From 49f834ade0b881aec2a0ad8759f9954a843b0f08 Mon Sep 17 00:00:00 2001 From: midchildan Date: Thu, 12 Nov 2020 02:53:46 +0900 Subject: [PATCH] fix: prevent unrelated websites from modifying shortlinks via CSRF Added two mitigations for this issue: - Attach an 'X-Requested-With' header in client requests - Make sure client POST requests have a content type of "application/json" --- web/assets/lib/xhr.ts | 4 +++- web/bindata.go | 20 ++++++++++---------- web/web.go | 35 ++++++++++++++++++++++++++++++++++- 3 files changed, 47 insertions(+), 12 deletions(-) diff --git a/web/assets/lib/xhr.ts b/web/assets/lib/xhr.ts index 38dcffe..8419986 100644 --- a/web/assets/lib/xhr.ts +++ b/web/assets/lib/xhr.ts @@ -48,7 +48,9 @@ namespace xhr { export var create = (method: string, url: string) => { var xhr = new XMLHttpRequest(); xhr.open(method, url, true); - return new Req(xhr); + + var req = new Req(xhr); + return req.withHeader('X-Requested-With', 'XMLHttpRequest'); }; export var get = (url: string) => { diff --git a/web/bindata.go b/web/bindata.go index 78c813d..0925a2a 100644 --- a/web/bindata.go +++ b/web/bindata.go @@ -89,12 +89,12 @@ func closeSvg() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "close.svg", size: 216, mode: os.FileMode(420), modTime: time.Unix(1588282052, 0)} + info := bindataFileInfo{name: "close.svg", size: 216, mode: os.FileMode(420), modTime: time.Unix(1605116866, 0)} a := &asset{bytes: bytes, info: info} return a, nil } -var _editCss = "\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x94\x93\xdf\x8e\xda\x3c\x10\xc5\xef\xbf\xa7\xb0\xe0\x06\x24\x9c\x35\xec\xc2\x7e\xd8\x52\x1f\xa2\x77\xbd\x74\xec\x49\x62\xad\xe3\xb1\x6c\x07\xc2\x46\xbc\x7b\x95\x3f\x40\x5a\xb6\xaa\xaa\x08\x14\xec\x1f\x9e\x99\x73\x8e\x73\xd4\x97\x2e\x97\xea\xa3\x0c\xd8\x38\xcd\x97\x45\x51\x88\x02\x5d\xa2\x85\xac\x8d\xbd\xf0\xc5\x77\x69\xe1\x2c\x2f\x8b\x4d\x94\x2e\xd2\x08\xc1\x4c\x40\x34\x9f\xc0\xdf\x76\xbe\x1d\x7f\x9e\xc1\x94\x55\xe2\xaf\x8c\x5d\x0b\x0c\x75\x97\xa0\x4d\x54\x5a\x53\x3a\xae\xc0\x25\x08\xd7\x65\x2e\x43\x77\x36\x3a\x55\xfc\xb0\xef\xff\x57\xcb\x50\x1a\xc7\x19\x91\x4d\x42\xe1\x31\x9a\x64\xd0\xf1\x00\x56\x26\x73\x82\xeb\xb2\x09\xb6\xfb\x87\x66\x5e\xbf\x68\x46\x4c\x05\x19\xf3\xad\xf0\x52\x6b\xe3\x4a\xbe\xdb\xfb\x56\x28\xb4\x18\xf8\xf2\x78\x3c\x8a\x1c\x83\x86\x40\x83\xd4\xa6\x89\xfc\xcd\xb7\xd3\x0a\xdf\xfa\x96\x44\xb4\x46\x93\xa5\x52\x4a\x60\x93\xac\x71\xc0\x1d\x3a\x10\x39\xb6\x34\x56\x52\xe3\x99\x33\xb2\xf3\x2d\x39\xf8\x96\x84\x32\x97\x2b\xb6\xe9\x9f\x6c\xb7\x1e\x26\xe0\x05\xaa\x26\x76\xcf\x27\xb2\x63\x31\x02\x9c\x9e\x21\xff\x30\x89\x1a\xe7\x9b\x44\xbd\x95\x0a\x2a\xb4\x1a\x42\x37\x35\xa9\xb5\xbe\xa1\x35\x7e\xfe\x91\x50\xb5\xef\x7e\x99\x71\x1c\x7e\x7f\x60\x4f\x6a\xcf\xec\xb1\x50\xa4\x99\x8a\xbb\xad\x6f\x45\x0a\xd2\x4d\x76\x0c\xaf\xbd\xa5\