Skip to content

Code to stop CSRF attacks.#1

Open
surferjeff wants to merge 31 commits into
mainfrom
csrf
Open

Code to stop CSRF attacks.#1
surferjeff wants to merge 31 commits into
mainfrom
csrf

Conversation

@surferjeff
Copy link
Copy Markdown
Owner

@surferjeff surferjeff commented Oct 28, 2023

No description provided.

@jeffrennie
Attemt to stop CSRF attacks.
392fdd4
@jeffrennie
I fail to functional.
8c9c72b
@jeffrennie
counterHandler embeds csrf token.
6e9a55b 
But doesn't yet verify it.
@jeffrennie
403 forbidden for Giraffe.
f88a1dc
@jeffrennie
ASP.NET requires the csrf token in the headers AND in the form.
0035947
@jeffrennie
Yet another opaque error from F#.
2b1f220 
I think it's because Giraffe.Antiforgery is built against an older version of Giraffe.
@jeffrennie
OMG. CSRF in Fiber is a mess!
1f66097 
Two CSRF vulnerabilities patched between versions 2.49 and 2.50.

https://pkg.go.dev/vuln/GO-2023-2115
https://pkg.go.dev/vuln/GO-2023-2116

Conclusion, Fiber was written by amateurs.
@jeffrennie
Revert "Yet another opaque error from F#."
a5e8997 
This reverts commit 2b1f220.
@jeffrennie
Copy and paste anti-forgery code from https://github.com/pimbrouwers/…
2e01459 
…Giraffe.Antiforgery
@jeffrennie
handleContext() may be the missing piece I've been looking for.
5223c08
@jeffrennie
Revert handleContext to match htmlView and htmlNodes
3f195f5
@jeffrennie
Merge branch 'main' into csrf
f7a73b9
surferjeff
surferjeff commented Oct 28, 2023
View reviewed changes
Comment thread GiraffeApp/Antiforgery.fs Outdated
open Giraffe
open Giraffe.ViewEngine

// Generates a CSRF token using the Microsoft.AspNetCore.Antiforgery package,
Copy link
Copy Markdown
Owner Author

@surferjeff surferjeff Oct 28, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Teerawat, I copied this code from https://github.com/pimbrouwers/Giraffe.Antiforgery. The main code doesn't call it yet. It doesn't seem to fit.

Comment thread GiraffeApp/Program.fs Outdated
bindQuery<CountPayload> (Some culture) (fun payload ->
htmlNodes (Views.counter payload.Count)
)
let incrementHandler(next: HttpFunc)(ctx: HttpContext): HttpFuncResult =
Copy link
Copy Markdown
Owner Author

@surferjeff surferjeff Oct 28, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Teerawat, please review lines 20 through 60 in this file. incrementHandler correctly validates the antiforgery token, and embeds the token in the form, but not in a way that's convenient to re-use in another handler.

I wish to refactor the code so the logic between lines 42 through 51 (minus the call to Views.counter) is easily reusable.

twuttiwat
twuttiwat reviewed Oct 29, 2023
View reviewed changes
Comment thread GiraffeApp/Program.fs
[<CLIMutable>]
type CountPayload = { Count: int }
type IncrementForm = { Count: int }

Copy link
Copy Markdown

@twuttiwat twuttiwat Oct 29, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
let requiresCsrfToken (invalidTokenHandler : HttpHandler) : HttpHandler =
fun (next: HttpFunc) (ctx : HttpContext) ->
let antiFrg = ctx.GetService<IAntiforgery>()
(match antiFrg.IsRequestValidAsync(ctx) |> Async.AwaitTask |> Async.RunSynchronously with
| true -> next
| false -> invalidTokenHandler earlyReturn) ctx

