cutelyst 4.4.0
A C++ Web Framework built on top of Qt, using the simple approach of Catalyst (Perl) framework.
csrfprotection.cpp
1/*
2 * SPDX-FileCopyrightText: (C) 2017-2022 Matthias Fehring <mf@huessenbergnetz.de>
3 * SPDX-License-Identifier: BSD-3-Clause
4 */
5
6#include "csrfprotection_p.h"
7
8#include <Cutelyst/Action>
9#include <Cutelyst/Application>
10#include <Cutelyst/Context>
11#include <Cutelyst/Controller>
12#include <Cutelyst/Dispatcher>
13#include <Cutelyst/Engine>
14#include <Cutelyst/Headers>
15#include <Cutelyst/Plugins/Session/Session>
16#include <Cutelyst/Request>
17#include <Cutelyst/Response>
18#include <Cutelyst/Upload>
19#include <Cutelyst/utils.h>
20#include <algorithm>
21#include <utility>
22#include <vector>
23
24#include <QLoggingCategory>
25#include <QNetworkCookie>
26#include <QUrl>
27#include <QUuid>
28
29Q_LOGGING_CATEGORY(C_CSRFPROTECTION, "cutelyst.plugin.csrfprotection", QtWarningMsg)
30
31using namespace Cutelyst;
32
33// NOLINTNEXTLINE(cppcoreguidelines-avoid-non-const-global-variables)
34static thread_local CSRFProtection *csrf = nullptr;
35const QRegularExpression CSRFProtectionPrivate::sanitizeRe{u"[^a-zA-Z0-9\\-_]"_qs};
36// Assume that anything not defined as 'safe' by RFC7231 needs protection
37const QByteArrayList CSRFProtectionPrivate::secureMethods = QByteArrayList({
38 "GET",
39 "HEAD",
40 "OPTIONS",
41 "TRACE",
42});
43const QByteArray CSRFProtectionPrivate::allowedChars{
44 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_"_qba};
45const QString CSRFProtectionPrivate::sessionKey{u"_csrftoken"_qs};
46const QString CSRFProtectionPrivate::stashKeyCookie{u"_c_csrfcookie"_qs};
47const QString CSRFProtectionPrivate::stashKeyCookieUsed{u"_c_csrfcookieused"_qs};
48const QString CSRFProtectionPrivate::stashKeyCookieNeedsReset{u"_c_csrfcookieneedsreset"_qs};
49const QString CSRFProtectionPrivate::stashKeyCookieSet{u"_c_csrfcookieset"_qs};
50const QString CSRFProtectionPrivate::stashKeyProcessingDone{u"_c_csrfprocessingdone"_qs};
51const QString CSRFProtectionPrivate::stashKeyCheckPassed{u"_c_csrfcheckpassed"_qs};
52
53CSRFProtection::CSRFProtection(Application *parent)
54 : Plugin(parent)
55 , d_ptr(new CSRFProtectionPrivate)
56{
57}
58
59CSRFProtection::CSRFProtection(Application *parent, const QVariantMap &defaultConfig)
60 : Plugin(parent)
61 , d_ptr(new CSRFProtectionPrivate)
62{
63 Q_D(CSRFProtection);
64 d->defaultConfig = defaultConfig;
65}
66
67CSRFProtection::~CSRFProtection() = default;
68
69bool CSRFProtection::setup(Application *app)
70{
71 Q_D(CSRFProtection);
72
73 app->loadTranslations(u"plugin_csrfprotection"_qs);
74
75 const QVariantMap config = app->engine()->config(u"Cutelyst_CSRFProtection_Plugin"_qs);
76
77 bool cookieExpirationOk = false;
78 const QString cookieExpireStr =
79 config
80 .value(u"cookie_expiration"_qs,
81 config.value(
82 u"cookie_age"_qs,
83 d->defaultConfig.value(
84 u"cookie_expiration"_qs,
85 static_cast<qint64>(std::chrono::duration_cast<std::chrono::seconds>(
86 CSRFProtectionPrivate::cookieDefaultExpiration)
87 .count()))))
88 .toString();
89 d->cookieExpiration = std::chrono::duration_cast<std::chrono::seconds>(
90 Utils::durationFromString(cookieExpireStr, &cookieExpirationOk));
91 if (!cookieExpirationOk) {
92 qCWarning(C_CSRFPROTECTION).nospace() << "Invalid value set for cookie_expiration. "
93 "Using default value "
94#if QT_VERSION >= QT_VERSION_CHECK(6, 6, 0)
95 << CSRFProtectionPrivate::cookieDefaultExpiration;
96#else
97 << "1 year";
98#endif
99 d->cookieExpiration = CSRFProtectionPrivate::cookieDefaultExpiration;
100 }
101
102 d->cookieDomain =
103 config.value(u"cookie_domain"_qs, d->defaultConfig.value(u"cookie_domain"_qs)).toString();
104 if (d->cookieName.isEmpty()) {
105 d->cookieName = "csrftoken";
106 }
107 d->cookiePath = u"/"_qs;
108