x64\xc7\x58\x1d\x09\xc8\x08\xd4\x38\x8a\x4d\x12\xf7\x3d\x1e\x95\xb4\xf0\x63\xc5\xd6\x8f\x35\x8a\xc1\xf4\x15\x13\x7a\x32\x46\xe0\x26\x74\x8e\x29\x61\x4d\xfb\xc2\xcf\xa2\xdf\x76\x43\x6f\xe1\x5f\x3d\x19\x86\xce\xac\x71\x1f\xb3\x18\xd3\x49\x94\xe2\xd0\x3f\x23\x52\x34\xea\x4b\x04\x60\x96\x84\x01\xfd\x26\x6f\xa2\xb2\x63\x31\x0a\xa5\x41\x61\x90\x83\x1c\xbd\xf7\x23\x96\x55\x2e\xcd\xe4\x1f\xc9\x29\x11\x7d\x93\xfd\x87\x91\xfe\x46\xcd\xf8\xc2\xa2\x4c\x7c\x98\xed\xba\x54\x36\x76\xf7\xd8\xcb\x3c\xa2\x6d\x12\x88\x84\x9e\x33\x31\x20\x9c\x89\x51\x0d\x7e\x0f\xf2\xa0\xc4\x63\x0c\x53\xcb\x12\x78\x13\xec\x6a\xf1\x12\x5f\x94\xc5\x08\x59\x3c\x95\x8b\xf5\x1c\xba\xd7\x18\x6d\xb8\xbb\xf1\x20\x02\x78\x90\x89\x3b\x9c\xde\xe6\x7b\xe3\x45\xff\xdf\xb7\xa4\xff\x12\xaa\x09\x11\x03\xf7\x68\x86\x43\x66\x49\x41\x2f\x95\x49\x97\x29\x27\xaa\xc9\x8d\xa2\x39\x7c\x1a\x08\x2b\x96\xbd\xbf\x6f\x08\xdb\x10\x96\x6d\xdf\xf7\x1b\xb2\x5d\x8b\x89\xe6\x4c\x4c\x47\x51\x38\x81\x4b\xf1\xa6\xb0\x8d\xd9\xc9\xc4\xee\x86\x65\xaf\xbf\x73\xc6\x55\x10\xcc\x28\x23\xaf\xf0\x04\xe1\x01\x1f\xae\xff\xfd\x0c\x00\x00\xff\xff\xd0\xd6\xde\x37\xdb\x04\x00\x00" +var _editCss = "\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x94\x93\xdf\x6e\xe2\x3c\x10\xc5\xef\xbf\xa7\xb0\xca\x45\x41\xc2\xa9\xa1\x85\x7e\xd8\xd2\x3e\xc4\xde\xed\xa5\xe3\x4c\xc2\xa8\x8e\xc7\xb2\x1d\x08\x8d\x78\xf7\x55\xfe\x40\xb3\xdb\xae\x56\xab\x08\x14\xec\x1f\x9e\x99\x73\x8e\x73\x2a\x2e\x5d\xae\xcd\x5b\x15\xa8\x71\x85\x5c\x94\x65\xa9\x4a\x72\x89\x97\xba\x46\x7b\x91\x8f\xdf\xb5\x85\xb3\xbe\x3c\xae\x59\xd4\x2e\xf2\x08\x01\x27\x22\xe2\x3b\xc8\x97\xad\x6f\xc7\x9f\x67\xc0\xea\x98\xe4\xb3\x10\xd7\x92\x42\xdd\x25\x68\x13\xd7\x16\x2b\x27\x0d\xb8\x04\xe1\xba\xc8\x75\xe8\xce\x58\xa4\xa3\xdc\xef\xfa\xff\xd5\x3a\x54\xe8\xa4\x60\xba\x49\xa4\x3c\x45\x4c\x48\x4e\x06\xb0\x3a\xe1\x09\xae\x8b\x26\xd8\xee\x5f\xba\x79\xfe\xa2\x1b\x35\x55\x14\xc2\xb7\xca\xeb\xa2\x40\x57\xc9\xed\xce\xb7\xca\x90\xa5\x20\x17\x87\xc3\x41\xe5\x14\x0a\x08\x3c\xe8\x02\x9b\x28\x5f\x7c\x3b\xad\xc8\x8d\x6f\x59\x24\x8b\x05\x5b\x18\x63\x14\x35\xc9\xa2\x03\xe9\xc8\x81\xca\xa9\xe5\xf1\xa8\x0b\x3a\x4b\xc1\xb6\xbe\x65\x7b\xdf\xb2\x50\xe5\x7a\x29\xd6\xc3\x93\x6d\x57\xc3\x0c\xb2\x24\xd3\xc4\xee\xf3\x91\xe2\x50\x8e\x80\xe4\x67\xc8\xdf\x30\x71\x74\xbe\x49\xdc\x5b\x6d\xe0\x48\xb6\x80\xd0\x4d\x5d\x16\x45\x71\x43\x6b\x7a\xff\x23\x61\x6a\xdf\xfd\x32\xe4\x38\xfd\x6e\x2f\x3e\xe9\x3d\x33\xc8\x42\x99\x66\x32\x6e\x37\xbe\x55\x29\x68\x37\x19\x32\xbc\xf6\xa6\xb2\xad\x10\x75\x64\xa0\x23\x70\x74\x9c\x9a\xa4\xee\x7b\x32\x1a\x6d\xe1\xc7\x52\xac\x3e\xd6\x38\x05\xec\x2b\x26\xf2\x6c\x0c\xc1\x4d\xe9\x9c\x52\xa2\x9a\xf7\x85\x3f\xab\x7e\xdb\x0d\xbd\x87\x7f\x35\x65\x18\x3a\xb3\xe8\xde\x66\x49\xe6\x93\x28\xe5\xbe\x7f\x46\xa4\x6c\xcc\x97\x08\xc0\x2c\x0a\x03\xfa\x4d\xdf\x44\x15\x87\x72\x14\xaa\x00\x43\x41\x0f\x72