add CSRF protection

2024-11-01 01:29:26 +01:00 · 2022-01-22 18:21:59 -05:00 · 2022-01-22 18:21:59 -05:00 · 5052b491f6
commit 5052b491f6
parent 315759fd52
11 changed files with 102 additions and 63 deletions
--- a/README.md
+++ b/README.md
@ -43,7 +43,7 @@ Most icons were provided by [fontawesome](https://fontawesome.com/) under this [

 ## Installation

-1. Install the [go](https://go.dev/) compiler. __Make sure your have go 1.17 or higher.__ 
+1. Install the [go](https://go.dev/) compiler. __Make sure you have go 1.17 or higher.__ 
 2. Download the release and unzip it, or clone the repo
   
   ```git clone https://github.com/syssecfsu/witty.git```
@ -76,11 +76,15 @@ Most icons were provided by [fontawesome](https://fontawesome.com/) under this [

   ```./witty run -naked htop```    

-7. Connect to the server, for example
+   You can also specify the port number WiTTY listens on with ```-p/port```. For example:
+
+   ```./witty run -p 9090 ssh 192.168.1.2```
+
+7. Connect to the server with your browser, using port 8080 or the one specified in step 6, for example

   ```https://<witty_server_ip>:8080```

-8. You can also replay the recorded sessions with witty
+8. You can also replay the recorded sessions with witty. Set your terminal window to 120x36 before using this. 

