Skip to content

Conversation

@savas5445
Copy link

What type of PR is this? (check all applicable)

  • Refactor
  • Feature
  • Bug Fix
  • Optimization
  • Documentation Update
  • Go Version Update
  • Dependency Update

Description

Related Tickets & Documents

  • Related Issue #
  • Closes #

Added/updated tests?

  • Yes
  • No, and this is why: please replace this line with details on why tests
    have not been included
  • I need help with writing tests

Run verifications and test

  • make verify is passing
  • make test is passing

elithrar and others added 30 commits February 13, 2016 09:00
- subtle.ConstantTimeCompare did not check for matching slice lengths prior to Go
  1.3 (fixed in https://codereview.appspot.com/118750043).
- gorilla/csrf was released a year after this came into place.
- Our TravisCI tests did not test against older versions of Go, and this wasn't
  caught as a result.
- Have added Go 1.2 and Go 1.3 to the TravisCI config to address any future
  issues.
[bugfix] Compare token fix


- subtle.ConstantTimeCompare did not check for matching slice lengths prior to Go
  1.3 (fixed in https://codereview.appspot.com/118750043).
- gorilla/csrf was released a year after this came into place.
- Our TravisCI tests did not test against older versions of Go, and this wasn't
  caught as a result.
- Have added Go 1.2 and Go 1.3 to the TravisCI config to address any future
  regressions.
[ci] Update .travis.yml to build Go 1.6
- Go 1.7 adds a context.Context to the *http.Request. We now use this instead of
  gorilla/context for >= Go 1.7.
- NOTE: this introduces a minor breaking change to the public API due to the
  shallow copy made in http.Request.WithContext. UnsafeSkipCheck now returns a
  *http.Request to allow the copied request to be saved by the caller. Package
  users who do NOT save the returned request will not skip the CSRF check (fails
  closed).
- As per gorilla#38 - we now support a MaxAge of 0 to allow for session cookie support.
  gorilla/csrf's CSRF tokens are designed to be reasonably long lived (12
  hours), but there are some applications that require this.
- Note that setting a MaxAge < 0 will default to 12 hours, so you must
  explcitly set csrf.MaxAge(0) to invoke this behaviour.
* Fix package import
* Explicitly load templates
* Fix `HandleFunc` invocation
kisielk and others added 29 commits December 7, 2018 08:48
* [build] Add CircleCI config
* Remove CI jobs for Go 1.6 and below.
* Add trusted origins feature

Closes gorilla#116

* Refactor Trusted Origins feature to be more like Django.

Instead of accepting []*url.URL, which can cause weird problems, now TrustedOrigins accept []string, which is the list of hosts accepted by the middleware...So the schema doesn't matter anymore and it's more friendly to use.

* Add table driven tests for the Trusted Origins feature as requested

* Fix documentation of the TrustedOrigins feature

* Add a section describing the Trusted Origins feature for Javascript applications on the README

* Add more test cases for the table driven tests for the TrustedOrigins feature

* Fix documentation of the TrustedOrigins feature so the lint error is fixed
* Add SameSite with build constraied
* Update options test
* Fix after feedback
* Add docs
…illa#132)

Also add a comment over SameSiteDefaultMode discouraging its use.
* change: set SameSite=Lax by default
* deps: update errors to v0.9.1
* build: add go 1.13, go 1.14
* docs: update SameSiteDefaultMode godoc
…ssage (gorilla#149)

* Fix wrong error being reported when token missing in request
* Remove a condition that never becomes true
* Add myself to the list of AUTHORS assuming this is good style
* Fix minor style issue
Signed-off-by: Corey Daley <[email protected]>
)

<!--
For Work In Progress Pull Requests, please use the Draft PR feature,
see https://github.blog/2019-02-14-introducing-draft-pull-requests/ for
further details.

     For a timely review/response, please avoid force-pushing additional
     commits if your PR already received reviews or comments.

     Before submitting a Pull Request, please ensure that you have:
- 📖 Read the Contributing guide:
https://github.com/gorilla/.github/blob/main/CONTRIBUTING.md
- 📖 Read the Code of Conduct:
https://github.com/gorilla/.github/blob/main/CODE_OF_CONDUCT.md

     - Provide tests for your changes.
     - Use descriptive commit messages.
	 - Comment your code where appropriate.
	 - Squash your commits
     - Update any related documentation.

