From 8671702cd7c7c1d207a014f242bdfcdca5f3a16c Mon Sep 17 00:00:00 2001
From: Greg Guthe <gguthe@mozilla.com>
Date: Thu, 31 Aug 2017 15:25:35 -0400
Subject: [PATCH] validate csrf headers

---
 server/src/middleware/csrf.js | 62 ++++++++++++++++++++++++++++++++++-
 server/src/server.js          |  4 +--
 test/server/test_csrf.py      | 55 +++++++++++++++++++++++--------
 3 files changed, 105 insertions(+), 16 deletions(-)

diff --git a/server/src/middleware/csrf.js b/server/src/middleware/csrf.js
index 029e3bbbeb..3e2e5ff03b 100644
--- a/server/src/middleware/csrf.js
+++ b/server/src/middleware/csrf.js
@@ -8,7 +8,67 @@ const config = require("../config").getProperties();
 
 const useSecureCsrfCookie = (config.expectProtocol && /^https$/.test(config.expectProtocol));
 
-exports.csrfProtection = csrf({cookie: {httpOnly: true, secure: useSecureCsrfCookie}});
+const csrfMiddleware = csrf({
+  cookie: {httpOnly: true, secure: useSecureCsrfCookie}
+});
+
+const csrfExemptMiddleware = csrf({
+  ignoreMethods: ["PATCH", "POST", "PUT"],
+  cookie: {httpOnly: true, secure: useSecureCsrfCookie}
+});
+
+
+function isAuthPath(path) {
+  return path === "/api/register" || path === "/api/login";
+}
+
+function isCsrfExemptPath(path) {
+  return isAuthPath(path)
+    || path.startsWith("/data")
+    || path === "/event"
+    || path === "/error";
+}
+
+function csrfHeadersValid(req) {
+  const origin = req.headers.origin;
+  const referer = req.headers.referer;
+
+  if (isAuthPath(req.path)) {
+    // web ext background scripts don't send headers
+    return origin === undefined && referer === undefined;
+  }
+
+  return true;
+}
+
+function csrfInvalidHeaderResponse(req, res) {
+  mozlog.warn("bad-csrf-headers", {ip: req.ip, url: req.url, origin: req.headers.origin, referer: req.headers.referer});
+  res.status(403);
+  res.type("text");
+  res.send("Invalid CSRF Headers");
+}
+
+const ignoreMethods = {
+  "GET": true,
+  "HEAD": true,
+  "OPTIONS": true
+};
+
+exports.csrfProtection = function(req, res, next) {
+  // check origin and referer headers
+  if (!(ignoreMethods[req.method.toUpperCase()] || csrfHeadersValid(req))) {
+    csrfInvalidHeaderResponse(req, res);
+    return;
+  }
+
+  if (isCsrfExemptPath(req.path)) {
+    // just set csrf cookie and attach req.csrfToken
+    csrfExemptMiddleware(req, res, next);
+    return;
+  }
+  // also validate csrf token for unignored http methods
+  csrfMiddleware(req, res, next);
+};
 
 exports.csrf = function(req, res, next) {
   // The cookies library doesn't detect duplicates; check manually
diff --git a/server/src/server.js b/server/src/server.js
index b49f2cfbc6..aed85226d6 100644
--- a/server/src/server.js
+++ b/server/src/server.js
@@ -449,7 +449,7 @@ app.post("/event", function(req, res) {
   });
 });
 
-app.post("/api/register", function(req, res) {
+app.post("/api/register", csrfProtection, function(req, res) {
   let vars = req.body;
   let canUpdate = vars.deviceId === req.deviceId;
   if (!vars.deviceId) {
@@ -516,7 +516,7 @@ function sendAuthInfo(req, res, params) {
 }
 
 
-app.post("/api/login", function(req, res) {
+app.post("/api/login", csrfProtection, function(req, res) {
   let vars = req.body;
   let deviceInfo = {};
   try {
diff --git a/test/server/test_csrf.py b/test/server/test_csrf.py
index aef95f1260..aa3a80017b 100644
--- a/test/server/test_csrf.py
+++ b/test/server/test_csrf.py
@@ -1,5 +1,6 @@
-from clientlib import screenshots_session
+from clientlib import ScreenshotsClient, screenshots_session
 from urlparse import urljoin, urlsplit
+import json
 import random
 import re
 
@@ -10,7 +11,7 @@
 
 def assert_httponly_csrf_cookie(response, cookie_name='_csrf'):
     "Test helper"
-    assert response.cookies.get(cookie_name)  # cookie exits
+    assert response.cookies.get(cookie_name)  # cookie exists
     csrf_cookie = [c for c in response.cookies if c.name == cookie_name][0]
     assert csrf_cookie.has_nonstandard_attr('HttpOnly')  # is HttpOnly
 