109 const QString _sameSite =
110 config
111 .value(u"cookie_same_site"_qs,
112 d->defaultConfig.value(u"cookie_same_site"_qs, u"strict"_qs))
113 .toString();
114 if (_sameSite.compare(u"default", Qt::CaseInsensitive) == 0) {
115 d->cookieSameSite = QNetworkCookie::SameSite::Default;
116 } else if (_sameSite.compare(u"none", Qt::CaseInsensitive) == 0) {
117 d->cookieSameSite = QNetworkCookie::SameSite::None;
118 } else if (_sameSite.compare(u"lax", Qt::CaseInsensitive) == 0) {
119 d->cookieSameSite = QNetworkCookie::SameSite::Lax;
120 } else if (_sameSite.compare(u"strict", Qt::CaseInsensitive) == 0) {
121 d->cookieSameSite = QNetworkCookie::SameSite::Strict;
122 } else {
123 qCWarning(C_CSRFPROTECTION).nospace() << "Invalid value set for cookie_same_site. "
124 "Using default value "
125 << QNetworkCookie::SameSite::Strict;
126 d->cookieSameSite = QNetworkCookie::SameSite::Strict;
127 }
128
129 d->cookieSecure =
130 config.value(u"cookie_secure"_qs, d->defaultConfig.value(u"cookie_secure"_qs, false))
131 .toBool();
132
133 if ((d->cookieSameSite == QNetworkCookie::SameSite::None) && !d->cookieSecure) {
134 qCWarning(C_CSRFPROTECTION)
135 << "cookie_same_site has been set to None but cookie_secure is "
136 "not set to true. Implicitely setting cookie_secure to true. "
137 "Please check your configuration.";
138 d->cookieSecure = true;
139 }
140
141 if (d->headerName.isEmpty()) {
142 d->headerName = "X_CSRFTOKEN";
143 }
144
145 d->trustedOrigins =
146 config.value(u"trusted_origins"_qs, d->defaultConfig.value(u"trusted_origins"_qs))
147 .toString()
148 .split(u',', Qt::SkipEmptyParts);
149 if (d->formInputName.isEmpty()) {
150 d->formInputName = "csrfprotectiontoken";
151 }
152 d->logFailedIp =
153 config.value(u"log_failed_ip"_qs, d->defaultConfig.value(u"log_failed_ip"_qs, false))
154 .toBool();
155 if (d->errorMsgStashKey.isEmpty()) {
156 d->errorMsgStashKey = u"error_msg"_qs;
157 }
158
159 connect(app, &Application::postForked, this, [](Application *app) {
160 csrf = app->plugin<CSRFProtection *>();
161 });
162
163 connect(app, &Application::beforeDispatch, this, [d](Context *c) { d->beforeDispatch(c); });
164
165 return true;
166}
167
168void CSRFProtection::setDefaultDetachTo(const QString &actionNameOrPath)
169{
170 Q_D(CSRFProtection);
171 d->defaultDetachTo = actionNameOrPath;
172}
173
174void CSRFProtection::setFormFieldName(const QByteArray &fieldName)
175{
176 Q_D(CSRFProtection);
177 d->formInputName = fieldName;
178}
179
180QByteArray CSRFProtection::formFieldName() noexcept
181{
182 if (!csrf) {
183 qCCritical(C_CSRFPROTECTION) << "CSRFProtection plugin not registered";
184 return {};
185 }
186
187 return csrf->d_ptr->formInputName;
188}
189
190void CSRFProtection::setErrorMsgStashKey(const QString &keyName)
191{
192 Q_D(CSRFProtection);
193 d->errorMsgStashKey = keyName;
194}
195
196void CSRFProtection::setIgnoredNamespaces(const QStringList &namespaces)
197{
198 Q_D(CSRFProtection);
199 d->ignoredNamespaces = namespaces;
200}
201
202void CSRFProtection::setUseSessions(bool useSessions)
203{
204 Q_D(CSRFProtection);
205 d->useSessions = useSessions;
206}
207
208void CSRFProtection::setCookieHttpOnly(bool httpOnly)
209{
210 Q_D(CSRFProtection);
211 d->cookieHttpOnly = httpOnly;
212}
213
214void CSRFProtection::setCookieName(const QByteArray &cookieName)
215{
216 Q_D(CSRFProtection);
217 d->cookieName = cookieName;
218}
219
220void CSRFProtection::setHeaderName(const QByteArray &headerName)
221{
222 Q_D(CSRFProtection);
223 d->headerName = headerName;
224}
225
226void CSRFProtection::setGenericErrorMessage(const QString &message)
227{
228 Q_D(CSRFProtection);
229 d->genericErrorMessage = message;
230}
231
232void CSRFProtection::setGenericErrorContentType(const QByteArray &type)
233{
234 Q_D(CSRFProtection);
235 d->genericContentType = type;
