Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
## [Unreleased]

### Added
- CSRF protection: enable Rack::Session::Cookie (SameSite=Strict, HttpOnly) and Rack::Protection::AuthenticityToken on all state-changing endpoints; add authenticity_token to all HTML forms (@mattimustang)
- Security regression tests for CSRF token presence in rendered forms (@mattimustang)

### Changed

Expand Down
1 change: 1 addition & 0 deletions lib/oxidized/web/views/diffs.haml
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
- params = "node=#{@info[:node]}&group=#{@info[:group]}&oid=#{@info[:oid]}"
- params = "#{params}&epoch=#{@info[:time].to_i}&num=#{@info[:num]}"
%form{action: url_for("/node/version/diffs?#{params}"), method: 'post', role: 'form'}
%input{type: 'hidden', name: 'authenticity_token', value: Rack::Protection::AuthenticityToken.token(session)}
.form-group
%select.form-select#oid2{name: 'oid2'}
- diff2 = {}
Expand Down
1 change: 1 addition & 0 deletions lib/oxidized/web/views/layout.haml
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
%form.d-flex{role: 'search',
action: url_for('/nodes/conf_search'),
method: 'post'}
%input{type: 'hidden', name: 'authenticity_token', value: Rack::Protection::AuthenticityToken.token(session)}
%input.form-control.me-2{type: 'text',
name: 'search_in_conf_textbox',
placeholder: 'Search in Configs',
Expand Down
10 changes: 10 additions & 0 deletions lib/oxidized/web/webapp.rb
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,9 @@
require 'tilt/haml'
require 'htmlentities'
require 'charlock_holmes'
require 'rack/session'
require 'rack/protection'
require 'securerandom'
module Oxidized
module API
require 'oxidized/web/version'
Expand All @@ -13,6 +16,13 @@ class WebApp < Sinatra::Base
set :public_folder, proc { File.join(root, 'public') }
set :haml, { escape_html: false }

use Rack::Session::Cookie,
key: 'rack.session',
secret: SecureRandom.hex(32),
same_site: :strict,
http_only: true
use Rack::Protection::AuthenticityToken unless ENV['APP_ENV'] == 'test'

get '/' do
redirect url_for('/nodes')
end
Expand Down
47 changes: 47 additions & 0 deletions spec/web/csrf_spec.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
require_relative '../spec_helper'

describe Oxidized::API::WebApp do
include Rack::Test::Methods

def app
Oxidized::API::WebApp
end

before do
@nodes = mock('Oxidized::Nodes')
app.set(:nodes, @nodes)
end

describe 'CSRF protection' do
it 'includes authenticity_token in the conf_search form on every page' do
@nodes.stubs(:list).returns([])

get '/nodes'

_(last_response.ok?).must_equal true
_(last_response.body).must_include("name='authenticity_token'")
end

it 'includes authenticity_token in the version diffs form' do
versions = [{ oid: 'C006', time: Time.parse('2025-02-05 19:49:00 +0100') }]
diff = { patch: "- old line\n+ new line\n", stat: [1, 1] }
@nodes.stubs(:version).returns(versions)
@nodes.stubs(:get_diff).returns(diff)

get '/node/version/diffs?node=sw5&group=&oid=C006&epoch=0&num=1'

_(last_response.ok?).must_equal true
_(last_response.body).must_include("name='authenticity_token'")
end

it 'sets a SameSite=Strict session cookie' do
@nodes.stubs(:list).returns([])

get '/nodes'

_(last_response.ok?).must_equal true
cookie = last_response.headers['Set-Cookie'].to_s
_(cookie.downcase).must_include('samesite=strict')
end
end
end