@@ -19,7 +20,7 @@ def test_leave_screenshots_with_valid_csrftoken_ok():
     with screenshots_session() as user:
         leave_resp = user.session.get(user.backend + "/leave-screenshots/")
         assert leave_resp.status_code == 200
-        assert_httponly_csrf_cookie(leave_resp)
+        assert_httponly_csrf_cookie(user.session)
 
         page = leave_resp.text
         csrf_match = re.search(r'<input.*name="_csrf".*value="([^"]*)"', page)
@@ -34,7 +35,7 @@ def test_leave_screenshots_with_invalid_csrftoken_fails():
     with screenshots_session() as user:
         leave_resp = user.session.get(user.backend + "/leave-screenshots/")
         assert leave_resp.status_code == 200
-        assert_httponly_csrf_cookie(leave_resp)
+        assert_httponly_csrf_cookie(user.session)
 
         resp = user.session.post(
             urljoin(user.backend, "/leave-screenshots/leave"),
@@ -48,7 +49,7 @@ def test_leave_screenshots_without_csrftoken_fails():
     with screenshots_session() as user:
         leave_resp = user.session.get(user.backend + "/leave-screenshots/")
         assert leave_resp.status_code == 200
-        assert_httponly_csrf_cookie(leave_resp)
+        assert_httponly_csrf_cookie(user.session)
 
         resp = user.session.post(
             urljoin(user.backend, "/leave-screenshots/leave"))
@@ -61,7 +62,7 @@ def test_leave_screenshots_with_get_fails():
     with screenshots_session() as user:
         leave_resp = user.session.get(user.backend + "/leave-screenshots/")
         assert leave_resp.status_code == 200
-        assert_httponly_csrf_cookie(leave_resp)
+        assert_httponly_csrf_cookie(user.session)
 
         page = leave_resp.text
         csrf_match = re.search(r'<input.*name="_csrf".*value="([^"]*)"', page)
@@ -76,17 +77,16 @@ def test_leave_screenshots_with_get_fails():
 def test_leave_screenshots_with_duplicate_csrf_cookies_fails():
     with screenshots_session() as user:
         leave_resp = user.session.get(user.backend + "/leave-screenshots/")
-        print(leave_resp.cookies.get('_csrf'))
         assert leave_resp.status_code == 200
-        assert_httponly_csrf_cookie(leave_resp)
+        assert_httponly_csrf_cookie(user.session)
 
         page = leave_resp.text
         csrf_match = re.search(r'<input.*name="_csrf".*value="([^"]*)"', page)
         csrf = csrf_match.group(1)
         resp = user.session.post(
             urljoin(user.backend, "/leave-screenshots/leave"),
-            cookies={'_csrf': leave_resp.cookies.get('_csrf'),   # noqa: F601
-                         '_csrf': leave_resp.cookies.get('_csrf')},  # noqa: F601
+            cookies={'_csrf': user.session.cookies.get('_csrf'),   # noqa: F601
+                     '_csrf': user.session.cookies.get('_csrf')},  # noqa: F601
             json={"_csrf": csrf})
         assert resp.status_code == 400
 
@@ -113,13 +113,13 @@ def test_get_shot_sets_csrf_cookie():
 
         resp = user.session.get(shot_url)
         resp.raise_for_status()
-        assert_httponly_csrf_cookie(resp)
+        assert_httponly_csrf_cookie(user.session)
 
 
 def test_get_my_shots_sets_csrf_cookie():
     with screenshots_session() as user:
-        resp = user.read_my_shots()  # raises on error
-        assert_httponly_csrf_cookie(resp)
+        user.read_my_shots()  # raises on error
+        assert_httponly_csrf_cookie(user.session)
 
 
 def test_delete_shot_with_valid_csrftoken_ok():
@@ -293,6 +293,33 @@ def test_disconnect_device_without_csrftoken_fails():
         assert resp.status_code == 403  # Bad CSRF Token
 
 
+def test_login_with_invalid_headers():
+    # might belong in test_auth.py instead
+    unauthed_user = ScreenshotsClient()
+    resp = unauthed_user.session.post(
+        urljoin(unauthed_user.backend, "/api/login"),
+        headers=dict(origin="https://localhost:8080"),
+        data=dict(secret=unauthed_user.secret,
+                  deviceInfo=json.dumps(unauthed_user.deviceInfo)))
+
+    print resp.text
+    assert resp.status_code == 403  # Invalid CSRF Headers
+
+
+def test_register_with_invalid_headers():
+    # might belong in test_auth.py instead
+    unauthed_user = ScreenshotsClient()
+    resp = unauthed_user.session.post(
+        urljoin(unauthed_user.backend, "/api/register"),
+        headers=dict(referer="https://localhost:8080/1Zv4srJfp50f5LaJ/localhost"),
+        data=dict(deviceId=unauthed_user.deviceId,
+                  secret=unauthed_user.secret,
+                  deviceInfo=json.dumps(unauthed_user.deviceInfo)))
+
+    print resp.text
+    assert resp.status_code == 403  # Invalid CSRF Headers
+
+
 if __name__ == "__main__":
     test_leave_screenshots_with_valid_csrftoken_ok()
     test_leave_screenshots_with_invalid_csrftoken_fails()
@@ -317,3 +344,5 @@ def test_disconnect_device_without_csrftoken_fails():
     test_disconnect_device_with_valid_csrftoken_ok()
     test_disconnect_device_with_invalid_csrftoken_fails()
     test_disconnect_device_without_csrftoken_fails()
+    test_login_with_invalid_headers()
+    test_register_with_invalid_headers()