v1.0.7: Fix broken CSRF protection

Neztore · Aug 2, 2020 · 05409a7 · 05409a7
1 parent ab7f29a
commit 05409a7
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 8 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "save-server",
-  "version": "1.0.6",
+  "version": "1.0.7",
   "description": "A ShareX server built on Express, Bulma and SQLite with User support.",
   "main": "index.js",
   "scripts": {

diff --git a/server/api/files.js b/server/api/files.js
@@ -4,6 +4,7 @@ const { errorCatch, generateFileName, errorGenerator, dest, prettyError, validFi
 const multer = require("multer");
 const db = require("../util/db");
 const auth = require("../middleware/auth");
+const csrf = require("../middleware/csrf");
 const fs = require("fs");
 const path = require("path");
 const { isAlphanumeric, isLength, isAscii } = require("validator");
@@ -83,7 +84,7 @@ async function getFile (req, res, next) {
 }
 files.get("/:id", errorCatch(getFile));
 
-files.use(auth);
+files.use(auth.header);
 
 // Supports uploading multiple files, even though ShareX doesn't.
 files.post("/", upload.array("files", 10), errorCatch(async function (req, res) {
@@ -104,7 +105,7 @@ files.post("/", upload.array("files", 10), errorCatch(async function (req, res)
 		res.status(400).send(errorGenerator(400, "No file upload detected!"));
 	}
 }));
-
+files.use(csrf);
 files.delete("/:id", errorCatch(async function (req, res, next) {
 	if (req.params.id && validFile(req.params.id)) {
 		const without = removeExt(req.params.id);

diff --git a/server/index.js b/server/index.js
@@ -21,7 +21,6 @@ app.set("view engine", "ejs");
 app.enable("trust proxy");
 app.use(bodyParser.json());
 app.use(cookie());
-app.use(csrf)
 app.set("x-powered-by", "false");
 
 
@@ -34,6 +33,7 @@ app.use("/favicon.ico", express.static(path.join(client, "favicon.ico")));
 
 // Routes
 app.use("/api/files", files.router);
+app.use(csrf)
 app.use("/api/users", users);
 app.use("/api/links", links);
 app.use("/api/links", links);

diff --git a/server/middleware/auth.js b/server/middleware/auth.js
@@ -3,8 +3,8 @@ const { errors, adminUser } = require("../util");
 const db = require("../util/db");
 const { isLength, isAscii } = require("validator");
 
-async function checkToken (req) {
-	let authorization = req.headers.authorization ? req.headers.authorization : req.cookies.authorization;
+async function checkToken (req, useCookie) {
+	let authorization = useCookie ? req.cookies.authorization : req.headers.authorization;
 	if (!authorization || !isAscii(authorization)) {
 		return false;
 	} else {
@@ -29,8 +29,10 @@ async function checkToken (req) {
 		}
 	}
 }
+
+// Defaults to cookie
 module.exports = async function checkAuth (req, res, next) {
-	if (await checkToken(req)) {
+	if (await checkToken(req, true)) {
 		next();
 	} else {
 		res.status(errors.unauthorized.error.status);
@@ -39,6 +41,14 @@ module.exports = async function checkAuth (req, res, next) {
 };
 // Redirect version
 module.exports.redirect = async function checkAuth (req, res, next) {
+	if (await checkToken(req, true)) {
+		next();
+	} else {
+		res.redirect("/login");
+	}
+};
+
+module.exports.header = async function checkAuth (req, res, next) {
 	if (await checkToken(req)) {
 		next();
 	} else {