236}
237
238QByteArray CSRFProtection::getToken(Context *c)
239{
240 QByteArray token;
241
242 const QByteArray contextCookie = c->stash(CSRFProtectionPrivate::stashKeyCookie).toByteArray();
243 QByteArray secret;
244 if (contextCookie.isEmpty()) {
245 secret = CSRFProtectionPrivate::getNewCsrfString();
246 token = CSRFProtectionPrivate::saltCipherSecret(secret);
247 c->setStash(CSRFProtectionPrivate::stashKeyCookie, token);
248 } else {
249 secret = CSRFProtectionPrivate::unsaltCipherToken(contextCookie);
250 token = CSRFProtectionPrivate::saltCipherSecret(secret);
251 }
252
253 c->setStash(CSRFProtectionPrivate::stashKeyCookieUsed, true);
254
255 return token;
256}
257
258QString CSRFProtection::getTokenFormField(Context *c)
259{
260 QString form;
261
262 if (!csrf) {
263 qCCritical(C_CSRFPROTECTION) << "CSRFProtection plugin not registered";
264 return form;
265 }
266
267 form = QStringLiteral("<input type=\"hidden\" name=\"%1\" value=\"%2\" />")
268 .arg(QString::fromLatin1(CSRFProtection::formFieldName()),
269 QString::fromLatin1(CSRFProtection::getToken(c)));
270
271 return form;
272}
273
274bool CSRFProtection::checkPassed(Context *c)
275{
276 if (CSRFProtectionPrivate::secureMethods.contains(c->req()->method())) {
277 return true;
278 } else {
279 return c->stash(CSRFProtectionPrivate::stashKeyCheckPassed).toBool();
280 }
281}
282
283// void CSRFProtection::rotateToken(Context *c)
284//{
285// c->setStash(CSRFProtectionPrivate::stashKeyCookieUsed, true);
286// c->setStash(QString CSRFProtectionPrivate::stashKeyCookie,
287// CSRFProtectionPrivate::getNewCsrfToken());
288// c->setStash(CSRFProtectionPrivate::stashKeyCookieNeedsReset, true);
289// }
290
295QByteArray CSRFProtectionPrivate::getNewCsrfString()
296{
297 QByteArray csrfString;
298
299 while (csrfString.size() < CSRFProtectionPrivate::secretLength) {
300 csrfString.append(QUuid::createUuid().toRfc4122().toBase64(QByteArray::Base64UrlEncoding |
301 QByteArray::OmitTrailingEquals));
302 }
303
304 csrfString.resize(CSRFProtectionPrivate::secretLength);
305
306 return csrfString;
307}
308
314QByteArray CSRFProtectionPrivate::saltCipherSecret(const QByteArray &secret)
315{
316 QByteArray salted;
317 salted.reserve(CSRFProtectionPrivate::tokenLength);
318
319 const QByteArray salt = CSRFProtectionPrivate::getNewCsrfString();
320 std::vector<std::pair<int, int>> pairs;
321 pairs.reserve(std::min(secret.size(), salt.size()));
322 for (int i = 0; i < std::min(secret.size(), salt.size()); ++i) {
323 pairs.emplace_back(CSRFProtectionPrivate::allowedChars.indexOf(secret.at(i)),
324 CSRFProtectionPrivate::allowedChars.indexOf(salt.at(i)));
325 }
326
327 QByteArray cipher;
328 cipher.reserve(CSRFProtectionPrivate::secretLength);
329 for (const auto &p : std::as_const(pairs)) {
330 cipher.append(
331 CSRFProtectionPrivate::allowedChars[(p.first + p.second) %
332 CSRFProtectionPrivate::allowedChars.size()]);
333 }
334
335 salted = salt + cipher;
336
337 return salted;
338}
339
346QByteArray CSRFProtectionPrivate::unsaltCipherToken(const QByteArray &token)
347{
348 QByteArray secret;
349 secret.reserve(CSRFProtectionPrivate::secretLength);
350
351 const QByteArray salt = token.left(CSRFProtectionPrivate::secretLength);
352 const QByteArray _token = token.mid(CSRFProtectionPrivate::secretLength);
353
354 std::vector<std::pair<int, int>> pairs;
355 pairs.reserve(std::min(salt.size(), _token.size()));
356 for (int i = 0; i < std::min(salt.size(), _token.size()); ++i) {
357 pairs.emplace_back(CSRFProtectionPrivate::allowedChars.indexOf(_token.at(i)),
358 CSRFProtectionPrivate::allowedChars.indexOf(salt.at(i)));
359 }
360
361 for (const auto &p : std::as_const(pairs)) {
362 QByteArray::size_type idx = p.first - p.second;
363 if (idx < 0) {
364 idx = CSRFProtectionPrivate::allowedChars.size() + idx;