\xf4\xe6\x8f\x58\x76\x74\x69\x26\xff\x48\x4e\x91\xe8\x9b\xec\x3f\x82\xf5\x97\x6a\xc6\x97\x96\x74\x92\xc3\x6c\xd7\x85\xb1\xb1\xbb\x07\x5f\xe7\x91\x6c\x93\x40\x25\xf2\x52\xa8\x01\x91\x42\x8d\x6a\xc8\x7b\x92\x07\x25\x3e\xc6\xc0\x5a\x57\x20\x9b\x60\x97\x0f\x4f\xf1\xc9\x58\x8a\x90\xc5\x53\xf5\xb0\x9a\x43\xf7\x1a\xa3\x0d\x77\x37\x3e\x88\x00\x1e\x74\x92\x8e\xa6\xb7\xf9\xde\x78\xd5\xff\xf7\x2d\xeb\xbf\x94\x69\x42\xa4\x20\x3d\xe1\x70\xc8\x2c\x29\xe4\xb5\xc1\x74\x99\x72\x62\x9a\x1c\x0d\xcf\xe1\x1d\x21\x2c\x45\xf6\xfa\xba\x66\x62\xcd\x44\xb6\x79\xdd\xad\xd9\x66\xa5\x26\x5a\x0a\x35\x1d\xc5\xe1\x04\x2e\xc5\x9b\xc2\x36\x66\x27\x8c\xdd\x1d\xcb\x9e\x7f\x07\xd1\x1d\x21\xe0\xa8\xa3\x3c\xd2\x09\xc2\x8c\xde\x5f\xff\xfb\x19\x00\x00\xff\xff\x56\xb7\x20\x4a\xe0\x04\x00\x00" func editCssBytes() ([]byte, error) { return bindataRead( @@ -109,7 +109,7 @@ func editCss() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "edit.css", size: 1243, mode: os.FileMode(420), modTime: time.Unix(1588282081, 0)} + info := bindataFileInfo{name: "edit.css", size: 1248, mode: os.FileMode(420), modTime: time.Unix(1605116867, 0)} a := &asset{bytes: bytes, info: info} return a, nil } @@ -129,12 +129,12 @@ func editHtml() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "edit.html", size: 622, mode: os.FileMode(420), modTime: time.Unix(1588282052, 0)} + info := bindataFileInfo{name: "edit.html", size: 622, mode: os.FileMode(420), modTime: time.Unix(1605116866, 0)} a := &asset{bytes: bytes, info: info} return a, nil } -var _editJs = "\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x94\x96\x6f\x4f\xdc\xb8\x13\xc7\x9f\xf3\x2a\xc0\x3f\x09\xd9\xc2\x78\xa1\x7d\x52\x91\x5f\x54\x51\xba\x77\xd5\xa9\x3d\x2a\xe0\xc1\x9d\x7a\xd5\x69\xec\x4c\x12\x1f\x59\x3b\xd8\x0e\xec\xde\x6e\xde\xfb\xc9\x49\x76\xc9\xc2\xb6\xb4\x0f\x08\xfe\x33\xfe\xce\xd8\xfe\xcc\x78\xef\xc1\xed\x67\x76\x96\xd0\xbc\x31\x2a\x68\x6b\xa8\x62\x4b\x25\xee\xd2\x4d\x5f\xb2\xa5\xc3\xd0\x38\xb3\x9f\x59\xd5\xcc\xd0\x04\x71\xd7\xa0\x5b\x5c\x63\x85\x2a\x58\x47\x25\x6b\x13\x25\xee\xe0\xc7\x97\x9c\x57\xd5\xb0\x4a\x7d\x77\x91\x72\x08\x01\xa7\x15\xc6\xde\x7a\x85\xf7\xa3\x35\x1c\x78\xc6\x96\x52\xf8\xb0\xa8\x50\x78\x0c\x9f\x9d\xad\xd1\x85\x05\x05\x9e\x71\x42\x58\xdb\x32\x9a\xd9\xd9\x6a\x15\xbf\xe9\xb2\x65\x2c\x89\x5b\x9e\x97\x2e\xd9\xdb\xda\x73\x1c\x95\x8f\xca\x6c\xb9\x6e\xee\x03\xcd\xfa\x69\x48\x43\xa9\x7d\x12\x3f\x62\x5e\xba\x34\xeb\x9b\x99\x35\xf8\x8b\xf1\xe9\x97\xaf\x7d\x1f\x9d\xb3\x6e\x18\xc8\x84\x35\x95\x85\x6c\x2c\xdc\x7b\xca\x84\x43\x5f\x5b\xe3\xf1\x06\xe7\x81\xab\x34\x13\x3e\x40\x68\x7c\x02\x6b\x45\x91\x5b\x37\x05\x55\x3e\xc6\x09\x6c\x09\x54\x72\xc5\x5a\xd6\x76\xda\x9d\xaf\xb1\x38\x6c\xdc\xef\x5c\x3d\x9c\x30\xd0\xa8\xd0\x82\xa8\x9d\x0d\x36\x2c\x6a\x14\xd6\xbc\xb7\x06\xd3\xb1\xf1\x78\x77\xa2\x6e\x7c\x49\x81\x25\x83\x42\x9c