Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add CSRF plugin #5727

Merged
merged 29 commits into from
Jan 18, 2022
Merged
Changes from 2 commits
Commits
Show all changes
29 commits
Select commit Hold shift + click to select a range
ad8c54d
feat: add csrf plugin
Baoyuantop Dec 7, 2021
843a6ff
fix: format code
Baoyuantop Dec 8, 2021
e40347b
feat: add plugin docs
Baoyuantop Dec 13, 2021
af25b19
fix: adjust code
Baoyuantop Dec 14, 2021
b1032e7
fix: add docs in config.json
Baoyuantop Dec 20, 2021
0ea8477
Merge branch 'master' into feat-csrf
Baoyuantop Dec 20, 2021
2a52163
fix: add plugin in plugins.t
Baoyuantop Dec 22, 2021
55d656f
fix: format code
Baoyuantop Dec 28, 2021
7a61185
Update apisix/plugins/csrf.lua
Baoyuantop Dec 29, 2021
a03da0a
docs: modify inappropriate descriptions
Baoyuantop Dec 29, 2021
7d14375
Merge branch 'feat-csrf' of github.com:Baoyuantop/apisix into feat-csrf
Baoyuantop Dec 29, 2021
6413427
fix: change read cookie method
Baoyuantop Dec 30, 2021
15c9802
fix: change variable name and add two blank lines
Baoyuantop Dec 30, 2021
b52d042
Update docs/en/latest/plugins/csrf.md
Baoyuantop Dec 30, 2021
9c42231
fix: add SameSite for cookie
Baoyuantop Dec 31, 2021
45065bb
fix: move plugin name
Baoyuantop Dec 31, 2021
a4b284e
test: fix plugins test
Baoyuantop Dec 31, 2021
6c999e6
Update docs/zh/latest/plugins/csrf.md
Baoyuantop Dec 31, 2021
165b8ad
fix: improved documentation
Baoyuantop Jan 5, 2022
2e3dd65
Merge branch 'feat-csrf' of github.com:Baoyuantop/apisix into feat-csrf
Baoyuantop Jan 5, 2022
d05242e
docs: optimize documents
Baoyuantop Jan 6, 2022
a219794
test: add some tests
Baoyuantop Jan 10, 2022
7eb2e9f
fix: lint test code
Baoyuantop Jan 10, 2022
7eb2524
test: perfect test
Baoyuantop Jan 12, 2022
2454909
fix: lint code
Baoyuantop Jan 12, 2022
d439243
fix: update test
Baoyuantop Jan 14, 2022
d0f1f71
test: add space before number
Baoyuantop Jan 14, 2022
cfff42a
fix: optimization code
Baoyuantop Jan 16, 2022
9305e2b
Update apisix/plugins/csrf.lua
Baoyuantop Jan 18, 2022
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
169 changes: 169 additions & 0 deletions apisix/plugins/csrf.lua
Original file line number Diff line number Diff line change
@@ -0,0 +1,169 @@
--
-- Licensed to the Apache Software Foundation (ASF) under one or more
-- contributor license agreements. See the NOTICE file distributed with
-- this work for additional information regarding copyright ownership.
-- The ASF licenses this file to You under the Apache License, Version 2.0
-- (the "License"); you may not use this file except in compliance with
-- the License. You may obtain a copy of the License at
--
-- http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
--
local core = require("apisix.core")
local ngx = ngx
local plugin_name = "csrf"
local ngx_encode_base64 = ngx.encode_base64
local ngx_decode_base64 = ngx.decode_base64
local request_method = ngx.var.request_method
local timer = ngx.time
local cookie_time = ngx.cookie_time
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For code style consistency can we use ngx_cookie_time instead of cookie_time?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree

local ck = require "resty.cookie"
local math = math

local schema = {
type = "object",
properties = {
key = {
description = "use to generate csrf token",
type = "string",
},
expires = {
description = "expires time for csrf token",
type = "integer",
default = 7200
},
name = {
description = "the csrf token name",
type = "string",
default = "apisix_csrf_token"
}
},
required = {"key"}
}

local _M = {
version = 0.1,
priority = 3500,
name = plugin_name,
schema = schema,
}

function _M.check_schema(conf)
return core.schema.check(schema, conf)
end


local function gen_sign(random, expires, key)
local resty_sha256 = require "resty.sha256"
local sha256 = resty_sha256:new()

local sign = {
random = random,
expires = expires,
key = key,
}

sha256:update(core.json.encode(sign))
local digest = sha256:final()

return ngx_encode_base64(digest)
end


local function gen_csrf_token(conf)
local random = math.random();
local sign = gen_sign(random, conf.expires, conf.key)

local token = {
random = random,
expires = conf.expires,
sign = sign,
}

local cookie = ngx_encode_base64(core.json.encode(token))
return cookie
end


local function check_csrf_token(conf, ctx, token)
local _token = ngx_decode_base64(token)
local _token_table, err = core.json.decode(_token)
if err then
core.log.error("decode token error: ", err)
return false
end

local random = _token_table["random"]
if not random then
core.log.warn("no random in token")
return false
end

local expires = _token_table["expires"]
if not expires then
core.log.warn("no expires in token")
return false
end

local sign = gen_sign(random, expires, conf.key)
if _token_table["sign"] ~= sign then
return false
end

return true
end


function _M.access(conf, ctx)
local method = request_method
if method == 'GET' then
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why skip GET?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here a port is needed for getting the csrf token, and if all of them are blocked, the cookie may not be placed. Therefore, CORS on this port should be configured carefully, as I will explain in the documentation.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This type of request has no side effects and does not need to accept protection, but of course, I will add the corresponding instructions in the documentation.

return
end

local token = core.request.header(ctx, conf.name)
if not token then
return 401, {error_msg = "no csrf token in request header"}
end

local cookie, err = ck:new()
if not cookie then
return nil, err
end

local field_cookie, err = cookie:get(conf.name)
if not field_cookie then
return 401, {error_msg = "no csrf cookie"}
end

if err then
core.log.error(err)
return 500, {error_msg = "read csrf cookie failed"}
end

if token ~= field_cookie then
return 401, {error_msg = "csrf token mismatch"}
end

local result = check_csrf_token(conf, ctx, token)
if not result then
return 401, {error_msg = "Failed to verify the csrf token signature"}
end
end


function _M.header_filter(conf, ctx)
local method = request_method
if method == 'GET' then
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why only set cookie for GET?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OPTIONS has been added to take into account cross-domain requests.

local csrf_token = gen_csrf_token(conf)
core.response.add_header("Set-Cookie", {conf.name .. "=" .. csrf_token
.. ";path=/;Expires="
.. cookie_time(timer() + conf.expires)})
end
end

return _M
1 change: 1 addition & 0 deletions conf/config-default.yaml
Original file line number Diff line number Diff line change
@@ -309,6 +309,7 @@ plugins: # plugin list (sorted by priority)
- serverless-pre-function # priority: 10000
- batch-requests # priority: 4010
- cors # priority: 4000
- csrf # priority: 3500
- ip-restriction # priority: 3000
- ua-restriction # priority: 2999
- referer-restriction # priority: 2990