365 }
366 secret.append(CSRFProtectionPrivate::allowedChars.at(idx));
367 }
368
369 return secret;
370}
371
377QByteArray CSRFProtectionPrivate::getNewCsrfToken()
378{
379 return CSRFProtectionPrivate::saltCipherSecret(CSRFProtectionPrivate::getNewCsrfString());
380}
381
387QByteArray CSRFProtectionPrivate::sanitizeToken(const QByteArray &token)
388{
389 QByteArray sanitized;
390
391 const QString tokenString = QString::fromLatin1(token);
392 if (tokenString.contains(CSRFProtectionPrivate::sanitizeRe) ||
393 token.size() != CSRFProtectionPrivate::tokenLength) {
394 sanitized = CSRFProtectionPrivate::getNewCsrfToken();
395 } else {
396 sanitized = token;
397 }
398
399 return sanitized;
400}
401
406QByteArray CSRFProtectionPrivate::getToken(Context *c)
407{
408 QByteArray token;
409
410 if (!csrf) {
411 qCCritical(C_CSRFPROTECTION) << "CSRFProtection plugin not registered";
412 return token;
413 }
414
415 if (csrf->d_ptr->useSessions) {
416 token = Session::value(c, CSRFProtectionPrivate::sessionKey).toByteArray();
417 } else {
418 QByteArray cookieToken = c->req()->cookie(csrf->d_ptr->cookieName);
419 if (cookieToken.isEmpty()) {
420 return token;
421 }
422
423 token = CSRFProtectionPrivate::sanitizeToken(cookieToken);
424 if (token != cookieToken) {
425 c->setStash(CSRFProtectionPrivate::stashKeyCookieNeedsReset, true);
426 }
427 }
428
429 qCDebug(C_CSRFPROTECTION) << "Got token" << token << "from"
430 << (csrf->d_ptr->useSessions ? "sessions" : "cookie");
431
432 return token;
433}
434
439void CSRFProtectionPrivate::setToken(Context *c)
440{
441 if (!csrf) {
442 qCCritical(C_CSRFPROTECTION) << "CSRFProtection plugin not registered";
443 return;
444 }
445
446 if (csrf->d_ptr->useSessions) {
447 Session::setValue(c,
448 CSRFProtectionPrivate::sessionKey,
449 c->stash(CSRFProtectionPrivate::stashKeyCookie).toByteArray());
450 } else {
451 QNetworkCookie cookie(csrf->d_ptr->cookieName,
452 c->stash(CSRFProtectionPrivate::stashKeyCookie).toByteArray());
453 if (!csrf->d_ptr->cookieDomain.isEmpty()) {
454 cookie.setDomain(csrf->d_ptr->cookieDomain);
455 }
456 if (csrf->d_ptr->cookieExpiration.count() == 0) {
457 cookie.setExpirationDate(QDateTime());
458 } else {
459#if QT_VERSION >= QT_VERSION_CHECK(6, 4, 0)
460 cookie.setExpirationDate(
461 QDateTime::currentDateTime().addDuration(csrf->d_ptr->cookieExpiration));
462#else
463 cookie.setExpirationDate(
464 QDateTime::currentDateTime().addSecs(csrf->d_ptr->cookieExpiration.count()));
465#endif
466 }
467 cookie.setHttpOnly(csrf->d_ptr->cookieHttpOnly);
468 cookie.setPath(csrf->d_ptr->cookiePath);
469 cookie.setSecure(csrf->d_ptr->cookieSecure);
470 cookie.setSameSitePolicy(csrf->d_ptr->cookieSameSite);
471 c->res()->setCookie(cookie);
472 c->res()->headers().pushHeader("Vary"_qba, "Cookie"_qba);
473 }
474
475 qCDebug(C_CSRFPROTECTION) << "Set token"
476 << c->stash(CSRFProtectionPrivate::stashKeyCookie).toByteArray()
477 << "to" << (csrf->d_ptr->useSessions ? "session" : "cookie");
478}
479
485void CSRFProtectionPrivate::reject(Context *c,
486 const QString &logReason,
487 const QString &displayReason)
488{
489 c->setStash(CSRFProtectionPrivate::stashKeyCheckPassed, false);
490
491 if (!csrf) {
492 qCCritical(C_CSRFPROTECTION) << "CSRFProtection plugin not registered";
493 return;
494 }
495
496 if (C_CSRFPROTECTION().isWarningEnabled()) {
497 if (csrf->d_ptr->logFailedIp) {
498 qCWarning(C_CSRFPROTECTION).nospace().noquote()
499 << "Forbidden: (" << logReason << "): " << c->req()->path() << " ["
500 << c->req()->addressString() << "]";
501 } else {
502 qCWarning(C_CSRFPROTECTION).nospace().noquote()
503 << "Forbidden: (" << logReason << "): " << c->req()->path()
504 << " [IP logging disabled]";
505 }
506 }
507
508 c->res()->setStatus(Response::Forbidden);
509 c->setStash(csrf->d_ptr->errorMsgStashKey, displayReason);