\x6b\x93\x6d\x81\xe9\x76\x30\x6b\x85\x4d\x40\x2f\x4a\x3c\xe8\x50\x7e\x40\xc8\x70\xac\xc2\xe5\xa0\x33\x2f\x5d\xbc\xe1\x2b\xbc\x6b\xd0\x87\xde\xae\x9b\xfe\xb6\xa0\x47\x93\xfd\x76\x7d\xf9\xfb\xf3\xa0\x1e\x5d\x51\x72\x61\x4d\x40\x13\x8e\x6f\x16\x35\x12\xbe\x47\xa0\xae\x2b\xad\x20\xda\x4f\xfe\xf1\xd6\x24\xaa\x04\xe7\x31\xa4\x4d\xc8\xdf\x10\x96\x8c\xa2\x31\x19\x8d\xfa\xc2\x07\xa7\x4d\xa1\xf3\x05\x05\xf6\x42\x3c\xcf\x63\xd9\x48\x3d\x3d\x9b\xf5\x6d\xb5\x94\x25\x4a\x5c\xe1\x5d\x2a\x63\x06\x74\x59\x31\x3e\xa1\x01\xdf\x2c\x35\xf8\xb0\xff\xc7\xa7\x8f\x1f\x42\xa8\x87\x63\x8a\x94\xd4\xd8\x19\xf1\x83\x93\x8d\x7e\x34\x94\x34\xeb\x32\xaa\xc0\x90\xee\x60\x64\xed\x88\x92\x5f\xa7\x37\x84\x43\x67\x5b\x5b\xff\x82\xf1\xe7\xcb\xeb\xde\xba\x65\x74\x5e\xba\xd5\x2a\x7e\x1f\x13\xaf\xb0\x2f\xe5\x5d\x9f\x69\x45\x0c\xeb\x9d\x6d\x4c\xa6\x4d\x71\x51\x69\x34\xe1\x0a\x55\xa0\x2c\xc9\xec\x2c\x16\x01\x5a\x70\x32\x03\x57\x68\x73\x1c\x6c\x4d\xf8\x83\x36\x99\x7d\x10\xda\x18\x74\x1f\x50\x17\x65\x98\xbc\x3e\x06\x51\xf6\xcd\x57\x47\xa4\x9e\x13\xd6\x72\x78\xee\x8a\xe6\xe2\x1e\xaa\x06\x57\x2b\x42\x98\x08\x4e\xcf\x28\x4b\xe0\x20\x9d\x1d\x1e\xd2\x59\x0a\xfc\x96\x32\x0e\x6f\x4b\xa1\x2a\xf0\xfe\xa3\xf6\x41\x40\x96\x51\x72\xaf\x3d\x61\x67\xe3\x61\x87\x33\x7b\x8f\xc3\x0c\x6b\xf9\xf6\x55\x47\x0e\xf0\x1e\x4d\x78\x8f\x39\x34\x55\xdc\x0a\xa4\x95\xed\x39\x13\x35\x84\xd2\xc0\x0c\x85\x6f\x64\x0f\x13\x3d\x65\xc2\xd7\x95\x0e\x94\x4c\x08\xfb\x72\xfa\x35\xe9\x8f\x6a\x67\xb8\x11\xa1\x78\x37\x94\x4c\xa0\xd6\x93\xc6\x55\x13\x72\x04\x6c\x93\x00\x74\xd9\xb8\xea\x4c\xb6\x6c\xc8\x73\xba\x9d\x5f\x90\x76\x14\xd7\x11\xf3\x48\xa1\xce\x29\x08\x7b\xcb\x74\x4e\x65\x0a\xc2\xd9\x26\x60\x7f\x5c\x2a\x95\x22\xc6\x19\xbd\x27\x90\x4a\xe1\x6d\xe3\x14\xfe\x5d\x5a\x1f\xba\x31\x29\x1a\x57\x1d\x1e\xd2\x52\xfb\x60\xdd\x42\x38\xac\x2b\x50\x78\x1d\x22\x1d\xcb\x96\xef\x99\xa6\xaa\x38\x99\x60\xa6\xc3\x84\x1c\x29\xc6\x65\x4a\x62\x23\xfe\x27\x07\x29\xbc\x85\x23\x79\xb6\x39\x17\xeb\x74\xa1\xcd\x91\xe4\x28\x02\xce\xc3\x90\xaa\x29\x21\x1c\x77\x9c\x7c\xde\xa8\x5b\xc2\xb6\xa6\xba\xbb\xaa\xb4\x89\xe3\x90\x76\xf0\x50\x02\xb1\x13\x8b\xc9\x79\x08\x4e\xcb\x26\x82\x5b\x3a\xcc\x09\x97\x71\x62\xec\x29\x7a\x86\xba\x46\x93\x5d\x94\xba\x8a\x39\xca\xe5\x5a\xc6\xd7\x60\x08\xe3\xf2\xa9\xbb\xd2\x84\x6e\x78\xac\x73\xf2\xff\xd4\xc0\xbd\x2e\x20\x58\x27\x1a\x8f\xee\xbc\x88\x4f\x9c\x36\x19\xce\x2f\x73\x4a\x3e\x81\xd2\x26\x58\x5f\x12\xf6\x96\xfc\xd5\xbc\x7a\x7d\xfa\xe6\xf8\x82\x9c\x91\x8b\xe0\xaa\xe3\x0b\xf2\x24\x0a\xc9\xf8\x3a\x0f\x90\x93\xe0\xc0\xf8\xdc\xba\x19\xe1\xc4\x2b\xa8\xf0\x4f\x7a\xca\x08\xe3\x05\x86\xfe\xc9\xed\x70\x8f\xfb\x7d\x07\x1e\xcf\x4d\x36\x9d\xc7\x98\x28\xf0\x13\x0e\xfc\x94\xb1\x16\x2b\x8f\xfb\xb7\x94\x25\x5d\xa3\xa2\xc3\x33\x12\x5f\x09\x6e\x9e\x3f\x5e\x3f\x85\xed\x23\xb0\x7b\x23\x62\x87\xc1\x34\x62\x44\x3b\xe2\x24\x8b\x14\xaf\xeb\xc