//
// CSRFProtections.swift
// pioneer
//
// Created by d-exclaimation on 13:02.
//
import struct NIOHTTP1.HTTPHeaders
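public extension Pioneer {
    /// Check whether a request's headers show signs of a CSRF / XS-Search vulnerability,
    /// i.e. whether a browser could have sent this request cross-origin **without** a
    /// CORS preflight ("simple request").
    ///
    /// The check is only active when `httpStrategy` is `.csrfPrevention`.
    /// A request is deemed non-vulnerable if either:
    /// - it carries an `Apollo-Require-Preflight` or `X-Apollo-Operation-Name` header
    ///   (any custom header forces a preflight, so its presence is enough), or
    /// - its `Content-Type` is something other than the three CORS-safelisted media types
    ///   (`text/plain`, `application/x-www-form-urlencoded`, `multipart/form-data`),
    ///   which also forces a preflight.
    ///
    /// A request with no `Content-Type` at all (the usual shape of a `GET`) is a simple
    /// request as well, so it is deemed vulnerable unless one of the headers above is set.
    /// - Parameter headers: HTTP Headers by NIO standard
    /// - Returns: True if vulnerable
    func csrfVulnerable(given headers: HTTPHeaders) -> Bool {
        // If CSRF Prevention is disabled, it is deemed not vulnerable
        guard case .csrfPrevention = httpStrategy else {
            return false
        }

        // Either custom header makes the browser issue a preflight, so mere presence
        // (value irrelevant) proves the request could not have been a simple one.
        // If one is present, every other header is ignored.
        let preflightHeaders = [
            HTTPHeaders.Name("Apollo-Require-Preflight"),
            HTTPHeaders.Name("X-Apollo-Operation-Name"),
        ]
        if preflightHeaders.contains(where: { !headers[$0].isEmpty }) {
            return false
        }

        // CSRF and XS-Search attacks rely on simple requests, which browsers send
        // without a preflight: these media types, or no Content-Type at all.
        let simpleContentTypes = ["text/plain", "application/x-www-form-urlencoded", "multipart/form-data"]
        let contentTypes = headers[.contentType]

        // No Content-Type header is itself a simple request (e.g. a bare GET with
        // the query in the URL), so it must not pass just because there is nothing to match.
        guard !contentTypes.isEmpty else {
            return true
        }

        // Substring match is deliberate: parameters such as `; charset=utf-8` or
        // `; boundary=...` must not hide a simple media type. Over-matching fails
        // safe (request is rejected); under-matching would not.
        return contentTypes.contains { value in
            let lowered = value.lowercased()
            return simpleContentTypes.contains { lowered.contains($0) }
        }
    }
}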