev/null @@ -1,7 +0,0 @@ -module github.com/gorilla/csrf - -require ( - github.com/gorilla/context v1.1.1 - github.com/gorilla/securecookie v1.1.1 - github.com/pkg/errors v0.8.0 -) diff --git a/vendor/github.com/gorilla/csrf/helpers.go b/vendor/github.com/gorilla/csrf/helpers.go deleted file mode 100644 index 3dacfd2..0000000 --- a/vendor/github.com/gorilla/csrf/helpers.go +++ /dev/null @@ -1,203 +0,0 @@ -package csrf - -import ( - "crypto/rand" - "crypto/subtle" - "encoding/base64" - "fmt" - "html/template" - "net/http" - "net/url" -) - -// Token returns a masked CSRF token ready for passing into HTML template or -// a JSON response body. An empty token will be returned if the middleware -// has not been applied (which will fail subsequent validation). -func Token(r *http.Request) string { - if val, err := contextGet(r, tokenKey); err == nil { - if maskedToken, ok := val.(string); ok { - return maskedToken - } - } - - return "" -} - -// FailureReason makes CSRF validation errors available in the request context. -// This is useful when you want to log the cause of the error or report it to -// client. -func FailureReason(r *http.Request) error { - if val, err := contextGet(r, errorKey); err == nil { - if err, ok := val.(error); ok { - return err - } - } - - return nil -} - -// UnsafeSkipCheck will skip the CSRF check for any requests. This must be -// called before the CSRF middleware. -// -// Note: You should not set this without otherwise securing the request from -// CSRF attacks. The primary use-case for this function is to turn off CSRF -// checks for non-browser clients using authorization tokens against your API. -func UnsafeSkipCheck(r *http.Request) *http.Request { - return contextSave(r, skipCheckKey, true) -} - -// TemplateField is a template helper for html/template that provides an <input> field -// populated with a CSRF token. -// -// Example: -// -// // The following tag in our form.tmpl template: -// {{ .csrfField }} -// -// // ... becomes: -// <input type="hidden" name="gorilla.csrf.Token" value="<token>"> -// -func TemplateField(r *http.Request) template.HTML { - if name, err := contextGet(r, formKey); err == nil { - fragment := fmt.Sprintf(`<input type="hidden" name="%s" value="%s">`, - name, Token(r)) - - return template.HTML(fragment) - } - - return template.HTML("") -} - -// mask returns a unique-per-request token to mitigate the BREACH attack -// as per http://breachattack.com/#mitigations -// -// The token is generated by XOR'ing a one-time-pad and the base (session) CSRF -// token and returning them together as a 64-byte slice. This effectively -// randomises the token on a per-request basis without breaking multiple browser -// tabs/windows. -func mask(realToken []byte, r *http.Request) string { - otp, err := generateRandomBytes(tokenLength) - if err != nil { - return "" - } - - // XOR the OTP with the real token to generate a masked token. Append the - // OTP to the front of the masked token to allow unmasking in the subsequent - // request. - return base64.StdEncoding.EncodeToString(append(otp, xorToken(otp, realToken)...)) -} - -// unmask splits the issued token (one-time-pad + masked token) and returns the -// unmasked request token for comparison. -func unmask(issued []byte) []byte { - // Issued tokens are always masked and combined with the pad. - if len(issued) != tokenLength*2 { - return nil - } - - // We now know the length of the byte slice. - otp := issued[tokenLength:] - masked := issued[:tokenLength] - - // Unmask the token by XOR'ing it against the OTP used to mask it. - return xorToken(otp, masked) -} - -// requestToken returns the issued token (pad + masked token) from the HTTP POST -// body or HTTP header. It will return nil if the token fails to decode. -func (cs *csrf) requestToken(r *http.Request) []byte { - // 1. Check the HTTP header first. - issued := r.Header.Get(cs.opts.RequestHeader) - - // 2. Fall back to the POST (form) value. - if issued == "" { - issued = r.PostFormValue(cs.opts.FieldName) - } - - // 3. Finally, fall back to the multipart form (if set). - if issued == "" && r.MultipartForm != nil { - vals := r.MultipartForm.Value[cs.opts.FieldName] - - if len(vals) > 0 { - issued = vals[0] - } - } - - // Decode the "issued" (pad + masked) token sent in the request. Return a - // nil byte slice on a decoding error (this will fail upstream). - decoded, err := base64.StdEncoding.DecodeString(issued) - if err != nil { - return nil - } - - return decoded -} - -// generateRandomBytes returns securely generated random bytes. -// It will return an error if the system's secure random number generator -// fails to function correctly. -func generateRandomBytes(n int) ([]byte, error) { - b := make([]byte, n) - _, err := rand.Read(b) - // err == nil only if len(b) == n - if err != nil { - return nil, err - } - - return b, nil - -} - -// sameOrigin returns true if URLs a and b share the same origin. The same -// origin is defined as host (which includes the port) and scheme. -func sameOrigin(a, b *url.URL) bool { - return (a.Scheme == b.Scheme && a.Host == b.Host) -} - -// compare securely (constant-time) compares the unmasked token from the request -// against the real token from the session. -func compareTokens(a, b []byte) bool { - // This is required as subtle.ConstantTimeCompare does not check for equal - // lengths in Go versions prior to 1.3. - if len(a) != len(b) { - return false - } - - return subtle.ConstantTimeCompare(a, b) == 1 -} - -// xorToken XORs tokens ([]byte) to provide unique-per-request CSRF tokens. It -// will return a masked token if the base token is XOR'ed with a one-time-pad. -// An unmasked token will be returned if a masked token is XOR'ed with the -// one-time-pad used to mask it. -func xorToken(a, b []byte) []byte { - n := len(a) - if len(b) < n { - n = len(b) - } - - res := make([]byte, n) - - for i := 0; i < n; i++ { - res[i] = a[i] ^ b[i] - } - - return res -} - -// contains is a helper function to check if a string exists in a slice - e.g. -// whether a HTTP method exists in a list of safe methods. -func contains(vals []string, s string) bool { - for _, v := range vals { - if v == s { - return true - } - } - - return false -} - -// envError stores a CSRF error in the request context. -func envError(r *http.Request, err error) *http.Request { - return contextSave(r, errorKey, err) -} diff --git a/vendor/github.com/gorilla/csrf/options.go b/vendor/github.com/gorilla/csrf/options.go deleted file mode 100644 index b50ebd4..0000000 --- a/vendor/github.com/gorilla/csrf/options.go +++ /dev/null @@ -1,130 +0,0 @@ -package csrf - -import "net/http" - -// Option describes a functional option for configuring the CSRF handler. -type Option func(*csrf) - -// MaxAge sets the maximum age (in seconds) of a CSRF token's underlying cookie. -// Defaults to 12 hours. -func MaxAge(age int) Option { - return func(cs *csrf) { - cs.opts.MaxAge = age - } -} - -// Domain sets the cookie domain. Defaults to the current domain of the request -// only (recommended). -// -// This should be a hostname and not a URL. If set, the domain is treated as -// being prefixed with a '.' - e.g. "example.com" becomes ".example.com" and -// matches "www.example.com" and "secure.example.com". -func Domain(domain string) Option { - return func(cs *csrf) { - cs.opts.Domain = domain - } -} - -// Path sets the cookie path. Defaults to the path the cookie was issued from -// (recommended). -// -// This instructs clients to only respond with cookie for that path and its -// subpaths - i.e. a cookie issued from "/register" would be included in requests -// to "/register/step2" and "/register/submit". -func Path(p string) Option { - return func(cs *csrf) { - cs.opts.Path = p - } -} - -// Secure sets the 'Secure' flag on the cookie. Defaults to true (recommended). -// Set this to 'false' in your development environment otherwise the cookie won't -// be sent over an insecure channel. Setting this via the presence of a 'DEV' -// environmental variable is a good way of making sure this won't make it to a -// production environment. -func Secure(s bool) Option { - return func(cs *csrf) { - cs.opts.Secure = s - } -} - -// HttpOnly sets the 'HttpOnly' flag on the cookie. Defaults to true (recommended). -func HttpOnly(h bool) Option { - return func(cs *csrf) { - // Note that the function and field names match the case of the - // related http.Cookie field instead of the "correct" HTTPOnly name - // that golint suggests. - cs.opts.HttpOnly = h - } -} - -// ErrorHandler allows you to change the handler called when CSRF request -// processing encounters an invalid token or request. A typical use would be to -// provide a handler that returns a static HTML file with a HTTP 403 status. By -// default a HTTP 403 status and a plain text CSRF