   ```./witty replay -w 500 records/<recorded file>.scr```

--- a/assets/template/index.html
+++ b/assets/template/index.html
@ -28,10 +28,11 @@
          WiTTY: Web-based interactive TTY
        </a>
        <div class="btn-toolbar float-end" role="toolbar" aria-label="top buttons">
-          <a class="btn btn-primary btn-sm  m-1" href="/new" onClick="setTimeout(function(){refresh(true)}, 1000)"
-            target="_blank" role="button">
-            New Session
-          </a>
+          <form action="/new" method="post" target="_blank" onsubmit="setTimeout(function(){refresh(true)}, 1000)">
+            {{.csrfField}}
+            <button class="btn btn-primary btn-sm  m-1" type="submit">New Session</button>
+          </form>
+
          <a class="btn btn-primary btn-sm  m-1 {{.disabled}}" href="/logout" role="button">
            Logout
          </a>
@ -65,7 +66,13 @@
    var active_tab = 0

    function del_btn(path) {
-      fetch("/delete/" + path)
+      let formData = new FormData()
+      formData.append('gorilla.csrf.Token', {{.csrfToken}})
+
+      fetch("/delete/" + path, {
+        method: "POST",
+        body: formData,
+      })
      setTimeout(function () {
        refresh(true)
      }, 20);
--- a/assets/template/login.html
+++ b/assets/template/login.html
@ -38,6 +38,9 @@
                <label for="passwd">Password</label>
            </div>

+            <div class="form-floating">
+            {{.csrfField}}
+            </div>
            <button class="w-100 btn btn-lg btn-primary mt-5" type="submit">Sign in</button>
            <p class="mt-5 mb-3 text-muted">WiTTY: Web-based Interactive TTY</p>
        </form>
--- a/assets/template/term.html
+++ b/assets/template/term.html
@ -23,7 +23,8 @@
    <nav class="navbar navbar-light bg-light shadow-sm navbar-xs">
      <div class="container-fluid">
        <a class="navbar-brand mx-auto" href="https://github.com/syssecfsu/witty" target="_blank">
-          <img src="/assets/img/{{.logo}}.svg" style="margin-right: 0.5rem;" height="32" class="d-inline-block align-text-top">
+          <img src="/assets/img/{{.logo}}.svg" style="margin-right: 0.5rem;" height="32"
+            class="d-inline-block align-text-top">
          {{.title}}
        </a>
        <button type="button" id="record_onoff" class="btn btn-primary btn-sm float-end" value="Record"
@ -41,15 +42,24 @@

  <script>
    function recordOnOff(on) {
+      let formData = new FormData()
+      formData.append('gorilla.csrf.Token', {{.csrfToken}})
+
      var btn = document.getElementById("record_onoff");
      if (btn.value == "Record") {
        btn.value = "Stop";
        btn.innerHTML = btn.value
-        fetch("/record/{{.id}}")
+        fetch("/record/{{.id}}", {
+          method: "POST",
+          body: formData,
+        })
      } else {
        btn.value = "Record";
        btn.innerHTML = btn.value
-        fetch("/stop/{{.id}}")
+        fetch("/stop/{{.id}}", {
+          method: "POST",
+          body: formData,
+        })
      }
    }

--- a/go.mod
+++ b/go.mod
@ -15,6 +15,7 @@ require (
 	github.com/gorilla/context v1.1.1 // indirect
 	github.com/gorilla/securecookie v1.1.1 // indirect
 	github.com/gorilla/sessions v1.2.1 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 )

 require (
@ -24,6 +25,8 @@ require (
 	github.com/go-playground/universal-translator v0.17.0 // indirect
 	github.com/go-playground/validator/v10 v10.4.1 // indirect
 	github.com/golang/protobuf v1.3.3 // indirect
+	github.com/gorilla/csrf v1.7.1
+	github.com/gwatts/gin-adapter v0.0.0-20170508204228-c44433c485ad
 	github.com/json-iterator/go v1.1.9 // indirect
 	github.com/leodido/go-urn v1.2.0 // indirect
 	github.com/mattn/go-isatty v0.0.12 // indirect
--- a/go.sum
+++ b/go.sum
@ -28,6 +28,8 @@ github.com/gomodule/redigo v2.0.0+incompatible/go.mod h1:B4C85qUVwatsJoIUNIfCRsp
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8=
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
+github.com/gorilla/csrf v1.7.1 h1:Ir3o2c1/Uzj6FBxMlAUB6SivgVMy1ONXwYgXn+/aHPE=
+github.com/gorilla/csrf v1.7.1/go.mod h1:+a/4tCmqhG6/w4oafeAZ9pEa3/NZOWYVbD9fV0FwIQA=
 github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/sessions v1.1.1/go.mod h1:8KCfur6+4Mqcc6S0FEfKuN15Vl5MgXW92AE8ovaJD0w=
@ -35,6 +37,8 @@ github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7Fsg
 github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
 github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gwatts/gin-adapter v0.0.0-20170508204228-c44433c485ad h1:eGCbPkMnsg02jXBIxxXn1Fxep9dAuTUvEi6UdJsbOhg=
+github.com/gwatts/gin-adapter v0.0.0-20170508204228-c44433c485ad/go.mod h1:XywyZk8euPjg6CVt44eMyHjv0sZUiHbHtBnFKgmvj8I=
 github.com/json-iterator/go v1.1.9 h1:9yzud/Ht36ygwatGx56VwCZtlI/2AD15T1X2sjSuGns=
 github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/leodido/go-urn v1.2.0 h1:hpXL4XnriNwQ/ABnpepYM/1vCLWNDfUNts8dX3xTG6Y=
@ -45,6 +49,8 @@ github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421 h1:ZqeYNhU3OH
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742 h1:Esafd1046DLDQ0W1YjYsBW+p8U2u7vzgW2SQVmlNazg=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
--- a/main.go
+++ b/main.go
@ -17,9 +17,12 @@ func main() {
 	}

 	var naked bool
+	var port uint
 	runCmd := flag.NewFlagSet("run", flag.ExitOnError)
 	runCmd.BoolVar(&naked, "n", false, "Run WiTTY without user authentication")
 	runCmd.BoolVar(&naked, "naked", false, "Run WiTTY without user authentication")
+	runCmd.UintVar(&port, "p", 8080, "Port number to listen on")
