kallithea Changeset - a545d2274120

Changeset - a545d2274120

Parent rev.

Child rev.

[Not reviewed]

default

0 7 0

Mads Kiilerich - 6 years ago 2019-07-22 03:29:45
mads@kiilerich.com

helpers: rename internal names of authentication_token to clarify that secure_form is about session CSRF secrets - not authentication

7 files changed with 16 insertions and 15 deletions:

kallithea/controllers/login.py

kallithea/lib/base.py

kallithea/lib/helpers.py

kallithea/model/user.py

kallithea/public/js/base.js

kallithea/templates/admin/gists/edit.html

kallithea/templates/base/root.html

0 comments (0 inline, 0 general)

kallithea/controllers/login.py

➞

Show inline comments

@@ @@ -246,13 +246,13 @@ class LoginController(BaseController): @@
     def logout(self):
         session.delete()
         log.info('Logging out and deleting session for user')
         raise HTTPFound(location=url('home'))
     def authentication_token(self):
         """Return the CSRF protection token for the session - just like it
         could have been screen scraped from a page with a form.
         Only intended for testing but might also be useful for other kinds
         of automation.
         """
-        return h.authentication_token()
+        return h.session_csrf_secret_token()

kallithea/lib/base.py

➞

Show inline comments

@@ @@ -357,26 +357,26 @@ class BaseController(TGController): @@
     def _before(self, *args, **kwargs):
         """
         _before is called before controller methods and after __call__
         """
         if request.needs_csrf_check:
             # CSRF protection: Whenever a request has ambient authority (whether
             # through a session cookie or its origin IP address), it must include
             # the correct token, unless the HTTP method is GET or HEAD (and thus
             # guaranteed to be side effect free. In practice, the only situation
             # where we allow side effects without ambient authority is when the
             # authority comes from an API key; and that is handled above.
             from kallithea.lib import helpers as h
             token = request.POST.get(h.token_key)
             if not token or token != h.authentication_token():
             token = request.POST.get(h.session_csrf_secret_name)
             if not token or token != h.session_csrf_secret_token():
                 log.error('CSRF check failed')
                 raise webob.exc.HTTPForbidden()
         c.kallithea_version = __version__
         rc_config = Setting.get_app_settings()
         # Visual options
         c.visual = AttributeDict({})
         ## DB stored
         c.visual.show_public_icon = str2bool(rc_config.get('show_public_icon'))
         c.visual.show_private_icon = str2bool(rc_config.get('show_private_icon'))
@@ @@ -470,27 +470,27 @@ class BaseController(TGController): @@
         # Only allow the following HTTP request methods.
         if request.method not in ['GET', 'HEAD', 'POST']:
             raise webob.exc.HTTPMethodNotAllowed()
         # Also verify the _method override - no longer allowed.
         if request.params.get('_method') is None:
             pass # no override, no problem
         else:
             raise webob.exc.HTTPMethodNotAllowed()
         # Make sure CSRF token never appears in the URL. If so, invalidate it.
         from kallithea.lib import helpers as h
-        if h.token_key in request.GET:
+        if h.session_csrf_secret_name in request.GET:
             log.error('CSRF key leak detected')
-            session.pop(h.token_key, None)
+            session.pop(h.session_csrf_secret_name, None)
             session.save()
             h.flash(_('CSRF token leak has been detected - all form tokens have been expired'),
                     category='error')
         # WebOb already ignores request payload parameters for anything other
         # than POST/PUT, but double-check since other Kallithea code relies on
         # this assumption.
         if request.method not in ['POST', 'PUT'] and request.POST:
             log.error('%r request with payload parameters; WebOb should have stopped this', request.method)
             raise webob.exc.HTTPBadRequest()
     def __call__(self, environ, context):