8\xfb\xe9\xc7\xe9\xcd\x94\xf0\x31\xd0\xb2\x07\x9a\xfe\x20\xc5\x11\xe1\xd5\x6a\x7b\x33\xb7\xe3\xcd\x7c\xff\x08\x4f\x58\x2c\x18\xd5\x56\x12\x3f\xa5\x30\xd9\x45\x61\x4f\x5b\xf2\x8c\xc2\x9e\xce\x21\x8d\xb7\x10\x4a\xb6\x59\x21\xd3\xab\xab\xcb\xab\xb3\x7d\x72\x04\xc9\xd3\x7b\x4f\x5e\xbe\xf7\x96\x17\x9d\xfc\x1d\x25\xdd\x24\xe3\xb8\xee\xff\x4f\xcd\x6a\xc2\x78\xf9\xd8\xaf\x3c\x61\x3c\xdf\xf4\x1b\x57\x11\xc6\xc7\xbf\x07\xd9\x52\x52\x96\x0c\xe5\x15\xb2\x6c\x1a\x6b\x58\xdc\x14\x9a\xf8\x78\x3a\xf4\xfa\x5f\x24\x5c\xf2\x83\x53\x96\x14\x3b\x2c\x7c\x23\x67\x3a\x10\xbe\x97\x75\x26\xf9\x0e\x93\x5b\x5c\x34\x35\xe1\xf0\x4d\x83\x1a\x7c\xc0\xef\x19\xa8\x12\x4c\xb1\xb1\x28\x77\x59\x54\x5a\xdd\x12\x6e\x3a\x83\xbe\x94\xfd\x14\xc6\x3a\xa7\xaa\x23\xb4\xc0\xed\x32\xab\xbe\x49\x65\xfc\xa5\xb6\x94\x63\x2a\x25\x4b\x5e\x9d\x9c\xa4\xa9\x3a\x3c\x5c\xa7\x45\x2a\xfb\xfa\x1a\xeb\x66\xac\xa0\x3c\x17\xb9\x55\x8d\x8f\xaf\x0e\x65\xac\x1d\x72\x72\x33\xda\xb2\xee\xaf\xb0\xab\x15\x2d\x6c\xff\xb2\xee\xfd\x17\x00\x00\xff\xff\xa0\x37\xb8\x86\xc7\x0b\x00\x00" +var _editJs = "\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x9c\x56\x5f\x6f\xdb\x38\x12\x7f\xcf\xa7\x48\x78\x40\x40\x22\x0c\x9d\xb4\x2f\x45\x74\x42\x91\xa6\xbe\x2b\x0e\xed\xa5\x48\x02\x6c\x17\xdd\x62\x41\x8b\x23\x89\x6b\x8a\xa4\x49\x2a\xb1\xd7\xd6\x77\x5f\x50\x92\x6d\x39\x76\x9b\xee\x3e\x44\xe1\x0c\x87\xbf\xf9\xc3\xdf\x0c\xfd\xc8\xdd\xb1\x30\x55\x82\xf3\x5a\x67\x41\x1a\x8d\x4b\xb2\x2c\xd9\x2c\xdd\xc8\x39\x59\x3a\x08\xb5\xd3\xc7\xc2\x64\x75\x05\x3a\xb0\x59\x0d\x6e\x71\x0f\x0a\xb2\x60\x1c\xce\x49\x93\x94\x6c\xc6\x7f\xfe\xc8\xb5\x52\xfd\xa9\xec\x87\x87\x32\x07\x3c\xc0\x58\x41\x94\xd6\x27\xbc\x1f\x9c\xa1\x13\xca\xc9\x32\x67\x3e\x2c\x14\x30\x0f\xe1\xb3\x33\x16\x5c\x58\xe0\x09\xe5\x14\x21\xd2\x34\x04\x0b\x53\xad\x56\xf1\x9b\x2e\x1b\x42\x92\x98\xf2\xbc\x74\xc9\xd1\x4e\xce\x51\x9b\x6f\x91\xc9\x72\xbd\x3c\x9e\x60\xde\x6d\x57\x69\x28\xa5\x4f\xe2\x87\xcd\x4b\x97\xf2\x6e\x29\x8c\x86\xff\x68\x9f\x7e\xfd\xd6\xc9\xe0\x9c\x71\xbd\x82\x33\xa3\x95\xe1\x62\x08\x1c\xa1\x74\xca\x99\x03\x6f\x8d\xf6\xf0\x00\xf3\x40\x67\x29\x67\x3e\xf0\x50\xfb\xa4\x5a\x23\xb2\xdc\xb8\x31\xcf\xca\x6d\x9c\x96\x2c\x2d\xd6\x74\x46\x1a\xd2\xb4\xd8\xad\xaf\x21\x78\xb5\x71\xbf\x7f\x5a\x6f\x2a\xac\x71\x44\x68\x26\xcc\x3a\x13\x4c\x58\x58\x60\x46\xbf\x37\x1a\xb6\x50\x9c\x2c\x87\xd9\x31\x5b\xfb\x12\x73\x92\xf4\x08\x71\xaf\x49\x76\x01\xc6\xbb\xc1\xac\x11\x36\x01\xbd\x08\xf1\x24\x43\xf9\x01\xb8\x80\x21\x0a\xad\x7a\x9c\x79\xe9\xe2\x0d\xdf\xc1\xac\x06\x1f\x3a\xbb\x76\xfb\xfb\x80\x1e\xb4\xf8\xdf\xfd\xed\xff\xf7\x83\xda\xba\xc2\xe8\xc6\xe8\x00\x3a\x9c\x3f\x2c\x2c\x20\x7a\x84\xb8\xb5\x4a\x66\x3c\xda\x8f\xfe\xf0\x46\x27\x59\xc9\x9d\x87\x90\xd6\x21\x7f\x83\x48\x32\x88\x46\x0b\x1c\xf1\x99\x0f\x4e\xea\x42\xe6\x0b\xcc\xc9\x0b\xf1\xec\xc7\xb2\x81\x7a\x5e\x9b\x5e\x98\x34\x98\x24\x25