Add X-Requested-With header to prevent CSRF

server/api/api.go

@@ -18,6 +18,11 @@ import (
 	"github.com/mattermost/focalboard/server/utils"
 )
 
+const (
+	HEADER_REQUESTED_WITH     = "X-Requested-With"
+	HEADER_REQUESTED_WITH_XML = "XMLHttpRequest"
+)
+
 // ----------------------------------------------------------------------------------------------------
 // REST APIs
 
@@ -35,35 +40,65 @@ func (a *API) app() *app.App {
 }
 
 func (a *API) RegisterRoutes(r *mux.Router) {
-	r.HandleFunc("/api/v1/blocks", a.sessionRequired(a.handleGetBlocks)).Methods("GET")
-	r.HandleFunc("/api/v1/blocks", a.sessionRequired(a.handlePostBlocks)).Methods("POST")
-	r.HandleFunc("/api/v1/blocks/{blockID}", a.sessionRequired(a.handleDeleteBlock)).Methods("DELETE")
-	r.HandleFunc("/api/v1/blocks/{blockID}/subtree", a.attachSession(a.handleGetSubTree, false)).Methods("GET")
+	apiv1 := r.PathPrefix("/api/v1").Subrouter()
+	apiv1.Use(a.requireCSRFToken)
+
+	apiv1.HandleFunc("/blocks", a.sessionRequired(a.handleGetBlocks)).Methods("GET")
+	apiv1.HandleFunc("/blocks", a.sessionRequired(a.handlePostBlocks)).Methods("POST")
+	apiv1.HandleFunc("/blocks/{blockID}", a.sessionRequired(a.handleDeleteBlock)).Methods("DELETE")
+	apiv1.HandleFunc("/blocks/{blockID}/subtree", a.attachSession(a.handleGetSubTree, false)).Methods("GET")
+
+	apiv1.HandleFunc("/users/me", a.sessionRequired(a.handleGetMe)).Methods("GET")
+	apiv1.HandleFunc("/users/{userID}", a.sessionRequired(a.handleGetUser)).Methods("GET")
+	apiv1.HandleFunc("/users/{userID}/changepassword", a.sessionRequired(a.handleChangePassword)).Methods("POST")
 
-	r.HandleFunc("/api/v1/users/me", a.sessionRequired(a.handleGetMe)).Methods("GET")
-	r.HandleFunc("/api/v1/users/{userID}", a.sessionRequired(a.handleGetUser)).Methods("GET")
-	r.HandleFunc("/api/v1/users/{userID}/changepassword", a.sessionRequired(a.handleChangePassword)).Methods("POST")
+	apiv1.HandleFunc("/#", a.handleLogin).Methods("POST")
+	apiv1.HandleFunc("/register", a.handleRegister).Methods("POST")
 
-	r.HandleFunc("/api/v1/#", a.handleLogin).Methods("POST")
-	r.HandleFunc("/api/v1/register", a.handleRegister).Methods("POST")
+	apiv1.HandleFunc("/blocks/export", a.sessionRequired(a.handleExport)).Methods("GET")
+	apiv1.HandleFunc("/blocks/import", a.sessionRequired(a.handleImport)).Methods("POST")
 
-	r.HandleFunc("/api/v1/files", a.sessionRequired(a.handleUploadFile)).Methods("POST")
-	r.HandleFunc("/files/{filename}", a.sessionRequired(a.handleServeFile)).Methods("GET")
+	apiv1.HandleFunc("/sharing/{rootID}", a.sessionRequired(a.handlePostSharing)).Methods("POST")
+	apiv1.HandleFunc("/sharing/{rootID}", a.sessionRequired(a.handleGetSharing)).Methods("GET")
 
-	r.HandleFunc("/api/v1/blocks/export", a.sessionRequired(a.handleExport)).Methods("GET")
-	r.HandleFunc("/api/v1/blocks/import", a.sessionRequired(a.handleImport)).Methods("POST")
+	apiv1.HandleFunc("/workspace", a.sessionRequired(a.handleGetWorkspace)).Methods("GET")
+	apiv1.HandleFunc("/workspace/regenerate_#_token", a.sessionRequired(a.handlePostWorkspaceRegenerate#Token)).Methods("POST")
 
-	r.HandleFunc("/api/v1/sharing/{rootID}", a.sessionRequired(a.handlePostSharing)).Methods("POST")
-	r.HandleFunc("/api/v1/sharing/{rootID}", a.sessionRequired(a.handleGetSharing)).Methods("GET")
+	// Files API
 
-	r.HandleFunc("/api/v1/workspace", a.sessionRequired(a.handleGetWorkspace)).Methods("GET")
-	r.HandleFunc("/api/v1/workspace/regenerate_#_token", a.sessionRequired(a.handlePostWorkspaceRegenerate#Token)).Methods("POST")
+	files := r.PathPrefix("/files/").Subrouter()
+	files.Use(a.requireCSRFToken)
+
+	files.HandleFunc("/", a.sessionRequired(a.handleUploadFile)).Methods("POST")
+	files.HandleFunc("/{filename}", a.sessionRequired(a.handleServeFile)).Methods("GET")
 }
 
 func (a *API) RegisterAdminRoutes(r *mux.Router) {
 	r.HandleFunc("/api/v1/admin/users/{username}/password", a.adminRequired(a.handleAdminSetPassword)).Methods("POST")
 }
 
+func (a *API) requireCSRFToken(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if !a.checkCSRFToken(r) {
+			log.Println("checkCSRFToken FAILED")
+			errorResponse(w, http.StatusBadRequest, nil, nil)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}
+
+func (a *API) checkCSRFToken(r *http.Request) bool {
+	token := r.Header.Get(HEADER_REQUESTED_WITH)
+
+	if token == HEADER_REQUESTED_WITH_XML {
+		return true
+	}
+
+	return false
+}
+
 func (a *API) handleGetBlocks(w http.ResponseWriter, r *http.Request) {
 	query := r.URL.Query()
 	parentID := query.Get("parent_id")

server/client/client.go

@@ -65,7 +65,10 @@ type Client struct {
 
 func NewClient(url string) *Client {
 	url = strings.TrimRight(url, "/")
-	return &Client{url, url + API_URL_SUFFIX, &http.Client{}, map[string]string{}}
+	headers := map[string]string{
+		"X-Requested-With": "XMLHttpRequest",
+	}
+	return &Client{url, url + API_URL_SUFFIX, &http.Client{}, headers}
 }
 
 func (c *Client) DoApiGet(url string, etag string) (*http.Response, error) {

webapp/src/octoClient.ts

@@ -87,6 +87,7 @@ class OctoClient {
             Accept: 'application/json',
             'Content-Type': 'application/json',
             Authorization: this.token ? 'Bearer ' + this.token : '',
+            'X-Requested-With': 'XMLHttpRequest',
         }
     }