510
511 QString detachToCsrf = c->action()->attribute(u"CSRFDetachTo"_qs);
512 if (detachToCsrf.isEmpty()) {
513 detachToCsrf = csrf->d_ptr->defaultDetachTo;
514 }
515
516 Action *detachToAction = nullptr;
517
518 if (!detachToCsrf.isEmpty()) {
519 detachToAction = c->controller()->actionFor(detachToCsrf);
520 if (!detachToAction) {
521 detachToAction = c->dispatcher()->getActionByPath(detachToCsrf);
522 }
523 if (!detachToAction) {
524 qCWarning(C_CSRFPROTECTION)
525 << "Can not find action for" << detachToCsrf << "to detach to";
526 }
527 }
528
529 if (detachToAction) {
530 c->detach(detachToAction);
531 } else {
532 c->res()->setStatus(Response::Forbidden);
533 if (!csrf->d_ptr->genericErrorMessage.isEmpty()) {
534 c->res()->setBody(csrf->d_ptr->genericErrorMessage);
535 c->res()->setContentType(csrf->d_ptr->genericContentType);
536 } else {
537 //% "403 Forbidden - CSRF protection check failed"
538 const QString title = c->qtTrId("cutelyst-csrf-generic-error-page-title");
539 c->res()->setBody(QStringLiteral("<!DOCTYPE html>\n"
540 "<html xmlns=\"http://www.w3.org/1999/xhtml\">\n"
541 " <head>\n"
542 " <title>") +
543 title +
544 QStringLiteral("</title>\n"
545 " </head>\n"
546 " <body>\n"
547 " <h1>") +
548 title +
549 QStringLiteral("</h1>\n"
550 " <p>") +
551 displayReason +
552 QStringLiteral("</p>\n"
553 " </body>\n"
554 "</html>\n"));
555 c->res()->setContentType("text/html; charset=utf-8"_qba);
556 }
557 c->finalize();
558 }
559}
560
561void CSRFProtectionPrivate::accept(Context *c)
562{
563 c->setStash(CSRFProtectionPrivate::stashKeyCheckPassed, true);
564 c->setStash(CSRFProtectionPrivate::stashKeyProcessingDone, true);
565}
566
571bool CSRFProtectionPrivate::compareSaltedTokens(const QByteArray &t1, const QByteArray &t2)
572{
573 const QByteArray _t1 = CSRFProtectionPrivate::unsaltCipherToken(t1);
574 const QByteArray _t2 = CSRFProtectionPrivate::unsaltCipherToken(t2);
575
576 // to avoid timing attack
577 QByteArray::size_type diff = _t1.size() ^ _t2.size();
578 for (QByteArray::size_type i = 0; i < _t1.size() && i < _t2.size(); i++) {
579 diff |= _t1[i] ^ _t2[i];
580 }
581 return diff == 0;
582}
583
588void CSRFProtectionPrivate::beforeDispatch(Context *c)
589{
590 if (!csrf) {
591 CSRFProtectionPrivate::reject(c,
592 u"CSRFProtection plugin not registered"_qs,
593 //% "The CSRF protection plugin has not been registered."
594 c->qtTrId("cutelyst-csrf-reject-not-registered"));
595 return;
596 }
597
598 const QByteArray csrfToken = CSRFProtectionPrivate::getToken(c);
599 if (!csrfToken.isNull()) {
600 c->setStash(CSRFProtectionPrivate::stashKeyCookie, csrfToken);
601 } else {
602 CSRFProtection::getToken(c);
603 }
604
605 if (c->stash(CSRFProtectionPrivate::stashKeyProcessingDone).toBool()) {
606 return;
607 }
608
609 if (c->action()->attributes().contains(u"CSRFIgnore"_qs)) {
610 qCDebug(C_CSRFPROTECTION).noquote().nospace()
611 << "Action " << c->action()->className() << "::" << c->action()->reverse()
612 << " is ignored by the CSRF protection";
613 return;
614 }
615
616 if (csrf->d_ptr->ignoredNamespaces.contains(c->action()->ns())) {
617 if (!c->action()->attributes().contains(u"CSRFRequire"_qs)) {
618 qCDebug(C_CSRFPROTECTION)
619 << "Namespace" << c->action()->ns() << "is ignored by the CSRF protection";
620 return;
621 }
622 }
623
624 // only check the tokens if the method is not secure, e.g. POST
625 // the following methods are secure according to RFC 7231: GET, HEAD, OPTIONS and TRACE
626 if (!CSRFProtectionPrivate::secureMethods.contains(c->req()->method())) {
627
628 bool ok = true;
629
630 // Suppose user visits http://example.com/
631 // An active network attacker (man-in-the-middle, MITM) sends a POST form that targets
632 // https://example.com/detonate-bomb/ and submits it via JavaScript.