\xbb\x83\x59\x9a\xc7\x0e\x68\xbb\x62\x0b\xd3\xb6\x40\xc7\x4f\x0d\x4f\xc7\x5f\x3e\x7d\xfc\x10\x82\xed\xcb\x94\x54\xcc\x58\x68\x8d\xe8\xc9\xc5\x1a\x1f\x47\xc3\x1c\x57\x84\xec\x14\xe2\xcb\x79\x7f\x0a\xc4\xf9\x2f\x32\x94\x88\xa2\x5d\x34\xd4\xb6\x60\x01\x61\xe0\x7d\x43\xaa\x75\x64\x18\xfd\x77\xfc\x80\xe8\xa4\xb5\xb5\xc6\xbf\x60\xfc\xf9\xf6\xbe\xb3\x6e\x08\x9e\x97\x6e\xb5\x8a\xdf\x6d\xa7\x16\xe6\xa5\x46\x8d\x8a\x2c\xb5\x31\xac\x77\xa6\xd6\x42\xea\xe2\x46\x49\xd0\xe1\x0e\xb2\x80\x49\x22\x4c\x15\xa7\x06\xb6\x14\x55\xdc\x15\x52\x9f\x07\x63\x11\x7d\x92\x5a\x98\x27\x26\xb5\x06\xf7\x01\x64\x51\x86\xd1\xeb\xf3\x8c\x95\xdd\xf2\xd5\x19\xb2\x73\x44\x1a\x3a\xd9\x77\x85\x15\x7b\xe4\xaa\x86\xd5\x0a\x21\xc2\x82\x93\x15\x26\x49\x76\x92\x86\xd3\x53\x1c\xd2\x8c\x6a\x4c\x68\xf6\xd6\xb1\x4c\x71\xef\x3f\x4a\x1f\x18\x17\x02\xa3\x47\xe9\x11\xb9\x1a\xaa\x1d\x54\xe6\x11\xfa\x1d\xd2\xd0\xc1\x08\xcd\xc8\x32\x63\xd6\xc1\x23\xe8\xf0\x1e\x72\x5e\xab\x98\x4a\x96\x2a\xd3\x11\x93\x59\x1e\x4a\xcd\x2b\x60\xbe\x9e\x74\xec\xc3\x97\x84\x79\xab\x64\xc0\x68\x84\xc8\xd7\xcb\x6f\x5d\xfd\x0e\x87\x1b\x39\x17\xef\x06\xa3\x11\xb7\x72\x54\x3b\x35\x42\x67\x19\xd9\x74\x0c\x5e\xd6\x4e\x5d\x15\x0d\xe9\x07\xc3\xf6\x0a\x04\x05\xb2\x14\x69\x4b\x7b\x1b\xfb\x02\x0b\x92\xc8\x1c\x0b\x66\xa6\x44\xe6\x18\x52\xc1\x9c\xa9\x03\x74\xe5\xaa\x53\x60\x31\xce\xe8\x3d\x11\x29\x30\x6f\x6a\x97\xc1\xef\xa5\xf1\xa1\xd5\x01\xab\x9d\x3a\x3d\xc5\xa5\xf4\xc1\xb8\x05\x73\x60\x15\xcf\xe0\x3e\x44\x76\x2c\x1b\x7a\xa4\x6b\xa5\x28\x1a\x81\x90\x61\x84\xce\x6a\x42\x21\x45\x71\x11\xff\xa3\x93\x54\xbc\x15\x67\x70\xb5\xa9\x8b\x71\xb2\x90\xfa\x0c\xe8\x94\x05\x98\x87\xbe\xb7\x53\x84\xe8\xf4\x40\xe5\xf3\x3a\x9b\x22\xb2\xb3\xd5\xde\x95\x92\x3a\xea\x45\xda\x92\x07\x23\x1e\x85\x38\x7d\xae\x43\x70\x72\x52\x47\xe2\x96\x0e\x72\x44\x21\x6e\x0c\x3d\x45\xcf\xdc\x5a\xd0\xe2\xa6\x94\x4a\x60\x11\x03\xee\x61\xbc\xe5\x1a\x11\x0a\xcf\xdd\x95\x3a\xb4\xea\x21\xce\xc5\xbf\x53\xcd\x1f\x65\xc1\x83\x71\xac\xf6\xe0\xae\x8b\xf8\x26\x4a\x2d\x60\x7e\x9b\x63\xf4\x89\x67\x52\x07\xe3\x4b\x44\xde\xa2\xdf\xea\x57\xaf\x2f\xdf\x9c\xdf\xa0\x2b\x74\x13\x9c\x3a\xbf\x41\xcf\xa2\x88\x61\xf6\x7d\x30\xa5\x28\x38\xae\x7d\x6e\x5c\x85\x28\xf2\x19\x57\xf0\x2b\xbe\x24\x88\xd0\x02\x42\xf7\x46\xb7\x74\x8f\xf9\xbe\xe3\x1e\xae\xb5\x18\xcf\x63\x4c\x58\xd0\x0b\x2a\xe8\x25\x21\x0d\x28\x0f\xf1\x19\x49\xda\xc5\x0c\x8b\x6e\xcc\xc7\x67\x85\x56\xfb\x2d\xf3\xb7\x68\xbb\x25\xec\xd1\x80\xb1\xbd\x32\x45\x28\x99\xe0\x96\x71\x19\x89\x2c\x5e\xcf\x91\xf7\xe3\x8f\xe3\x87\x31\xa2\x07\x08\x8d\xf7\x59\x5c\x50\x41\x96\xc5\x90\xc5\x05\x49\x0a\x66\xa6\xab\xd5\x0c\x17\x83\x64\xf4\x30\x99\x1f\x97\xf0\x82\xc4\x81\x31\xdb\x69\xe2\xe7\x2c\x4c\x0e\xb1\xb0\x63\x5b\xb2\xc7\xc2\x8e\x9d\x7d\x1b\xef\x50\x28\x29\x76\x71\xc7\x77\x77\xb7\x77\x57\xc7\xe8\x2c\x4b\x76\xef\xbd\xd8\xce\xbf\xef\xdf\x7b\x43\x6d\x0b\