failure reason are served. -// -// Note that a custom error handler can also access the csrf.FailureReason(r) -// function to retrieve the CSRF validation reason from the request context. -func ErrorHandler(h http.Handler) Option { - return func(cs *csrf) { - cs.opts.ErrorHandler = h - } -} - -// RequestHeader allows you to change the request header the CSRF middleware -// inspects. The default is X-CSRF-Token. -func RequestHeader(header string) Option { - return func(cs *csrf) { - cs.opts.RequestHeader = header - } -} - -// FieldName allows you to change the name attribute of the hidden <input> field -// inspected by this package. The default is 'gorilla.csrf.Token'. -func FieldName(name string) Option { - return func(cs *csrf) { - cs.opts.FieldName = name - } -} - -// CookieName changes the name of the CSRF cookie issued to clients. -// -// Note that cookie names should not contain whitespace, commas, semicolons, -// backslashes or control characters as per RFC6265. -func CookieName(name string) Option { - return func(cs *csrf) { - cs.opts.CookieName = name - } -} - -// setStore sets the store used by the CSRF middleware. -// Note: this is private (for now) to allow for internal API changes. -func setStore(s store) Option { - return func(cs *csrf) { - cs.st = s - } -} - -// parseOptions parses the supplied options functions and returns a configured -// csrf handler. -func parseOptions(h http.Handler, opts ...Option) *csrf { - // Set the handler to call after processing. - cs := &csrf{ - h: h, - } - - // Default to true. See Secure & HttpOnly function comments for rationale. - // Set here to allow package users to override the default. - cs.opts.Secure = true - cs.opts.HttpOnly = true - - // Range over each options function and apply it - // to our csrf type to configure it. Options functions are - // applied in order, with any conflicting options overriding - // earlier calls. - for _, option := range opts { - option(cs) - } - - return cs -} diff --git a/vendor/github.com/gorilla/csrf/store.go b/vendor/github.com/gorilla/csrf/store.go deleted file mode 100644 index 39f47ad..0000000 --- a/vendor/github.com/gorilla/csrf/store.go +++ /dev/null @@ -1,82 +0,0 @@ -package csrf - -import ( - "net/http" - "time" - - "github.com/gorilla/securecookie" -) - -// store represents the session storage used for CSRF tokens. -type store interface { - // Get returns the real CSRF token from the store. - Get(*http.Request) ([]byte, error) - // Save stores the real CSRF token in the store and writes a - // cookie to the http.ResponseWriter. - // For non-cookie stores, the cookie should contain a unique (256 bit) ID - // or key that references the token in the backend store. - // csrf.GenerateRandomBytes is a helper function for generating secure IDs. - Save(token []byte, w http.ResponseWriter) error -} - -// cookieStore is a signed cookie session store for CSRF tokens. -type cookieStore struct { - name string - maxAge int - secure bool - httpOnly bool - path string - domain string - sc *securecookie.SecureCookie -} - -// Get retrieves a CSRF token from the session cookie. It returns an empty token -// if decoding fails (e.g. HMAC validation fails or the named cookie doesn't exist). -func (cs *cookieStore) Get(r *http.Request) ([]byte, error) { - // Retrieve the cookie from the request - cookie, err := r.Cookie(cs.name) - if err != nil { - return nil, err - } - - token := make([]byte, tokenLength) - // Decode the HMAC authenticated cookie. - err = cs.sc.Decode(cs.name, cookie.Value, &token) - if err != nil { - return nil, err - } - - return token, nil -} - -// Save stores the CSRF token in the session cookie. -func (cs *cookieStore) Save(token []byte, w http.ResponseWriter) error { - // Generate an encoded cookie value with the CSRF token. - encoded, err := cs.sc.Encode(cs.name, token) - if err != nil { - return err - } - - cookie := &http.Cookie{ - Name: cs.name, - Value: encoded, - MaxAge: cs.maxAge, - HttpOnly: cs.httpOnly, - Secure: cs.secure, - Path: cs.path, - Domain: cs.domain, - } - - // Set the Expires field on the cookie based on the MaxAge - // If MaxAge <= 0, we don't set the Expires attribute, making the cookie - // session-only. - if cs.maxAge > 0 { - cookie.Expires = time.Now().Add( - time.Duration(cs.maxAge) * time.Second) - } - - // Write the authenticated cookie to the response. - http.SetCookie(w, cookie) - - return nil -} |