fix: Add basic CSRF protection

Closes #12
2021-11-16 19:29:22 +08:00 · 2021-11-16 19:29:22 +08:00 · 4852c95ab7
parent 050c15dd29
commit 4852c95ab7
4 changed files with 49 additions and 5 deletions
--- a/.github/workflows/code-quality.yml
+++ b/.github/workflows/code-quality.yml
@ -0,0 +1,26 @@
+name: Deploy
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  format:
+    name: Format
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Use Node.js 16.x
+        uses: actions/setup-node@v2
+        with:
+          node-version: 16.x
+          cache: "npm"
+
+      - run: npm ci
+
+      - run: npx prettier --check .
+# vim: set et ts=2 sw=2:
--- a/index.js
+++ b/index.js
@ -27,8 +27,8 @@ const handlebars = require("handlebars");

 const port = +process.env.PORT || 8080;

-let app = express();
-let http = app.listen(port);
+const app = express();
+const http = app.listen(port);

 app.set("views", path.join(__dirname, "views"));
 app.engine(
@ -175,6 +175,24 @@ function flashify(req, obj) {
  return obj;
 }

+app.use((req, res, next) => {
+  if (req.method === "GET") {
+    return next();
+  }
+  let sourceHost = null;
+  if (req.headers.origin) {
+    sourceHost = new URL(req.headers.origin).host;
+  } else if (req.headers.referer) {
+    sourceHost = new URL(req.headers.referer).host;
+  }
+  if (sourceHost !== req.headers.host) {
+    throw new Error(
+      "Origin or Referer header does not match or is missing. Request has been blocked to prevent CSRF"
+    );
+  }
+  next();
+});
+
 app.all("/*", (req, res, next) => {
  res.filename = req.params[0];

--- a/package-lock.json
+++ b/package-lock.json
@ -1,12 +1,12 @@
 {
  "name": "file-manager",
-  "version": "0.1.0",
+  "version": "0.2.0",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "file-manager",
-      "version": "0.1.0",
+      "version": "0.2.0",
      "dependencies": {
        "@primer/octicons": "^16.1.1",
        "archiver": "^5.3.0",
--- a/package.json
+++ b/package.json
@ -10,6 +10,7 @@
    "file-manager": "index.js"
  },
  "dependencies": {
+    "@primer/octicons": "^16.1.1",
    "archiver": "^5.3.0",
    "body-parser": "^1.19.0",
    "bootstrap": "^5.0.0",
@ -22,7 +23,6 @@
    "jquery": "^3.6.0",
    "node-pty": "^0.10.1",
    "notp": "^2.0.3",
-    "@primer/octicons": "^16.1.1",
    "rimraf": "^3.0.2",
    "thirty-two": "^1.0.2",
    "ws": "^8.2.3",