Redirect on bad CSRF instead of presenting bad page (#14937)

The current CSRF handler is a bit harsh with bad CSRF tokens on webpages
I think we can be a little kinder and redirect to base page with a flash error

Signed-off-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
zeripath 2021-07-08 14:57:24 +01:00 committed by GitHub
parent fc1607b368
commit d06f9ce274
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 31 additions and 5 deletions

View file

@ -11,6 +11,7 @@ import (
"strings" "strings"
"testing" "testing"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/test" "code.gitea.io/gitea/modules/test"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
@ -134,5 +135,13 @@ func TestCreateBranchInvalidCSRF(t *testing.T) {
"_csrf": "fake_csrf", "_csrf": "fake_csrf",
"new_branch_name": "test", "new_branch_name": "test",
}) })
session.MakeRequest(t, req, http.StatusBadRequest) resp := session.MakeRequest(t, req, http.StatusFound)
loc := resp.Header().Get("Location")
assert.Equal(t, setting.AppSubURL+"/", loc)
resp = session.MakeRequest(t, NewRequest(t, "GET", loc), http.StatusOK)
htmlDoc := NewHTMLParser(t, resp.Body)
assert.Equal(t,
"Bad Request: Invalid CSRF token",
strings.TrimSpace(htmlDoc.doc.Find(".ui.message").Text()),
)
} }

View file

@ -22,6 +22,7 @@ import (
"net/http" "net/http"
"time" "time"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/web/middleware" "code.gitea.io/gitea/modules/web/middleware"
"github.com/unknwon/com" "github.com/unknwon/com"
@ -266,7 +267,12 @@ func Validate(ctx *Context, x CSRF) {
-1, -1,
x.GetCookiePath(), x.GetCookiePath(),
x.GetCookieDomain()) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too? x.GetCookieDomain()) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
x.Error(ctx.Resp) if middleware.IsAPIPath(ctx.Req) {
x.Error(ctx.Resp)
return
}
ctx.Flash.Error(ctx.Tr("error.invalid_csrf"))
ctx.Redirect(setting.AppSubURL + "/")
} }
return return
} }
@ -277,10 +283,19 @@ func Validate(ctx *Context, x CSRF) {
-1, -1,
x.GetCookiePath(), x.GetCookiePath(),
x.GetCookieDomain()) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too? x.GetCookieDomain()) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
x.Error(ctx.Resp) if middleware.IsAPIPath(ctx.Req) {
x.Error(ctx.Resp)
return
}
ctx.Flash.Error(ctx.Tr("error.invalid_csrf"))
ctx.Redirect(setting.AppSubURL + "/")
} }
return return
} }
if middleware.IsAPIPath(ctx.Req) {
http.Error(ctx.Resp, "Bad Request: no CSRF token present", http.StatusBadRequest) http.Error(ctx.Resp, "Bad Request: no CSRF token present", http.StatusBadRequest)
return
}
ctx.Flash.Error(ctx.Tr("error.missing_csrf"))
ctx.Redirect(setting.AppSubURL + "/")
} }

View file

@ -100,6 +100,8 @@ never = Never
[error] [error]
occurred = An error has occurred occurred = An error has occurred
report_message = If you are sure this is a Gitea bug, please search for issue on <a href="https://github.com/go-gitea/gitea/issues">GitHub</a> and open new issue if necessary. report_message = If you are sure this is a Gitea bug, please search for issue on <a href="https://github.com/go-gitea/gitea/issues">GitHub</a> and open new issue if necessary.
missing_csrf = Bad Request: no CSRF token present
invalid_csrf = Bad Request: Invalid CSRF token
[startpage] [startpage]
app_desc = A painless, self-hosted Git service app_desc = A painless, self-hosted Git service