633 //
634 // The attacker will need to provide a CSRF cookie and token, but that's no problem for a
635 // MITM and the session-independent secret we're using. So the MITM can circumvent the CSRF
636 // protection. This is true for any HTTP connection, but anyone using HTTPS expects better!
637 // For this reason, for https://example.com/ we need additional protection that treats
638 // http://example.com/ as completely untrusted. Under HTTPS, Barth et al. found that the
639 // Referer header is missing for same-domain requests in only about 0.2% of cases or less,
640 // so we can use strict Referer checking.
641 if (c->req()->secure()) {
642 const auto referer = c->req()->headers().referer();
643
644 if (Q_UNLIKELY(referer.isEmpty())) {
645 CSRFProtectionPrivate::reject(c,
646 u"Referer checking failed - no Referer"_qs,
647 //% "Referrer checking failed - no Referrer."
648 c->qtTrId("cutelyst-csrf-reject-no-referer"));
649 ok = false;
650 } else {
651 const QUrl refererUrl(QString::fromLatin1(referer));
652 if (Q_UNLIKELY(!refererUrl.isValid())) {
653 CSRFProtectionPrivate::reject(
654 c,
655 u"Referer checking failed - Referer is malformed"_qs,
656 //% "Referrer checking failed - Referrer is malformed."
657 c->qtTrId("cutelyst-csrf-reject-referer-malformed"));
658 ok = false;
659 } else {
660 if (Q_UNLIKELY(refererUrl.scheme() != QLatin1String("https"))) {
661 CSRFProtectionPrivate::reject(
662 c,
663 u"Referer checking failed - Referer is insecure while "
664 "host is secure"_qs,
665 //% "Referrer checking failed - Referrer is insecure while host "
666 //% "is secure."
667 c->qtTrId("cutelyst-csrf-reject-refer-insecure"));
668 ok = false;
669 } else {
670 // If there isn't a CSRF_COOKIE_DOMAIN, require an exact match on host:port.
671 // If not, obey the cookie rules (or those for the session cookie, if we
672 // use sessions
673 constexpr int httpPort = 80;
674 constexpr int httpsPort = 443;
675
676 const QUrl uri = c->req()->uri();
677 QString goodReferer;
678 if (!csrf->d_ptr->useSessions) {
679 goodReferer = csrf->d_ptr->cookieDomain;
680 }
681 if (goodReferer.isEmpty()) {
682 goodReferer = uri.host();
683 }
684 const int serverPort = uri.port(c->req()->secure() ? httpsPort : httpPort);
685 if ((serverPort != httpPort) && (serverPort != httpsPort)) {
686 goodReferer += u':' + QString::number(serverPort);
687 }
688
689 QStringList goodHosts = csrf->d_ptr->trustedOrigins;
690 goodHosts.append(goodReferer);
691
692 QString refererHost = refererUrl.host();
693 const int refererPort = refererUrl.port(
694 refererUrl.scheme().compare(u"https") == 0 ? httpsPort : httpPort);
695 if ((refererPort != httpPort) && (refererPort != httpsPort)) {
696 refererHost += u':' + QString::number(refererPort);
697 }
698
699 bool refererCheck = false;
700 for (const auto &host : std::as_const(goodHosts)) {
701 if ((host.startsWith(u'.') &&
702 (refererHost.endsWith(host) || (refererHost == host.mid(1)))) ||
703 host == refererHost) {
704 refererCheck = true;
705 break;
706 }
707 }
708
709 if (Q_UNLIKELY(!refererCheck)) {
710 ok = false;
711 CSRFProtectionPrivate::reject(
712 c,
713 u"Referer checking failed - %1 does not match any "
714 "trusted origins"_qs.arg(QString::fromLatin1(referer)),
715 //% "Referrer checking failed - %1 does not match any "
716 //% "trusted origin."
717 c->qtTrId("cutelyst-csrf-reject-referer-no-trust")
718 .arg(QString::fromLatin1(referer)));
719 }
720 }
721 }
722 }
723 }
724
725 if (Q_LIKELY(ok)) {
726 if (Q_UNLIKELY(csrfToken.isEmpty())) {
727 CSRFProtectionPrivate::reject(c,
728 u"CSRF cookie not set"_qs,
729 //% "CSRF cookie not set."