+	runCmd.UintVar(&port, "port", 8080, "Port number to listen on")

 	var wait uint
 	replayCmd := flag.NewFlagSet("replay", flag.ExitOnError)
@ -65,7 +68,6 @@ func main() {
 		runCmd.Parse(os.Args[2:])

 		var cmdToExec []string
-
 		args := runCmd.Args()
 		if len(args) > 0 {
 			cmdToExec = args
@ -73,7 +75,7 @@ func main() {
 			cmdToExec = []string{"bash"}
 		}

-		web.StartWeb(fp, cmdToExec, naked)
+		web.StartWeb(fp, cmdToExec, naked, uint16(port))

 	default:
 		fmt.Println("witty (adduser|deluser|replay|run)")
--- a/term_conn/relay.go
+++ b/term_conn/relay.go
@ -36,12 +36,22 @@ const (
 	stopCmd   = 0
 )

+// simple function to check origin
+func checkOrigin(r *http.Request) bool {
+	org := r.Header.Get("Origin")
+
+	if org != "https://"+r.Host {
+		log.Println("Failed origin check of ", org, r.Host)
+		return false
+	}
+
+	return true
+}
+
 var upgrader = websocket.Upgrader{
 	ReadBufferSize:  readBufferSize,
 	WriteBufferSize: WriteBufferSize,
-	CheckOrigin: func(r *http.Request) bool {
-		return true
-	},
+	CheckOrigin:     checkOrigin,
 }

 // TermConn represents the connected websocket and pty.
@ -420,8 +430,7 @@ func ConnectTerm(w http.ResponseWriter, r *http.Request, isViewer bool, name str
 	}
 }

-func Init(checkOrigin func(r *http.Request) bool) {
-	upgrader.CheckOrigin = checkOrigin
+func Init() {
 	registry.init()
 }

--- a/web/auth.go
+++ b/web/auth.go
@ -6,6 +6,7 @@ import (

 	"github.com/gin-gonic/contrib/sessions"
 	"github.com/gin-gonic/gin"
+	"github.com/gorilla/csrf"
 )

 const (
@ -48,7 +49,6 @@ func login(c *gin.Context) {
 		return
 	}

-	host = &c.Request.Host
 	c.Redirect(http.StatusSeeOther, "/")
 }

@ -88,5 +88,10 @@ func loginPage(c *gin.Context) {
 		msg = "Login first"
 	}

-	c.HTML(http.StatusOK, "login.html", gin.H{"msg": msg})
+	c.HTML(http.StatusOK, "login.html",
+		gin.H{
+			"msg":       msg,
+			"csrfField": csrf.TemplateField(c.Request),
+		},
+	)
 }
--- a/web/interactive.go
+++ b/web/interactive.go
@ -5,6 +5,7 @@ import (

 	"github.com/dchest/uniuri"
 	"github.com/gin-gonic/gin"
+	"github.com/gorilla/csrf"
 	"github.com/syssecfsu/witty/term_conn"
 )

@ -27,14 +28,18 @@ func collectSessions(c *gin.Context, cmd string) (players []InteractiveSession)
 }

 func indexPage(c *gin.Context) {
-	host = &c.Request.Host
 	var disabled = ""

 	if noAuth {
 		disabled = "disabled"
 	}

-	c.HTML(http.StatusOK, "index.html", gin.H{"disabled": disabled})
+	c.HTML(http.StatusOK, "index.html",
+		gin.H{
+			"disabled":  disabled,
+			"csrfField": csrf.TemplateField(c.Request),
+			"csrfToken": csrf.Token(c.Request),
+		})
 }

 func updateIndex(c *gin.Context) {
@ -63,10 +68,6 @@ func updateIndex(c *gin.Context) {
 }

 func newInteractive(c *gin.Context) {
-	if host == nil {
-		host = &c.Request.Host
-	}
-
 	id := uniuri.New()

 	c.HTML(http.StatusOK, "term.html", gin.H{
@ -74,6 +75,7 @@ func newInteractive(c *gin.Context) {
 		"path":      "/ws_new/" + id,
 		"id":        id,
 		"logo":      "keyboard",
+		"csrfToken": csrf.Token(c.Request),
 	})
 }

@ -89,6 +91,7 @@ func viewPage(c *gin.Context) {
 		"path":      "/ws_view/" + id,
 		"id":        id,
 		"logo":      "view",
+		"csrfToken": csrf.Token(c.Request),
 	})
 }

--- a/web/routing.go
+++ b/web/routing.go
@ -1,38 +1,21 @@
 package web

 import (
-	"log"
-	"net/http"
-	"net/url"
 	"os"
+	"strconv"

 	"github.com/dchest/uniuri"
 	"github.com/gin-gonic/contrib/sessions"
 	"github.com/gin-gonic/gin"
+	"github.com/gorilla/csrf"
+	adapter "github.com/gwatts/gin-adapter"
 	"github.com/syssecfsu/witty/term_conn"
 )

-var host *string = nil
 var cmdToExec []string
 var noAuth bool

-// simple function to check origin
-func checkOrigin(r *http.Request) bool {
-	org := r.Header.Get("Origin")
-	h, err := url.Parse(org)
-
-	if err != nil {
-		return false
-	}
-
-	if (host == nil) || (*host != h.Host) {
-		log.Println("Failed origin check of ", org)
-	}
-
-	return (host != nil) && (*host == h.Host)
-}
-
-func StartWeb(fp *os.File, cmd []string, naked bool) {
+func StartWeb(fp *os.File, cmd []string, naked bool, port uint16) {
 	cmdToExec = cmd
 	noAuth = naked

@ -47,6 +30,10 @@ func StartWeb(fp *os.File, cmd []string, naked bool) {
 	store := sessions.NewCookieStore([]byte(uniuri.NewLen(32)))
 	rt.Use(sessions.Sessions("witty-session", store))

+	csrfHttp := csrf.Protect([]byte(uniuri.NewLen(32)), csrf.SameSite(csrf.SameSiteStrictMode))
+	csrfGin := adapter.Wrap(csrfHttp)
+	rt.Use(csrfGin)
+
 	rt.SetTrustedProxies(nil)
 	rt.LoadHTMLGlob("./assets/template/*")
 	// handle static files
@ -71,7 +58,7 @@ func StartWeb(fp *os.File, cmd []string, naked bool) {
 	g1.GET("/update/:active", updateIndex)

 	// create a new interactive session
-	g1.GET("/new", newInteractive)
+	g1.POST("/new", newInteractive)
 	g1.GET("/ws_new/:id", newTermConn)

 	// create a viewer of an interactive session
@ -79,15 +66,15 @@ func StartWeb(fp *os.File, cmd []string, naked bool) {
 	g1.GET("/ws_view/:id", newViewWS)

 	// start/stop recording the session
-	g1.GET("/record/:id", startRecord)
-	g1.GET("/stop/:id", stopRecord)
+	g1.POST("/record/:id", startRecord)
+	g1.POST("/stop/:id", stopRecord)

 	// create a viewer of an interactive session
 	g1.GET("/replay/:id", replayPage)

 	// delete a recording
-	g1.GET("/delete/:fname", delRec)
+	g1.POST("/delete/:fname", delRec)

-	term_conn.Init(checkOrigin)
-	rt.RunTLS(":8080", "./tls/cert.pem", "./tls/private-key.pem")
+	term_conn.Init()
+	rt.RunTLS(":"+strconv.FormatUint(uint64(port), 10), "./tls/cert.pem", "./tls/private-key.pem")
 }