kallithea/lib/helpers.py

➞

Show inline comments

@@ @@ -26,25 +26,25 @@ import urlparse @@
 import textwrap
 from beaker.cache import cache_region
 from pygments.formatters.html import HtmlFormatter
 from pygments import highlight as code_highlight
 from tg.i18n import ugettext as _
 from webhelpers.html import literal, HTML, escape
 from webhelpers.html.tags import checkbox, end_form, hidden, link_to, \
     select, submit, text, password, textarea, radio, form as insecure_form
 from webhelpers.number import format_byte_size
 from webhelpers.pylonslib import Flash as _Flash
 from webhelpers.pylonslib.secure_form import secure_form, authentication_token, token_key
+from webhelpers.pylonslib.secure_form import secure_form, authentication_token as session_csrf_secret_token, token_key as session_csrf_secret_name
 from webhelpers.text import chop_at, truncate, wrap_paragraphs
 from webhelpers.html.tags import _set_input_attrs, _set_id_attr, \
     convert_boolean_attrs, NotGiven, _make_safe_id_component
 from kallithea.config.routing import url
 from kallithea.lib.annotate import annotate_highlight
 from kallithea.lib.pygmentsutils import get_custom_lexer
 from kallithea.lib.utils2 import str2bool, safe_unicode, safe_str, \
     time_to_datetime, AttributeDict, safe_int, MENTIONS_REGEX
 from kallithea.lib.markup_renderer import url_re
 from kallithea.lib.vcs.exceptions import ChangesetDoesNotExistError
 from kallithea.lib.vcs.backends.base import BaseChangeset, EmptyChangeset
@@ @@ -1266,18 +1266,19 @@ def not_mapped_error(repo_name): @@
             ' please run the application again'
             ' in order to rescan repositories') % repo_name, category='error')
 def ip_range(ip_addr):
     from kallithea.model.db import UserIpMap
     s, e = UserIpMap._get_ip_range(ip_addr)
     return '%s - %s' % (s, e)
 def form(url, method="post", **attrs):
     """Like webhelpers.html.tags.form but automatically using secure_form with
     authentication_token for POST. authentication_token is thus never leaked
     in the URL."""
     session_csrf_secret_token for POST. The secret is thus never leaked in
     URLs.
     """
     if method.lower() == 'get':
         return insecure_form(url, method=method, **attrs)
     # webhelpers will turn everything but GET into POST
     return secure_form(url, method=method, **attrs)

kallithea/model/user.py

➞

Show inline comments

@@ @@ -329,25 +329,25 @@ class UserModel(object): @@
         from kallithea.lib.celerylib import tasks
         from kallithea.model.notification import EmailNotificationModel
         import kallithea.lib.helpers as h
         user_email = data['email']
         user = User.get_by_email(user_email)
         timestamp = int(time.time())
         if user is not None:
             if self.can_change_password(user):
                 log.debug('password reset user %s found', user)
                 token = self.get_reset_password_token(user,
                                                       timestamp,
-                                                      h.authentication_token())
+                                                      h.session_csrf_secret_token())
                 # URL must be fully qualified; but since the token is locked to
                 # the current browser session, we must provide a URL with the
                 # current scheme and hostname, rather than the canonical_url.
                 link = h.url('reset_password_confirmation', qualified=True,
                              email=user_email,
                              timestamp=timestamp,
                              token=token)
             else:
                 log.debug('password reset user %s found but was managed', user)
                 token = link = None
             reg_type = EmailNotificationModel.TYPE_PASSWORD_RESET
             body = EmailNotificationModel().get_email_tmpl(
@@ @@ -382,25 +382,25 @@ class UserModel(object): @@
         token_age = int(time.time()) - int(timestamp)
         if token_age < 0:
             log.debug('timestamp is from the future')
             return False
         if token_age > UserModel.password_reset_token_lifetime:
             log.debug('password reset token expired')
             return False
         expected_token = self.get_reset_password_token(user,
                                                        timestamp,
-                                                       h.authentication_token())
+                                                       h.session_csrf_secret_token())
         log.debug('computed password reset token: %s', expected_token)
         log.debug('received password reset token: %s', token)
         return expected_token == token
     def reset_password(self, user_email, new_passwd):
         from kallithea.lib.celerylib import tasks
         from kallithea.lib import auth
         user = User.get_by_email(user_email)
         if user is not None:
             if not self.can_change_password(user):
                 raise Exception('trying to change password for external user')
             user.password = auth.get_crypt_password(new_passwd)

