Adding XSRF prevention for Ajax calls

pieman72 · Jul 22, 2014 · 927f2c6 · 927f2c6
1 parent 645170a
commit 927f2c6
Show file tree

Hide file tree

Showing 5 changed files with 131 additions and 67 deletions.
diff --git a/adhoc.js b/adhoc.js
@@ -3384,6 +3384,7 @@ Event.observe(window, 'load', function(){
 				binary: adhoc.serialize(adhoc.rootNode)
 				,projectid: adhoc.setting('projectId')
 				,projectname: adhoc.setting('projectName')
+				,xsrftoken: $('xsrfToken').innerHTML
 			}
 			,onFailure: function(t){
 				adhoc.error(t.responseText);
@@ -3400,6 +3401,7 @@ Event.observe(window, 'load', function(){
 		new Ajax.Request('load/', {
 			parameters: {
 				projectid: projectId
+				,xsrftoken: $('xsrfToken').innerHTML
 			}
 			,onSuccess: function(t){
 				adhoc.selectedNode = null;
@@ -3431,6 +3433,7 @@ Event.observe(window, 'load', function(){
 				,language: $F('languageChoice_input')
 				,executable: 1
 				,dbg: (adhoc.setting('dbg') ? 1 : 0)
+				,xsrftoken: $('xsrfToken').innerHTML
 			}
 			,onFailure: function(){
 				adhoc.error("Unable to send request to server. Make sure you're online.");

diff --git a/generate/index.php b/generate/index.php
@@ -1,57 +1,96 @@
-<?
-// File extensions for different languages
-$extensions = array(
-	'asp.net'		=> 'aspnet'
-	,'c'			=> 'c'
-	,'c++'			=> 'cpp'
-	,'c#'			=> 'cs'
-	,'clike'		=> 'c'
-	,'coffeescript'	=> 'coffee'
-	,'golang'		=> 'go'
-	,'html'			=> 'html'
-	,'http'			=> 'http'
-	,'java'			=> 'java'
-	,'javascript'	=> 'js'
-	,'markup'		=> 'ml'
-	,'php'			=> 'php'
-	,'python'		=> 'py'
-	,'ruby'			=> 'rb'
-	,'sass'			=> 'sass'
-	,'scala'		=> 'scala'
-	,'shell'		=> 'sh'
-	,'sql'			=> 'sql'
-);
-
-// Get parameters from request
-$binary = str_replace(
-	array(
-		'\0'
-		,"\r\n"
-	)
-	,array(
-		"\0"
-		,"\n"
-	)
-	,$_POST['binary']
-);
-$language = $_POST['language'];
-$executable = (boolean) $_POST['executable'];
-$dbg = (boolean) $_POST['dbg'];
-$hash = md5($binary);
-$ext = isset($extensions[$language]) ? $extensions[$language] : $language;
-
-// Put the binary to a file
-file_put_contents("$hash.adh", $binary);
-
-// Execute ADHOC!
-$command = "timeout --preserve-status 2 adhoc -l $language -o ../download/$hash.$ext ".($executable ? '-e ' : '').($dbg ? '-d ' : '')."$hash.adh 2>&1";
-exec($command, $error_output, $return_var);
-
-// Determine if it was successful
-echo json_encode((object) array(
-	'error' => $error_output
-	,'nodeId' => $return_var
-	,'hash'	=> $hash
-	,'ext' => $ext
-	,'code' => htmlspecialchars(file_get_contents("../download/$hash.$ext"))
-));
+<? // Load application config
+$conf = parse_ini_file('../config.ini');
+$host = $_SERVER['HTTP_HOST'];
+$server = $_SERVER['SERVER_ADDR'];
+$remote = $_SERVER['REMOTE_ADDR'];
+$remote = (substr($server,0,strrpos($server,'.')) == substr($remote,0,strrpos($remote,'.')))
+	? gethostbyname($host)
+	: $remote;
+
+// Load user settings
+$settings = (isset($_COOKIE)&&isset($_COOKIE['adhocSettings']) ? json_decode(urldecode($_COOKIE['adhocSettings'])) : (object)array());
+
+// Start collecting errors
+$errors = array();
+
+// Start the session
+if(session_status()==PHP_SESSION_NONE){
+    session_set_cookie_params(
+        0
+        ,dirname(dirname($_SERVER['PHP_SELF'])).'/'
+        ,$host
+    );
+    session_start();
+}
+if(!isset($_POST['xsrftoken'])
+		|| !isset($_SESSION['xsrftoken'])
+		|| $_POST['xsrftoken']!=$_SESSION['xsrftoken']
+	){
+	$errors[] = "XSRF Token mismatch. If this persists, try logging out and back in.";
+}
+
+// Continue with generation only if no errors
+if(!count($errors)){
+	// File extensions for different languages
+	$extensions = array(
+		'asp.net'		=> 'aspnet'
+		,'c'			=> 'c'
+		,'c++'			=> 'cpp'
+		,'c#'			=> 'cs'
+		,'clike'		=> 'c'
+		,'coffeescript'	=> 'coffee'
+		,'golang'		=> 'go'
+		,'html'			=> 'html'
+		,'http'			=> 'http'
+		,'java'			=> 'java'
+		,'javascript'	=> 'js'
+		,'markup'		=> 'ml'
+		,'php'			=> 'php'
+		,'python'		=> 'py'
+		,'ruby'			=> 'rb'
+		,'sass'			=> 'sass'
+		,'scala'		=> 'scala'
+		,'shell'		=> 'sh'
+		,'sql'			=> 'sql'
+	);
+
+	// Get parameters from request
+	$binary = str_replace(
+		array(
+			'\0'
+			,"\r\n"
+		)
+		,array(
+			"\0"
+			,"\n"
+		)
+		,$_POST['binary']
+	);
+	$language = $_POST['language'];
+	$executable = (boolean) $_POST['executable'];
+	$dbg = (boolean) $_POST['dbg'];
+	$hash = md5($binary);
+	$ext = isset($extensions[$language]) ? $extensions[$language] : $language;
+
+	// Put the binary to a file
+	file_put_contents("$hash.adh", $binary);
+
+	// Execute ADHOC!
+	$command = "timeout --preserve-status 2 adhoc -l $language -o ../download/$hash.$ext ".($executable ? '-e ' : '').($dbg ? '-d ' : '')."$hash.adh 2>&1";
+	exec($command, $error_output, $return_var);
+
+	// Determine if it was successful
+	echo json_encode((object) array(
+		'error' => $error_output
+		,'nodeId' => $return_var
+		,'hash'	=> $hash
+		,'ext' => $ext
+		,'code' => htmlspecialchars(file_get_contents("../download/$hash.$ext"))
+	));
+}
+
+// Handle any errors
+if(count($errors)){
+	header('HTTP/1.0 400 Bad Request');
+	echo implode('<br/>\n', $errors);
+}
diff --git a/index.php b/index.php
@@ -101,6 +101,10 @@
 		,''
 	);
 	$settings = (object) array();
+
+// If the username was loaded, set a token for XSRF
+}else if(!isset($_SESSION['xsrftoken'])){
+	$_SESSION['xsrftoken'] = sha1(rand().$_SESSION['username']);
 }
 