     - Add gorilla/pull-request-reviewers as a Reviewer
-->

## What type of PR is this? (check all applicable)

- [ ] Refactor
- [ ] Feature
- [ ] Bug Fix
- [ ] Optimization
- [ ] Documentation Update

## Description

## Related Tickets & Documents

<!--
For pull requests that relate or close an issue, please include them
below. We like to follow [Github's guidance on linking issues to pull
requests](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue).

For example having the text: "closes #1234" would connect the current
pull
request to issue 1234.  And when we merge the pull request, Github will
automatically close the issue.
-->

- Related Issue #
- Closes #

## Added/updated tests?

- [ ] Yes
- [ ] No, and this is why: _please replace this line with details on why
tests
      have not been included_
- [ ] I need help with writing tests

## Run verifications and test

- [ ] `make verify` is passing
- [ ] `make test` is passing
<!--
For Work In Progress Pull Requests, please use the Draft PR feature,
see https://github.blog/2019-02-14-introducing-draft-pull-requests/ for
further details.

     For a timely review/response, please avoid force-pushing additional
     commits if your PR already received reviews or comments.

     Before submitting a Pull Request, please ensure that you have:
- 📖 Read the Contributing guide:
https://github.com/gorilla/.github/blob/main/CONTRIBUTING.md
- 📖 Read the Code of Conduct:
https://github.com/gorilla/.github/blob/main/CODE_OF_CONDUCT.md

     - Provide tests for your changes.
     - Use descriptive commit messages.
	 - Comment your code where appropriate.
	 - Squash your commits
     - Update any related documentation.

     - Add gorilla/pull-request-reviewers as a Reviewer
-->

## What type of PR is this? (check all applicable)

- [ ] Refactor
- [ ] Feature
- [ ] Bug Fix
- [ ] Optimization
- [ ] Documentation Update

## Description

## Related Tickets & Documents

<!--
For pull requests that relate or close an issue, please include them
below. We like to follow [Github's guidance on linking issues to pull
requests](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue).

For example having the text: "closes #1234" would connect the current
pull
request to issue 1234.  And when we merge the pull request, Github will
automatically close the issue.
-->

- Related Issue #
- Closes #

## Added/updated tests?

- [ ] Yes
- [ ] No, and this is why: _please replace this line with details on why
tests
      have not been included_
- [ ] I need help with writing tests

## Run verifications and test

- [ ] `make verify` is passing
- [ ] `make test` is passing
<!--
For Work In Progress Pull Requests, please use the Draft PR feature,
see https://github.blog/2019-02-14-introducing-draft-pull-requests/ for
further details.

     For a timely review/response, please avoid force-pushing additional
     commits if your PR already received reviews or comments.

     Before submitting a Pull Request, please ensure that you have:
- 📖 Read the Contributing guide:
https://github.com/gorilla/.github/blob/main/CONTRIBUTING.md
- 📖 Read the Code of Conduct:
https://github.com/gorilla/.github/blob/main/CODE_OF_CONDUCT.md

     - Provide tests for your changes.
     - Use descriptive commit messages.
	 - Comment your code where appropriate.
	 - Squash your commits
     - Update any related documentation.

     - Add gorilla/pull-request-reviewers as a Reviewer
-->

## What type of PR is this? (check all applicable)

- [ ] Refactor
- [ ] Feature
- [ ] Bug Fix
- [ ] Optimization
- [ ] Documentation Update

## Description

## Related Tickets & Documents

<!--
For pull requests that relate or close an issue, please include them
below. We like to follow [Github's guidance on linking issues to pull
requests](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue).

For example having the text: "closes #1234" would connect the current
pull
request to issue 1234.  And when we merge the pull request, Github will
automatically close the issue.
-->

- Related Issue #
- Closes #

## Added/updated tests?

- [ ] Yes
- [ ] No, and this is why: _please replace this line with details on why
tests
      have not been included_
- [ ] I need help with writing tests

## Run verifications and test

- [ ] `make verify` is passing
- [ ] `make test` is passing

Signed-off-by: Corey Daley <[email protected]>
…#162)

Fixes gorilla#158, which is essentially that
1. none of the examples in the README for working with a JavaScript
frontend will work without proper CORS config on the backend
2. there is no example at all for using the HTTP header instead of
getting the CSRF token from the hidden form field

**Summary of Changes**

I have merged/copied over these simplified examples from my own
repository of working examples.

I was not sure how the maintainers may want to reference these examples
in the main README. Copying them over to the README verbatim would be
putting a lot of code into the README, but without changing the current
README, the content there differs significantly from the examples.

---------

Co-authored-by: Corey Daley <[email protected]>
<!--
For Work In Progress Pull Requests, please use the Draft PR feature,
see https://github.blog/2019-02-14-introducing-draft-pull-requests/ for
further details.