x3f\xc3\xa8\xdd\x24\x74\xba\x96\xff\x95\x55\x16\x11\xea\xb6\xb2\xf2\x88\x50\xb5\x91\x6b\xa7\x10\xa1\x61\xf0\x03\x92\x2c\x73\x4c\x92\x7e\xbc\x72\x21\xc6\x71\x86\xc5\xa4\x40\xc7\x47\xc6\x81\x97\x7f\x02\xa2\x39\x3d\xb9\x24\x89\x3d\x60\xe1\xeb\x49\x25\x03\xa2\x47\xbc\x35\x51\x07\x4c\xa6\xb0\xa8\x2d\xa2\x93\xef\x1a\x58\xee\x03\xfc\xc8\x20\x2b\xb9\x2e\x36\x16\xee\x90\x85\x92\xd9\x14\xd1\xaa\x35\xf8\x07\x34\xde\x30\xb4\x80\x83\x63\xf6\x67\x59\xf9\xea\xe2\x22\x4d\xc5\xe9\xe9\xba\x2d\xd2\xa2\x9b\xaf\x71\x6e\xc6\x09\x4a\x15\xcb\x4d\x56\x7b\x4c\xe8\x04\x13\xd2\xf4\x3d\xb9\xd1\x36\xa4\xfd\x2b\xcc\x6a\x85\x0b\xd3\xbd\xac\x47\x7f\x05\x00\x00\xff\xff\xb1\x60\xc0\x25\xf8\x0b\x00\x00" func editJsBytes() ([]byte, error) { return bindataRead( @@ -149,7 +149,7 @@ func editJs() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "edit.js", size: 3015, mode: os.FileMode(420), modTime: time.Unix(1588282081, 0)} + info := bindataFileInfo{name: "edit.js", size: 3064, mode: os.FileMode(420), modTime: time.Unix(1605116871, 0)} a := &asset{bytes: bytes, info: info} return a, nil } @@ -169,12 +169,12 @@ func indexJs() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "index.js", size: 2803, mode: os.FileMode(420), modTime: time.Unix(1588282052, 0)} + info := bindataFileInfo{name: "index.js", size: 2803, mode: os.FileMode(420), modTime: time.Unix(1605116866, 0)} a := &asset{bytes: bytes, info: info} return a, nil } -var _linksCss = "\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x54\x8f\x41\x6e\xe3\x30\x0c\x45\xf7\x73\x0a\x23\xd9\x8e\x02\x25\x0e\x8a\x96\xbe\x45\x6f\xc0\x58\x92\x4d\x84\x11\x05\x89\xae\xed\x0a\xbd\x7b\x11\x24\x2e\x90\x05\x17\x04\x1f\x1f\xfe\xbf\x88\x5b\xeb\x05\xfb\xeb\x90\x65\x8a\x0e\xf6\x21\x84\x2e\x48\x54\x13\xf0\x46\xbc\xc2\xee\x13\xd9\xcf\xb8\xee\xfe\x17\x8c\xc5\x14\x9f\xe9\x09\x14\xfa\xf6\x70\x3e\xa5\xe5\xb1\xce\x9e\x86\x51\xa1\xb5\xf6\xe7\xc0\x14\xaf\xa5\xce\xe4\x74\x84\x77\x6b\xd3\xd2\xdd\x30\x0f\x14\xc1\x36\x38\xa9\x3c\x81\x06\x6b\x2f\x2c\x19\xf6\xf6\x23\x74\xea\x17\x35\xce\xf7\x92\x51\x49\x22\x44\x89\xfe\x0f\x84\x51\xbe\x7c\xae\x92\xb0\x27\x5d\xe1\xf0\xb6\x5d\x0e\x61\x62\x36\x53\xe6\x4d\xe5\x9c\x7b\xa8\xca\x88\x4e\x66\x38\xa6\xa5\xb9\x8f\x6d\xee\xd5\xb6\xb7\xf1\xb8\xf1\x6d\xdb\x3e\xc3\x99\x8b\xa8\xca\x0d\xce\x36\x2d\x1b\x37\x71\x4d\xe8\x1c\xc5\x01\x6c\xc7\x54\xd4\x14\x5d\xd9\x1b\x5d\x93\x7f\x49\x38\x71\xc3\x54\x5f\x45\xa7\xbb\xe8\xdf\x6f\x00\x00\x00\xff\xff\xb7\x76\xa3\x2a\x62\x01\x00\x00" +var _linksCss = "\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x54\x8f\x41\x6e\xe3\x30\x0c\x45\xf7\x73\x0a\x03\x59\x64\x33\x0a\x94\x38\x28\x5a\xfa\x16\xbd\x01\x63\x49\x36\x11\x46\x14\x24\xba\xb6\x2b\xf4\xee\x45\x90\xb8\x40\x16\x5c\x10\x7c\x7c\xf8\xff\x22\x6e\xad\x17\xec\xaf\x43\x96\x29\x3a\xd8\x85\x10\xba\x20\x51\x4d\xc0\x1b\xf1\x0a\xfb\x4f\x64\x3f\xe3\xba\xff\xdf\x14\x8c\xc5\x14\x9f\xe9\x49\x14\xfa\xf6\x70\x3e\xa5\xe5\xb1\xce\x9e\x86\x51\xa1\xb5\xf6\xe7\xc0\x14\xaf\xa5\xce\xe4\x74\x84\x77\x6b\xd3\xd2\xdd\x30\x0f\x14\xc1\x36\x38\xa9\x3c\x81\x06\x6b\x2f\x2c\x19\x76\xf6\x23\x74\xea\x17\x35\xce\xf7\x92\x51\x49\x22\x44\x89\xfe\x0f\x84\x51\xbe\x7c\xae\x92\xb0\x27\x5d\xc1\x1e\xde\xb6\xd3\x21\x4c\xcc\x66\xca\xbc\xb9\x9c\x73\x0f\x57\x19\xd1\xc9\x0c\xc7\xb4\x34\xf7\xb1\xcd\xbd\xdc\xf6\x36\x1e\x37\xbe\x6d\xdb\x67\x3a\x73\x11\x55\xb9\xc1\xd9\xa6\x65\xe3\x26\xae\x09\x9d\xa3\x38\x80\xed\x98\x8a\x9a\xa2\x2b\x7b\xa3\x6b\xf2\x2f\x11\x27\x6e\x98\xea\xab\xe8\x74\x17\xfd\xfb\x0d\x00\x00\xff\xff\xb8\xc8\x00\x8a\x64\x01\x00\x00" func linksCssBytes() ([]byte, error) { return bindataRead( @@ -189,7 +189,7 @@ func linksCss() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "links.css", size: 354, mode: os.FileMode(420), modTime: time.Unix(1588282077, 0)} + info := bindataFileInfo{name: "links.css", size: 356, mode: os.FileMode(420), modTime: time.Unix(1605116866, 0)} a := &asset{bytes: bytes, info: info} return a, nil } @@ -209,7 +209,7 @@ func linksHtml() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "links.html", size: 666, mode: os.FileMode(420), modTime: time.Unix(1588282081, 0)} + info := bindataFileInfo{name: "links.html", size: 666, mode: os.FileMode(420), modTime: time.Unix(1605116866, 0)} a := &asset{bytes: bytes, info: info} return a, nil } diff --git a/web/web.go b/web/web.go index 6616774..cf47ed6 100644 --- a/web/web.go +++ b/web/web.go @@ -90,6 +90,37 @@ func getLinks(backend backend.Backend, w http.ResponseWriter, r *http.Request) { } } +// Enforces security policies for incoming web requests. +func enforcePolicy(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + switch r.Method { + case http.MethodGet, http.MethodHead, http.MethodOptions: + break + case http.MethodPost: + // prevent CSRF + contentType := r.Header.Get("Content-Type") + if contentType != "application/json;charset=UTF-8" { + http.Error(w, + "Content-Type header for POST requests must be \"application/json;charset=UTF-8\"", + http.StatusForbidden) + return + } + fallthrough + default: + // prevent CSRF + requestedWith := r.Header.Get("X-Requested-With") + if requestedWith == "" { + http.Error(w, + "X-Requested-With header must be non-empty", + http.StatusForbidden) + return + } + } + + next.ServeHTTP(w, r) + }) +} + // ListenAndServe sets up all web routes, binds the port and handles incoming // web requests. func ListenAndServe(backend backend.Backend) error { @@ -138,5 +169,7 @@ func ListenAndServe(backend backend.Backend) error { mux.Handle("/admin/", &adminHandler{backend}) } - return http.ListenAndServe(addr, mux) + handler := enforcePolicy(mux) + + return http.ListenAndServe(addr, handler) }