I think this handler can be used for validate Csrf Token. I copied this one from https://github.dev/pimbrouwers/Giraffe.Antiforgery

twuttiwat
twuttiwat reviewed Oct 29, 2023
View reviewed changes
Comment thread GiraffeApp/Program.fs Outdated
twuttiwat
twuttiwat reviewed Oct 29, 2023
View reviewed changes
Comment thread GiraffeApp/Program.fs Outdated
htmlNodes (Views.counter payload.Count (af.GetAndStoreTokens ctx))) next ctx
| false -> RequestErrors.FORBIDDEN "forbidden" next ctx)

let counterHandler(next: HttpFunc)(ctx: HttpContext): HttpFuncResult =
Copy link
Copy Markdown

@twuttiwat twuttiwat Oct 29, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we need this any more if you use csrfHtmlView function below

twuttiwat
twuttiwat reviewed Oct 29, 2023
View reviewed changes
Comment thread GiraffeApp/Program.fs Outdated
surferjeff and others added 2 commits October 30, 2023 19:06
@surferjeff @twuttiwat
Apply suggestions from code review
be0d191 
Teerawat's suggestions.

Co-authored-by: Teerawat Wuttiwat <781147+twuttiwat@users.noreply.github.com>
@jeffrennie
Remove counterHandler.
8bc5e36
@surferjeff
Copy link
Copy Markdown
Owner Author

surferjeff commented Oct 31, 2023
edited
Loading

@twuttiwat, With suggested changes, the code fails to compile with:

/home/jeff/gitrepos/blazor-compared/GiraffeApp/Program.fs(44,49): error FS0039: The value, namespace, type or module 'af' is not defined. [/home/jeff/gitrepos/blazor-compared/GiraffeApp/GiraffeApp.fsproj]
/home/jeff/gitrepos/blazor-compared/GiraffeApp/Program.fs(43,5): warning FS0020: The result of this expression has type 'HttpFuncResult' and is implicitly ignored. Consider using 'ignore' to discard this value explicitly, e.g. 'expr |> ignore', or 'let' to bind the result to a name, e.g. 'let result = expr'. [/home/jeff/gitrepos/blazor-compared/GiraffeApp/GiraffeApp.fsproj]
/home/jeff/gitrepos/blazor-compared/GiraffeApp/Program.fs(45,12): error FS0039: The value, namespace, type or module 'af' is not defined. [/home/jeff/gitrepos/blazor-compared/GiraffeApp/GiraffeApp.fsproj]
/home/jeff/gitrepos/blazor-compared/GiraffeApp/Program.fs(47,49): error FS0039: The value, namespace, type or module 'af' is not defined. [/home/jeff/gitrepos/blazor-compared/GiraffeApp/GiraffeApp.fsproj]
/home/jeff/gitrepos/blazor-compared/GiraffeApp/Program.fs(55,38): error FS0001: The type 'HttpFunc' is not compatible with the type 'HttpContext' [/home/jeff/gitrepos/blazor-compared/GiraffeApp/GiraffeApp.fsproj]
/home/jeff/gitrepos/blazor-compared/GiraffeApp/Program.fs(55,51): error FS0001: The type 'AntiforgeryTokenSet' does not match the type 'int' [/home/jeff/gitrepos/blazor-compared/GiraffeApp/GiraffeApp.fsproj]
/home/jeff/gitrepos/blazor-compared/GiraffeApp/Program.fs(55,65): error FS0001: This expression was expected to have type 'HttpFunc' but here has type 'int' [/home/jeff/gitrepos/blazor-compared/GiraffeApp/GiraffeApp.fsproj]
/home/jeff/gitrepos/blazor-compared/GiraffeApp/Program.fs(55,38): error FS0001: The type 'HttpFunc' does not match the type 'HttpFuncResult' [/home/jeff/gitrepos/blazor-compared/GiraffeApp/GiraffeApp.fsproj]

The build failed. Fix the build errors and run again.

@twuttiwat
Copy link
Copy Markdown

twuttiwat commented Nov 1, 2023

Please check at my recent PR. (Fix AntiForgery) @surferjeff

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@twuttiwat twuttiwat twuttiwat left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@surferjeff @twuttiwat @jeffrennie