 // If the user was found, try to load their projects
@@ -394,6 +398,8 @@ class="floatLeft"
 		</div>
 	</div>
 
+	<div id="xsrfToken"><?=(isset($_SESSION['xsrftoken']) ? $_SESSION['xsrftoken'] : '')?></div>
+
 	<script src="//static.harveyserv.ath.cx/adhoc/js/prototype.js"></script>
 	<script src="//static.harveyserv.ath.cx/adhoc/js/scriptaculous.js"></script>
 	<script src="//static.harveyserv.ath.cx/adhoc/js/ui.js"></script>

diff --git a/load/index.php b/load/index.php
@@ -1,4 +1,4 @@
-<?  // Load application config
+<? // Load application config
 $conf = parse_ini_file('../config.ini');
 $host = $_SERVER['HTTP_HOST'];
 $server = $_SERVER['SERVER_ADDR'];
@@ -22,12 +22,20 @@
     );
     session_start();
 }
+if(!isset($_POST['xsrftoken'])
+		|| !isset($_SESSION['xsrftoken'])
+		|| $_POST['xsrftoken']!=$_SESSION['xsrftoken']
+	){
+	$errors[] = "XSRF Token mismatch. If this persists, try logging out and back in.";
+}
 
 // Initialize a DB connection
-$dbConn = mysqli_connect($conf['mysql_host'], $conf['mysql_user'], $conf['mysql_pass'], $conf['mysql_db']);
-if($dbConn->error){
-	$errors[] = $dbConn->error;
-	$dbConn = null;
+if(!count($errors)){
+	$dbConn = mysqli_connect($conf['mysql_host'], $conf['mysql_user'], $conf['mysql_pass'], $conf['mysql_db']);
+	if($dbConn->error){
+		$errors[] = $dbConn->error;
+		$dbConn = null;
+	}
 }
 
 // If no project id provided, throw an error

diff --git a/save/index.php b/save/index.php
@@ -1,4 +1,4 @@
-<?  // Load application config
+<? // Load application config
 $conf = parse_ini_file('../config.ini');
 $host = $_SERVER['HTTP_HOST'];
 $server = $_SERVER['SERVER_ADDR'];
@@ -22,12 +22,20 @@
     );
     session_start();
 }
+if(!isset($_POST['xsrftoken'])
+		|| !isset($_SESSION['xsrftoken'])
+		|| $_POST['xsrftoken']!=$_SESSION['xsrftoken']
+	){
+	$errors[] = "XSRF Token mismatch. If this persists, try logging out and back in.";
+}
 
 // Initialize a DB connection
-$dbConn = mysqli_connect($conf['mysql_host'], $conf['mysql_user'], $conf['mysql_pass'], $conf['mysql_db']);
-if($dbConn->error){
-	$errors[] = $dbConn->error;
-	$dbConn = null;
+if(!count($errors)){
+	$dbConn = mysqli_connect($conf['mysql_host'], $conf['mysql_user'], $conf['mysql_pass'], $conf['mysql_db']);
+	if($dbConn->error){
+		$errors[] = $dbConn->error;
+		$dbConn = null;
+	}
 }
 
 // Get parameters from request