From fd7dd7390fca86d4ec4e8879f2cb0dccc0652c2b Mon Sep 17 00:00:00 2001
From: forest
Date: Fri, 22 May 2020 16:04:47 -0500
Subject: [PATCH] implement anti-csrf measures in all posted forms
---
 capsulflask/auth.py | 6 ++++-
 capsulflask/console.py | 30 ++++++++++++++++++----
 capsulflask/templates/capsul-detail.html | 2 ++
 capsulflask/templates/create-capsul.html | 1 +
 capsulflask/templates/ssh-public-keys.html | 2 ++
 5 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/capsulflask/auth.py b/capsulflask/auth.py
index 5509702..038b692 100644
--- a/capsulflask/auth.py
+++ b/capsulflask/auth.py
@@ -1,6 +1,8 @@
 import functools
 import re
+from nanoid import generate
+
 from flask import Blueprint
 from flask import flash
 from flask import current_app
@@ -22,7 +24,7 @@ def account_required(view):
 @functools.wraps(view)
 def wrapped_view(**kwargs):
- if session.get("account") is None:
+ if session.get("account") is None or session.get("csrf-token") is None :
 return redirect(url_for("auth.login"))
 return view(**kwargs)
@@ -69,6 +71,8 @@ def magiclink(token):
 if email is not None:
 session.clear()
 session["account"] = email
+ session["csrf-token"] = generate()
+
 return redirect(url_for("console.index"))
 else:
 # this is here to prevent xss
diff --git a/capsulflask/console.py b/capsulflask/console.py
index 75e8500..edc67f1 100644
--- a/capsulflask/console.py
+++ b/capsulflask/console.py
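Review bot: The `from nanoid import generate` line adds a third-party package purely to mint a per-session token, and the diffstat shows no dependency-manifest change alongside it. The standard library's `secrets.token_urlsafe(32)` gives a CSPRNG-backed token of comparable length without a new dependency. If `nanoid` is kept, confirm it is declared in the project's requirements and that `generate()` draws from a cryptographically secure source (py-nanoid does, as far as I recall, but I cannot verify that from this diff).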
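Review bot: The new condition in `wrapped_view` has a stray space before the colon, `is None :`, which should read `is None:`. Since this line now also evicts any pre-existing session that carries an account but no token, a short why-comment would help the next reader: `# sessions minted before the CSRF token existed (or with it stripped) must log in again to get one`. `account_required`'s opening line sits above the hunk.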
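Review bot: The session key introduced by `session["csrf-token"] = generate()` is repeated as a bare string literal here and in the three checks in console.py, so a typo in any one of them silently disables the protection for that view. Hoisting it to a module-level constant such as `CSRF_SESSION_KEY = "csrf-token"` that console.py imports keeps the session key and the form field name in one place. A one-line comment, `# minted once per login; every POST handler compares the posted csrf-token against this value`, would also record the contract. `magiclink`'s body continues outside the hunk.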
@@ -85,9 +85,17 @@ def detail(id):
 return render_template("capsul-detail.html", vm=vm, delete=True, deleted=True)
 if request.method == "POST":
- if 'are_you_sure' not in request.form or not request.form['are_you_sure']:
+ if "csrf-token" not in request.form or request.form['csrf-token'] != session['csrf-token']:
+ return abort(418, f"u want tea")
- return render_template("capsul-detail.html", vm=vm, delete=True, deleted=False)
+ if 'are_you_sure' not in request.form or not request.form['are_you_sure']:
+ return render_template(
+ "capsul-detail.html",
+ csrf_token = session["csrf-token"],
+ vm=vm,
+ delete=True,
+ deleted=False
+ )
 else:
 current_app.logger.info(f"deleting {vm['id']} per user request ({session['account']})")
 current_app.config["VIRTUALIZATION_MODEL"].destroy(email=session['account'], id=id)
@@ -102,7 +110,9 @@ def detail(id):
 return render_template(
 "capsul-detail.html",
- vm=vm, delete=False,
+ csrf_token = session["csrf-token"],
+ vm=vm,
+ delete=False,
 durations=list(map(lambda x: x.strip("_"), metric_durations.keys())),
 duration=duration
 )
@@ -119,6 +129,8 @@ def create():
 errors = list()
 if request.method == "POST":
+ if "csrf-token" not in request.form or request.form['csrf-token'] != session['csrf-token']:
+ return abort(418, f"u want tea")
 size = request.form["size"]
 os = request.form["os"]
@@ -193,6 +205,7 @@ def create():
 return render_template(
 "create-capsul.html",
+ csrf_token = session["csrf-token"],
 capacity_avaliable=capacity_avaliable,
 account_balance=format(account_balance, '.2f'),
 ssh_public_keys=ssh_public_keys,
@@ -209,6 +222,9 @@ def ssh_public_keys():
 errors = list()
 if request.method == "POST":
+ if "csrf-token" not in request.form or request.form['csrf-token'] != session['csrf-token']:
+ return abort(418, f"u want tea")
+
 method = request.form["method"]
 content = None
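Review bot: The check `request.form['csrf-token'] != session['csrf-token']` in this hunk is repeated verbatim in @@ -119,6 and @@ -209,6, and in all three places it compares the secret with `!=`, which stops at the first differing byte; `hmac.compare_digest` is the conventional constant-time comparison for a token check. The same lines `return abort(418, f"u want tea")`: `abort()` raises, so the `return` is dead code, the f-string has no placeholders, and 418 is a joke status that clients and log filters will not recognise as an authorization failure, whereas 403 is what a failed CSRF check conventionally returns. `session['csrf-token']` is also a bare subscript that raises `KeyError` on a session without the key, which is only safe if every one of these views is wrapped by `account_required` — their decorators sit outside these hunks, so I cannot confirm it. Factoring the check into one helper (which needs `import hmac` in the module's import block) fixes all of this in one place; `detail`'s signature is outside the hunk.
```python
def _check_csrf_token():
    """Abort with 403 unless the posted csrf-token matches the one in the session."""
    expected = session.get("csrf-token")
    submitted = request.form.get("csrf-token", "")
    # compare_digest keeps the comparison time independent of where the strings differ
    if not expected or not hmac.compare_digest(submitted, expected):
        abort(403, "missing or invalid csrf token")

# … in detail(), create() and ssh_public_keys(), replacing the inline check …
    if request.method == "POST":
        _check_csrf_token()
```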
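Review bot: `csrf_token = session["csrf-token"]` is threaded by hand into this `render_template` call and into the ones in @@ -85,9, @@ -193,6 and @@ -254,7, so any render path that omits it produces a form whose hidden field renders as an empty string and whose submission is then rejected; the `deleted=True` render at the top of @@ -85,9 is one such path, if that page still contains a form (the template is not visible here). Registering a `context_processor` on the console blueprint that returns `{"csrf_token": session.get("csrf-token")}` supplies the value to every template without per-call plumbing. On style, keyword arguments in a call take no spaces around `=` (PEP 8), so this should read `csrf_token=session["csrf-token"],`.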
@@ -223,7 +239,6 @@ def ssh_public_keys():
 else:
 errors.append("Name is required")
 if not re.match(r"^[0-9A-Za-z_@. -]+$", name):
- print(name)
 errors.append("Name must match \"^[0-9A-Za-z_@. -]+$\"")
 if method == "POST":
@@ -254,7 +269,12 @@ def ssh_public_keys():
 get_model().list_ssh_public_keys_for_account(session["account"])
 ))
- return render_template("ssh-public-keys.html", ssh_public_keys=keys_list, has_ssh_public_keys=len(keys_list) > 0)
+ return render_template(
+ "ssh-public-keys.html",
+ csrf_token = session["csrf-token"],
+ ssh_public_keys=keys_list,
+ has_ssh_public_keys=len(keys_list) > 0
+ )
 def get_vms():
 if 'user_vms' not in g:
diff --git a/capsulflask/templates/capsul-detail.html b/capsulflask/templates/capsul-detail.html
index 8df6cd3..8636ef2 100644
--- a/capsulflask/templates/capsul-detail.html
+++ b/capsulflask/templates/capsul-detail.html
@@ -24,6 +24,7 @@
+
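Review bot: The added line in this hunk (and likewise in @@ -79,6, create-capsul.html @@ -37,6 and ssh-public-keys.html @@ -28,6) is not preserved in this rendering, so I can only state the contract it has to satisfy: the hidden input's `name` must be exactly `csrf-token`, because console.py reads `request.form['csrf-token']`, and its value must come from the `csrf_token` context variable, which Flask's autoescaping for `.html` templates renders safely. If any of these forms is rendered by a view that does not pass `csrf_token`, Jinja's default `Undefined` prints an empty string and the submission will always be rejected, so each rendering view should be checked against the hidden field.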
@@ -79,6 +80,7 @@
+
diff --git a/capsulflask/templates/create-capsul.html b/capsulflask/templates/create-capsul.html
index c736101..298763c 100644
--- a/capsulflask/templates/create-capsul.html
+++ b/capsulflask/templates/create-capsul.html
@@ -37,6 +37,7 @@
 {% else %}
+
+
{{ ssh_public_key['name'] }} {{ ssh_public_key['content'] }}
@@ -28,6 +29,7 @@
+