Switch csrf token check to use compare_digest
to prevent timing attacks
Also adds additional tests for CSRF tokens
parent
dbdcb802b1
commit
1302fd2fbd
2 changed files with 36 additions and 12 deletions
@ -1,9 +1,10 @@
import logging
import os
import base64
import hmac
from flask import session, request
from functools import wraps
from flask import session, request
from app import app
from auth.auth_context import get_validated_oauth_token
@ -30,9 +31,10 @@ def verify_csrf(session_token_name=_QUAY_CSRF_TOKEN_NAME,
""" Verifies that the CSRF token with the given name is found in the session and
that the matching token is found in the request args or values.
"""
token = session.get(session_token_name, None)
found_token = request.values.get(request_token_name, None)
if not token or token != found_token:
token = str(session.get(session_token_name, ''))
found_token = str(request.values.get(request_token_name, ''))
if not token or not found_token or not hmac.compare_digest(token, found_token):
msg = 'CSRF Failure. Session token (%s) was %s and request token (%s) was %s'
logger.error(msg, session_token_name, token, request_token_name, found_token)
abort(403, message='CSRF token was invalid or missing.')
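Review bot: The unchanged `logger.error` call two lines above `abort` still writes both the session token and the request token into the error log, so anyone who can read the log learns the valid CSRF secret for that session; making the comparison constant-time is undercut if the secret is then logged in clear. Log only the token names and whether each was present, e.g. `msg = 'CSRF Failure. Session token (%s) present=%s, request token (%s) present=%s'` and `logger.error(msg, session_token_name, bool(token), request_token_name, bool(found_token))`. The `str()` coercion on the two new assignment lines is presumably there so both arguments to `hmac.compare_digest` are the same type (it raises TypeError on a mixed pair), which a one-line comment such as `# coerce both to str: compare_digest requires operands of the same type` would make explicit so a later cleanup does not remove it. `hmac.compare_digest` also needs a fairly recent interpreter (2.7.7+ / 3.3+); the project's minimum version is not visible on this page, so confirm it is pinned. verify_csrf's signature and the rest of its body lie outside the hunk.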