730 c->qtTrId("cutelyst-csrf-reject-no-cookie"));
731 ok = false;
732 } else {
733
734 QByteArray requestCsrfToken;
735 // delete does not have body data
736 if (!c->req()->isDelete()) {
737 if (c->req()->contentType().compare("multipart/form-data") == 0) {
738 // everything is an upload, even our token
739 Upload *upload =
740 c->req()->upload(QString::fromLatin1(csrf->d_ptr->formInputName));
741 if (upload && upload->size() < 1024 /*FIXME*/) {
742 requestCsrfToken = upload->readAll();
743 }
744 } else
745 requestCsrfToken =
746 c->req()
747 ->bodyParam(QString::fromLatin1(csrf->d_ptr->formInputName))
748 .toLatin1();
749 }
750
751 if (requestCsrfToken.isEmpty()) {
752 requestCsrfToken = c->req()->header(csrf->d_ptr->headerName);
753 if (Q_LIKELY(!requestCsrfToken.isEmpty())) {
754 qCDebug(C_CSRFPROTECTION) << "Got token" << requestCsrfToken
755 << "from HTTP header" << csrf->d_ptr->headerName;
756 } else {
757 qCDebug(C_CSRFPROTECTION)
758 << "Can not get token from HTTP header or form field.";
759 }
760 } else {
761 qCDebug(C_CSRFPROTECTION) << "Got token" << requestCsrfToken
762 << "from form field" << csrf->d_ptr->formInputName;
763 }
764
765 requestCsrfToken = CSRFProtectionPrivate::sanitizeToken(requestCsrfToken);
766
767 if (Q_UNLIKELY(
768 !CSRFProtectionPrivate::compareSaltedTokens(requestCsrfToken, csrfToken))) {
769 CSRFProtectionPrivate::reject(c,
770 u"CSRF token missing or incorrect"_qs,
771 //% "CSRF token missing or incorrect."
772 c->qtTrId("cutelyst-csrf-reject-token-missin"));
773 ok = false;
774 }
775 }
776 }
777
778 if (Q_LIKELY(ok)) {
779 CSRFProtectionPrivate::accept(c);
780 }
781 }
782
783 // Set the CSRF cookie even if it's already set, so we renew
784 // the expiry timer.
785
786 if (!c->stash(CSRFProtectionPrivate::stashKeyCookieNeedsReset).toBool()) {
787 if (c->stash(CSRFProtectionPrivate::stashKeyCookieSet).toBool()) {
788 return;
789 }
790 }
791
792 if (!c->stash(CSRFProtectionPrivate::stashKeyCookieUsed).toBool()) {
793 return;
794 }
795
796 CSRFProtectionPrivate::setToken(c);
797 c->setStash(CSRFProtectionPrivate::stashKeyCookieSet, true);
798}
799
800#include "moc_csrfprotection.cpp"
Cutelyst::Action
This class represents a Cutelyst Action.
Definition: action.h:35
Cutelyst::Action::ns
QString ns() const noexcept
Definition: action.cpp:118
Cutelyst::Action::className
QString className() const noexcept
Definition: action.cpp:86
Cutelyst::Action::attributes
ParamsMultiMap attributes() const noexcept
Definition: action.cpp:68
Cutelyst::Action::attribute
QString attribute(const QString &name, const QString &defaultValue={}) const
Definition: action.cpp:74
Cutelyst::Application
The Cutelyst application.
Definition: application.h:66
Cutelyst::Application::engine
Engine * engine() const noexcept
Definition: application.cpp:233
Cutelyst::Application::beforeDispatch
void beforeDispatch(Cutelyst::Context *c)
Cutelyst::Application::loadTranslations
void loadTranslations(const QString &filename, const QString &directory={}, const QString &prefix={}, const QString &suffix={})
Definition: application.cpp:523
Cutelyst::Application::postForked
void postForked(Cutelyst::Application *app)
Cutelyst::CSRFProtection
Protect input forms against Cross Site Request Forgery (CSRF/XSRF) attacks.
Definition: csrfprotection.h:235
Cutelyst::CSRFProtection::formFieldName
static QByteArray formFieldName() noexcept
Definition: csrfprotection.cpp:180
Cutelyst::CSRFProtection::checkPassed
static bool checkPassed(Context *c)
Definition: csrfprotection.cpp:274
Cutelyst::CSRFProtection::setUseSessions
void setUseSessions(bool useSessions)
Definition: csrfprotection.cpp:202
Cutelyst::CSRFProtection::setIgnoredNamespaces
void setIgnoredNamespaces(const QStringList &namespaces)
Definition: csrfprotection.cpp:196
Cutelyst::CSRFProtection::setDefaultDetachTo
void setDefaultDetachTo(const QString &actionNameOrPath)
Definition: csrfprotection.cpp:168
Cutelyst::CSRFProtection::setGenericErrorContentType
void setGenericErrorContentType(const QByteArray &type)
Definition: csrfprotection.cpp:232
Cutelyst::CSRFProtection::setHeaderName
void setHeaderName(const QByteArray &headerName)
Definition: csrfprotection.cpp:220
Cutelyst::CSRFProtection::setErrorMsgStashKey
void setErrorMsgStashKey(const QString &keyName)
Definition: csrfprotection.cpp:190
Cutelyst::CSRFProtection::setFormFieldName
void setFormFieldName(const QByteArray &fieldName)
Definition: csrfprotection.cpp:174
Cutelyst::CSRFProtection::setCookieHttpOnly
void setCookieHttpOnly(bool httpOnly)
Definition: csrfprotection.cpp:208
Cutelyst::CSRFProtection::getToken
static QByteArray getToken(Context *c)
Definition: csrfprotection.cpp:238
Cutelyst::CSRFProtection::setGenericErrorMessage
void setGenericErrorMessage(const QString &message)
Definition: csrfprotection.cpp:226
Cutelyst::CSRFProtection::setup
bool setup(Application *app) override
Definition: csrfprotection.cpp:69
Cutelyst::CSRFProtection::setCookieName
void setCookieName(const QByteArray &cookieName)
Definition: csrfprotection.cpp:214
Cutelyst::CSRFProtection::getTokenFormField
static QString getTokenFormField(Context *c)
Definition: csrfprotection.cpp:258
Cutelyst::CSRFProtection::CSRFProtection
CSRFProtection(Application *parent)
Definition: csrfprotection.cpp:53
Cutelyst::Component::reverse
QString reverse() const noexcept
Definition: component.cpp:45
Cutelyst::Context
The Cutelyst Context.
