fix #22: check cookie flags

octopot · May 11, 2018 · 2eb7ea5 · 2eb7ea5
1 parent d91eea3
commit 2eb7ea5
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/server/server.go b/server/server.go
@@ -38,8 +38,8 @@ type Server struct {
 // GetTrackerInstructionV1 is responsible for `GET /api/v1/tracker/instruction` request handling.
 func (s *Server) GetTrackerInstructionV1(rw http.ResponseWriter, req *http.Request) {
 	cookie, err := req.Cookie(MarkerKey)
-	if err != nil {
-		cookie = &http.Cookie{Name: MarkerKey}
+	if err != nil || !cookie.HttpOnly || !cookie.Secure {
+		cookie = &http.Cookie{Name: MarkerKey, Secure: true, HttpOnly: true}
 	}
 
 	response := s.service.HandleTrackerInstructionV1(tracker.InstructionRequest{EncryptedMarker: cookie.Value})
@@ -49,7 +49,6 @@ func (s *Server) GetTrackerInstructionV1(rw http.ResponseWriter, req *http.Reque
 	}
 
 	cookie.MaxAge, cookie.Path, cookie.Value = 0, "/", response.EncryptedMarker
-	cookie.Secure, cookie.HttpOnly = true, true
 	http.SetCookie(rw, cookie)
 	rw.Header().Set("Content-Type", "application/javascript")
 	rw.WriteHeader(http.StatusOK)
@@ -82,6 +81,13 @@ func (s *Server) PostTrackerFingerprintV1(rw http.ResponseWriter, req *http.Requ
 		req.Body.Close()
 		return
 	}
+	if !cookie.HttpOnly || !cookie.Secure {
+		// issue #22: prevent cookie manipulation
+		log.Printf("\n\n[CRITICAL] cookie is not safe, skip this request (%+v)\n\n", *cookie)
+		io.Copy(ioutil.Discard, req.Body)
+		req.Body.Close()
+		return
+	}
 
 	defer req.Body.Close()
 	request := tracker.FingerprintRequest{EncryptedMarker: cookie.Value, Header: req.Header}