Github user kxepal commented on a diff in the pull request:

    https://github.com/apache/couchdb-couch/pull/80#discussion_r36083909
  
    --- Diff: src/couch_httpd_csrf.erl ---
    @@ -0,0 +1,170 @@
    +% Licensed under the Apache License, Version 2.0 (the "License"); you may 
not
    +% use this file except in compliance with the License.  You may obtain a 
copy of
    +% the License at
    +%
    +%   http://www.apache.org/licenses/LICENSE-2.0
    +%
    +% Unless required by applicable law or agreed to in writing, software
    +% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    +% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the
    +% License for the specific language governing permissions and limitations 
under
    +% the License.
    +
    +%% This module provides optional CSRF protection to any client
    +%%
    +%% Clients should use the following pseudo code;
    +%% if (hasCookie("CouchDB-CSRF")) {
    +%%   setRequestHeader("X-CouchDB-CSRF", cookieValue("CouchDB-CSRF"));
    +%% } else {
    +%%   setRequestHeader("X-CouchDB-CSRF", "true")
    +%% }
    +%%
    +%% If CouchDB sees the CouchDB-CSRF cookie then it checks its validity
    +%% and whether the X-CouchDB-CSRF request header exists and matches.
    +%% A 403 is returned if those checks fail.
    +%% If CouchDB does not see the CouchDB-CSRF cookie but does see
    +%% the X-CouchDB-CSRF header with value "true", a CouchDB-CSRF cookie
    +%% is generated and returned.
    +
    +-module(couch_httpd_csrf).
    +
    +-export([validate/1, headers/2]).
    +
    +-include_lib("couch/include/couch_db.hrl").
    +
    +validate(#httpd{} = Req) ->
    +    Cookie = csrf_from_req(Req),
    +    Header = couch_httpd:header_value(Req, "X-CouchDB-CSRF"),
    +    case {Cookie, Header} of
    +        {undefined, undefined} ->
    +            ok;
    +        {undefined, "true"} ->
    +            ok;
    +        {"deleted", "true"} ->
    +            ok;
    +        {undefined, _} ->
    +            throw({forbidden, <<"CSRF header sent without cookie">>});
    +        {Csrf, Csrf} ->
    +            ok = validate(Csrf);
    +        _ ->
    +            throw({forbidden, <<"CSRF Cookie/Header mismatch">>})
    +    end;
    +%% Check that we generated this CSRF token
    +validate(Csrf) when is_list(Csrf) ->
    +    case decode_cookie(Csrf) of
    +        malformed ->
    +            throw({bad_request, <<"Malformed CSRF Cookie">>});
    +        Cookie ->
    +            case validate_cookie(Cookie) of
    +                true ->
    +                    ok;
    +                false ->
    +                    throw({forbidden, <<"CSRF Cookie invalid or 
expired">>})
    +            end
    +    end.
    +
    +
    +headers(#httpd{} = Req, Headers) ->
    +    Header = couch_httpd:header_value(Req, "X-CouchDB-CSRF"),
    +    case {csrf_from_req(Req), csrf_in_headers(Headers), Header} of
    +        {undefined, false, "true"} ->
    +            [make_cookie() | Headers];
    +        {"deleted", false, "true"} ->
    +            [make_cookie() | Headers];
    +        {Csrf, false, Csrf} when Csrf /= undefined ->
    +            case decode_cookie(Csrf) of
    +                malformed ->
    +                    [delete_cookie() | Headers];
    +                Cookie ->
    +                    case validate_cookie(Cookie) of
    +                        true ->
    +                            case refresh_cookie(Cookie) of
    +                                true ->
    +                                    [make_cookie() | Headers];
    +                                false ->
    +                                    Headers
    +                            end;
    +                        false ->
    +                            [delete_cookie() | Headers]
    +                    end
    +            end;
    +        _ ->
    +       Headers
    +    end.
    +
    +
    +make_cookie() ->
    +    Secret = ?l2b(ensure_csrf_secret()),
    +    Token = crypto:rand_bytes(8),
    +    Timestamp = timestamp(),
    +    Data = <<Token/binary, Timestamp:32>>,
    +    Hmac = crypto:sha_mac(Secret, Data),
    +    mochiweb_cookies:cookie("CouchDB-CSRF",
    +        couch_util:encodeBase64Url(<<Data/binary, Hmac/binary>>),
    +        [{path, "/"}, {max_age, max_age()}]).
    +
    +
    +delete_cookie() ->
    +    mochiweb_cookies:cookie("CouchDB-CSRF", "deleted",
    +        [{path, "/"}, {max_age, 0}]).
    +
    +csrf_from_req(#httpd{} = Req) ->
    +    case couch_httpd:header_value(Req, "Cookie") of
    +   undefined ->
    +       undefined;
    +   Value ->
    +       Cookies = mochiweb_cookies:parse_cookie(Value),
    +       couch_util:get_value("CouchDB-CSRF", Cookies)
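Review bot: make_cookie/0 draws the token with `Token = crypto:rand_bytes(8),`, and `crypto:rand_bytes/1` is documented by OTP as not cryptographically strong (it was later deprecated and removed); for a security token the call should be `Token = crypto:strong_rand_bytes(8),`. In the same function `crypto:sha_mac/2` is the deprecated spelling of the HMAC, and `Hmac = crypto:hmac(sha, Secret, Data),` is the supported form; the helper that verifies the tag (validate_cookie/1 is not in this hunk) presumably recomputes it and would need the same change. Neither substitution changes the cookie's wire format, so cookies already issued remain valid. csrf_from_req/1 starts at the end of the quoted hunk and its body continues outside it.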
    --- End diff --
    
    Tabs are used in lines 113-117.