Definition: context.h:42
Cutelyst::Context::stash
void stash(const QVariantHash &unite)
Definition: context.cpp:562
Cutelyst::Context::detach
void detach(Action *action=nullptr)
Definition: context.cpp:339
Cutelyst::Context::res
Response * res() const noexcept
Definition: context.cpp:103
Cutelyst::Context::setStash
void setStash(const QString &key, const QVariant &value)
Definition: context.cpp:212
Cutelyst::Context::req
Request * req
Definition: context.h:66
Cutelyst::Context::controller
Controller * controller
Definition: context.h:75
Cutelyst::Context::qtTrId
QString qtTrId(const char *id, int n=-1) const
Definition: context.h:656
Cutelyst::Context::action
Action * action
Definition: context.h:47
Cutelyst::Context::dispatcher
Dispatcher * dispatcher() const noexcept
Definition: context.cpp:139
Cutelyst::Controller::actionFor
Action * actionFor(QStringView name) const
Definition: controller.cpp:259
Cutelyst::Dispatcher::getActionByPath
Action * getActionByPath(QStringView path) const
Definition: dispatcher.cpp:232
Cutelyst::Engine::config
QVariantMap config(const QString &entity) const
Definition: engine.cpp:263
Cutelyst::Headers::referer
QByteArray referer() const noexcept
Definition: headers.cpp:310
Cutelyst::Headers::pushHeader
void pushHeader(const QByteArray &key, const QByteArray &value)
Definition: headers.cpp:460
Cutelyst::Plugin
Base class for Cutelyst Plugins.
Definition: plugin.h:25
Cutelyst::Request::addressString
QString addressString() const
Definition: request.cpp:39
Cutelyst::Request::isDelete
bool isDelete() const noexcept
Definition: request.cpp:354
Cutelyst::Request::cookie
QByteArray cookie(QByteArrayView name) const
Definition: request.cpp:277
Cutelyst::Request::upload
Upload * upload(QStringView name) const
Definition: request.h:626
Cutelyst::Request::headers
Headers headers() const noexcept
Definition: request.cpp:312
Cutelyst::Request::bodyParam
QString bodyParam(const QString &key, const QString &defaultValue={}) const
Definition: request.h:571
Cutelyst::Request::header
QByteArray header(QByteArrayView key) const noexcept
Definition: request.h:611
Cutelyst::Response::setContentType
void setContentType(const QByteArray &type)
Definition: response.h:238
Cutelyst::Response::setStatus
void setStatus(quint16 status) noexcept
Definition: response.cpp:72
Cutelyst::Response::setBody
void setBody(QIODevice *body)
Definition: response.cpp:103
Cutelyst::Response::headers
Headers & headers() noexcept
Cutelyst::Response::setCookie
void setCookie(const QNetworkCookie &cookie)
Definition: response.cpp:212
Cutelyst::Session::value
static QVariant value(Context *c, const QString &key, const QVariant &defaultValue=QVariant())
Definition: session.cpp:168
Cutelyst::Session::setValue
static void setValue(Context *c, const QString &key, const QVariant &value)
Definition: session.cpp:183
Cutelyst::Upload
Cutelyst Upload handles file upload requests.
Definition: upload.h:26
Cutelyst::Upload::size
qint64 size() const override
Definition: upload.cpp:138
Cutelyst::Utils::durationFromString
CUTELYST_EXPORT std::chrono::microseconds durationFromString(QStringView str, bool *ok=nullptr)
Definition: utils.cpp:291
Cutelyst
The Cutelyst namespace holds all public Cutelyst API.
Definition: group-core-actions.dox:1