diff options
| author | James Feist <james.feist@linux.intel.com> | 2020-04-09 04:32:33 +0300 |
|---|---|---|
| committer | James Feist <james.feist@linux.intel.com> | 2020-04-15 19:17:29 +0300 |
| commit | f8aa3d2704d3897eb724dab9ac596af8b1f0e33e (patch) | |
| tree | c2e3a2017b70cae0c6e139276e91afda0fe9dfcc | |
| parent | 043a05366c1fe54d7b9ef883292d0cd2d01c66b2 (diff) | |
| download | bmcweb-f8aa3d2704d3897eb724dab9ac596af8b1f0e33e.tar.xz | |
Add CSRF check into websockets
This adds CSRF check into websockets to avoid
attacks on websockets.
Tested: Could no longer use crosssite scripting to
open websocket. KVM and SOL still work once web-ui
changes are updated
Change-Id: I325079ae3d4db2701671564dff733e034d2670d6
Signed-off-by: James Feist <james.feist@linux.intel.com>
| -rw-r--r-- | http/websocket.h | 17 | ||||
| -rw-r--r-- | include/sessions.hpp | 1 | ||||
| -rw-r--r-- | include/token_authorization_middleware.hpp | 1 |
3 files changed, 17 insertions, 2 deletions
diff --git a/http/websocket.h b/http/websocket.h index c467d25594..ad090e086c 100644 --- a/http/websocket.h +++ b/http/websocket.h @@ -72,7 +72,7 @@ template <typename Adaptor> class ConnectionImpl : public Connection openHandler(std::move(open_handler)), messageHandler(std::move(message_handler)), closeHandler(std::move(close_handler)), - errorHandler(std::move(error_handler)) + errorHandler(std::move(error_handler)), session(reqIn.session) { BMCWEB_LOG_DEBUG << "Creating new connection " << this; } @@ -94,8 +94,20 @@ template <typename Adaptor> class ConnectionImpl : public Connection // Perform the websocket upgrade ws.async_accept_ex( req, - [protocol{std::string(protocol)}]( + [session{session}, protocol{std::string(protocol)}]( boost::beast::websocket::response_type& m) { + +#ifndef BMCWEB_INSECURE_DISABLE_CSRF_PREVENTION + // use protocol for csrf checking + if (session->cookieAuth && + !crow::utility::constantTimeStringCompare( + protocol, session->csrfToken)) + { + BMCWEB_LOG_ERROR << "Websocket CSRF error"; + m.result(boost::beast::http::status::unauthorized); + return; + } +#endif if (!protocol.empty()) { m.insert(bf::sec_websocket_protocol, protocol); @@ -262,6 +274,7 @@ template <typename Adaptor> class ConnectionImpl : public Connection std::function<void(Connection&, const std::string&, bool)> messageHandler; std::function<void(Connection&, const std::string&)> closeHandler; std::function<void(Connection&)> errorHandler; + std::shared_ptr<crow::persistent_data::UserSession> session; }; } // namespace websocket } // namespace crow diff --git a/include/sessions.hpp b/include/sessions.hpp index 4144705776..8ff903a439 100644 --- a/include/sessions.hpp +++ b/include/sessions.hpp @@ -39,6 +39,7 @@ struct UserSession std::string csrfToken; std::chrono::time_point<std::chrono::steady_clock> lastUpdated; PersistenceType persistence; + bool cookieAuth = false; /** * @brief Fills object with data from UserSession's JSON representation diff --git a/include/token_authorization_middleware.hpp b/include/token_authorization_middleware.hpp index efa691c111..aaa1325b7a 100644 --- a/include/token_authorization_middleware.hpp +++ b/include/token_authorization_middleware.hpp @@ -236,6 +236,7 @@ class Middleware } } #endif + session->cookieAuth = true; return session; } |