Mirrors/linx-server
1
0
Fork 0
mirror of https://github.com/ZizzyDizzyMC/linx-server.git synced 2026-01-23 02:14:33 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

add strict referrer check for POST uploads

Browse source 
This should protect against cross-site request forgery without the need
for cookies. It continues to allow requests with Linx-Delete-Key,
Linx-Expiry, or Linx-Randomize headers as these will not be set in the
case of cross-site requests.
This commit is contained in:
mutantmonkey 2015-10-08 20:27:04 -07:00
parent a60a7cc9e6
commit 6ff181facb
4 changed files with 120 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

86
server_test.go
View file

@ -119,6 +119,7 @@ func TestPostCodeUpload(t *testing.T) {
}
req.PostForm = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Referer", Config.siteURL)
goji.DefaultMux.ServeHTTP(w, req)
@ -131,6 +132,84 @@ func TestPostCodeUpload(t *testing.T) {
}
}
func TestPostCodeUploadWhitelistedHeader(t *testing.T) {
w := httptest.NewRecorder()
filename := generateBarename()
extension := "txt"
form := url.Values{}
form.Add("content", "File content")
form.Add("filename", filename)
form.Add("extension", extension)
req, err := http.NewRequest("POST", "/upload/", nil)
if err != nil {
t.Fatal(err)
}
req.PostForm = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Linx-Expiry", "0")
goji.DefaultMux.ServeHTTP(w, req)
if w.Code != 301 {
t.Fatalf("Status code is not 301, but %d", w.Code)
}
}
func TestPostCodeUploadNoReferrer(t *testing.T) {
w := httptest.NewRecorder()
filename := generateBarename()
extension := "txt"
form := url.Values{}
form.Add("content", "File content")
form.Add("filename", filename)
form.Add("extension", extension)
req, err := http.NewRequest("POST", "/upload/", nil)
if err != nil {
t.Fatal(err)
}
req.PostForm = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
goji.DefaultMux.ServeHTTP(w, req)
if w.Code != 400 {
t.Fatalf("Status code is not 400, but %d", w.Code)
}
}
func TestPostCodeUploadBadOrigin(t *testing.T) {
w := httptest.NewRecorder()
filename := generateBarename()
extension := "txt"
form := url.Values{}
form.Add("content", "File content")
form.Add("filename", filename)
form.Add("extension", extension)
req, err := http.NewRequest("POST", "/upload/", nil)
if err != nil {
t.Fatal(err)
}
req.PostForm = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Referer", Config.siteURL)
req.Header.Set("Origin", "http://example.com/")
goji.DefaultMux.ServeHTTP(w, req)
if w.Code != 400 {
t.Fatalf("Status code is not 400, but %d", w.Code)
}
}
func TestPostCodeExpiryJSONUpload(t *testing.T) {
w := httptest.NewRecorder()
@ -146,6 +225,7 @@ func TestPostCodeExpiryJSONUpload(t *testing.T) {
req.PostForm = form
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Accept", "application/json")
req.Header.Set("Referer", Config.siteURL)
goji.DefaultMux.ServeHTTP(w, req)
@ -192,6 +272,7 @@ func TestPostUpload(t *testing.T) {
req, err := http.NewRequest("POST", "/upload/", &b)
req.Header.Set("Content-Type", mw.FormDataContentType())
req.Header.Set("Referer", Config.siteURL)
if err != nil {
t.Fatal(err)
}
@ -225,6 +306,7 @@ func TestPostJSONUpload(t *testing.T) {
req, err := http.NewRequest("POST", "/upload/", &b)
req.Header.Set("Content-Type", mw.FormDataContentType())
req.Header.Set("Accept", "application/json")
req.Header.Set("Referer", Config.siteURL)
if err != nil {
t.Fatal(err)
}
@ -279,6 +361,7 @@ func TestPostExpiresJSONUpload(t *testing.T) {
req, err := http.NewRequest("POST", "/upload/", &b)
req.Header.Set("Content-Type", mw.FormDataContentType())
req.Header.Set("Accept", "application/json")
req.Header.Set("Referer", Config.siteURL)
if err != nil {
t.Fatal(err)
}
@ -339,6 +422,7 @@ func TestPostRandomizeJSONUpload(t *testing.T) {
req, err := http.NewRequest("POST", "/upload/", &b)
req.Header.Set("Content-Type", mw.FormDataContentType())
req.Header.Set("Accept", "application/json")
req.Header.Set("Referer", Config.siteURL)
if err != nil {
t.Fatal(err)
}
@ -382,6 +466,7 @@ func TestPostEmptyUpload(t *testing.T) {
req, err := http.NewRequest("POST", "/upload/", &b)
req.Header.Set("Content-Type", mw.FormDataContentType())
req.Header.Set("Referer", Config.siteURL)
if err != nil {
t.Fatal(err)
}
@ -416,6 +501,7 @@ func TestPostEmptyJSONUpload(t *testing.T) {
req, err := http.NewRequest("POST", "/upload/", &b)
req.Header.Set("Content-Type", mw.FormDataContentType())
req.Header.Set("Accept", "application/json")
req.Header.Set("Referer", Config.siteURL)
if err != nil {
t.Fatal(err)
}