     For a timely review/response, please avoid force-pushing additional
     commits if your PR already received reviews or comments.

     Before submitting a Pull Request, please ensure that you have:
- 📖 Read the Contributing guide:
https://github.com/gorilla/.github/blob/main/CONTRIBUTING.md
- 📖 Read the Code of Conduct:
https://github.com/gorilla/.github/blob/main/CODE_OF_CONDUCT.md

     - Provide tests for your changes.
     - Use descriptive commit messages.
	 - Comment your code where appropriate.
	 - Squash your commits
     - Update any related documentation.

     - Add gorilla/pull-request-reviewers as a Reviewer
-->

## What type of PR is this? (check all applicable)

- [x] Refactor
- [ ] Feature
- [ ] Bug Fix
- [ ] Optimization
- [ ] Documentation Update
- [ ] Go Version Update
- [ ] Dependency Update

## Description

## Related Tickets & Documents

<!--
For pull requests that relate or close an issue, please include them
below. We like to follow [Github's guidance on linking issues to pull
requests](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue).

For example having the text: "closes #1234" would connect the current
pull
request to issue 1234.  And when we merge the pull request, Github will
automatically close the issue.
-->

- Related Issue #
- Closes #

## Added/updated tests?

- [ ] Yes
- [ ] No, and this is why: _please replace this line with details on why
tests
      have not been included_
- [ ] I need help with writing tests

## Run verifications and test

- [x] `make verify` is passing
- [x] `make test` is passing
<!--
For Work In Progress Pull Requests, please use the Draft PR feature,
see https://github.blog/2019-02-14-introducing-draft-pull-requests/ for
further details.

     For a timely review/response, please avoid force-pushing additional
     commits if your PR already received reviews or comments.

     Before submitting a Pull Request, please ensure that you have:
- 📖 Read the Contributing guide:
https://github.com/gorilla/.github/blob/main/CONTRIBUTING.md
- 📖 Read the Code of Conduct:
https://github.com/gorilla/.github/blob/main/CODE_OF_CONDUCT.md

     - Provide tests for your changes.
     - Use descriptive commit messages.
	 - Comment your code where appropriate.
	 - Squash your commits
     - Update any related documentation.

     - Add gorilla/pull-request-reviewers as a Reviewer
-->

## What type of PR is this? (check all applicable)

- [ ] Refactor
- [ ] Feature
- [ ] Bug Fix
- [ ] Optimization
- [ ] Documentation Update
- [ ] Go Version Update
- [x] Dependency Update

## Description

## Related Tickets & Documents

<!--
For pull requests that relate or close an issue, please include them
below. We like to follow [Github's guidance on linking issues to pull
requests](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue).

For example having the text: "closes #1234" would connect the current
pull
request to issue 1234.  And when we merge the pull request, Github will
automatically close the issue.
-->

- Related Issue #
- Closes #

## Added/updated tests?

- [x] Yes
- [ ] No, and this is why: _please replace this line with details on why
tests
      have not been included_
- [ ] I need help with writing tests

## Run verifications and test

- [x] `make verify` is passing
- [x] `make test` is passing
* csrf: use context to determine TLS state

r.URL.Scheme is never populated for "server" requests, and so the
referer check never runs.

Instead we now ask the caller application to signal this explicitly via
request conext, and then enforce the check accordingly.

Separately, browsers do not always send the full URL as a Referer,
especially in the same-origin context meaning we cannot compare its host
against our trusted origin list. If the referer does not contain a host
we populate r.URL.Host with r.Host which is expected to be sent by all
clients as the first header of their request.

Add tests against the Origin header before attempting to enforce
same-origin restrictions using the Referer header.

Matching the Django CSRF behavior: if the Origin is present in either
the cleartext or TLS case we will evaluate it.

IFF we are in TLS and we have no Origin we will evaluate the Referer
against the allowlist. In doing so we take care to permit "path only"
Referers that are sent in same-origin context.

* add csrf.TLSRequest helper API to set request TLS context

Add a csrf.TLSRequest public API method that sets the appropriate TLS
context key and signals to the midldeware the need to run the
additiontal Referer checks.

* Enable Referer-based origin checks by default

Reverse the default position and presume that that the server is using
TLS either directly or via an upstream proxy and require the user to
explicitly disable referer-based checks.

This safe default means that users that upgrade the library without
making any other code changes will benefit from the Referer checks that
they thought were active already. Without this change we risk that some
codebases will mistakenly remain vulnerable even while using a patched
version of the library.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.