kallithea/public/js/base.js

➞

Show inline comments

@@ @@ -399,25 +399,25 @@ var ajaxGET = function(url, success, fai @@
     if(failure === undefined) {
         failure = function(jqXHR, textStatus, errorThrown) {
                 if (textStatus != "abort")
                     alert("Ajax GET error: " + textStatus);
             };
+    }
     return $.ajax({url: url, headers: {'X-PARTIAL-XHR': '1'}, cache: false})
         .done(success)
         .fail(failure);
 };
 var ajaxPOST = function(url, postData, success, failure) {
-    postData['_authentication_token'] = _authentication_token;
+    postData['_authentication_token'] = _session_csrf_secret_token;
     var postData = _toQueryString(postData);
     if(failure === undefined) {
         failure = function(jqXHR, textStatus, errorThrown) {
                 if (textStatus != "abort")
                     alert("Error posting to server: " + textStatus);
             };
+    }
     return $.ajax({url: url, data: postData, type: 'POST', headers: {'X-PARTIAL-XHR': '1'}, cache: false})
         .done(success)
         .fail(failure);
 };
@@ @@ -449,33 +449,33 @@ var _onSuccessFollow = function(target){ @@
     } else {
         $target.removeClass('following').addClass('follow');
         $target.prop('title', _TM['Start following this repository']);
         if ($f_cnt.html()) {
             var cnt = Number($f_cnt.html())-1;
             $f_cnt.html(cnt);
+        }
+    }
+}
 var toggleFollowingRepo = function(target, follows_repository_id){
     var args = 'follows_repository_id=' + follows_repository_id;
-    args += '&amp;_authentication_token=' + _authentication_token;
+    args += '&amp;_authentication_token=' + _session_csrf_secret_token;
     $.post(TOGGLE_FOLLOW_URL, args, function(data){
             _onSuccessFollow(target);
         });
     return false;
 };
 var showRepoSize = function(target, repo_name){
-    var args = '_authentication_token=' + _authentication_token;
+    var args = '_authentication_token=' + _session_csrf_secret_token;
     if(!$("#" + target).hasClass('loaded')){
         $("#" + target).html(_TM['Loading ...']);
         var url = pyroutes.url('repo_size', {"repo_name":repo_name});
         $.post(url, args, function(data) {
             $("#" + target).html(data);
             $("#" + target).addClass('loaded');
         });
+    }
     return false;
 };

kallithea/templates/admin/gists/edit.html

➞

Show inline comments

@@ @@ -144,25 +144,25 @@ @@
             <div>
             ${h.submit('update',_('Update Gist'),class_="btn btn-success")}
             <a class="btn btn-default" href="${h.url('gist', gist_id=c.gist.gist_access_id)}">${_('Cancel')}</a>
             </div>
           ${h.end_form()}
           <script>
               $('#update').on('click', function(e){
                   e.preventDefault();
                   // check for newer version.
                   $.ajax({
                     url: ${h.js(h.url('edit_gist_check_revision', gist_id=c.gist.gist_access_id))},
-                    data: {'revision': ${h.js(c.file_changeset.raw_id)}, '_authentication_token': _authentication_token},
+                    data: {'revision': ${h.js(c.file_changeset.raw_id)}, '_authentication_token': _session_csrf_secret_token},
                     dataType: 'json',
                     type: 'POST',
                     success: function(data) {
                       if(data.success == false){
                           $('#edit_error').show();
+                      }
                       else{
                         $('#eform').submit();
+                      }
+                    }
                   });
               });

kallithea/templates/base/root.html

➞

Show inline comments

@@ @@ -56,25 +56,25 @@ @@
                 'MSG_ERROR': ${h.jshtml(_('Data error.'))},
                 'MSG_LOADING': ${h.jshtml(_('Loading...'))}
             };
             var _TM = TRANSLATION_MAP;
             var TOGGLE_FOLLOW_URL  = ${h.js(h.url('toggle_following'))};
             var REPO_NAME = "";
             %if hasattr(c, 'repo_name'):
                 var REPO_NAME = ${h.js(c.repo_name)};
             %endif
-            var _authentication_token = ${h.js(h.authentication_token())};
+            var _session_csrf_secret_token = ${h.js(h.session_csrf_secret_token())};
         </script>
         <script type="text/javascript" src="${h.url('/js/jquery.min.js', ver=c.kallithea_version)}"></script>
         <script type="text/javascript" src="${h.url('/js/jquery.dataTables.js', ver=c.kallithea_version)}"></script>
         <script type="text/javascript" src="${h.url('/js/dataTables.bootstrap.js', ver=c.kallithea_version)}"></script>
         <script type="text/javascript" src="${h.url('/js/bootstrap.js', ver=c.kallithea_version)}"></script>
         <script type="text/javascript" src="${h.url('/js/select2.js', ver=c.kallithea_version)}"></script>
         <script type="text/javascript" src="${h.url('/js/jquery.caret.min.js', ver=c.kallithea_version)}"></script>
         <script type="text/javascript" src="${h.url('/js/jquery.atwho.min.js', ver=c.kallithea_version)}"></script>
         <script type="text/javascript" src="${h.url('/js/base.js', ver=c.kallithea_version)}"></script>
         ## EXTRA FOR JS
         <%block name="js_extra"/>
         <script type="text/javascript">

0 comments (0 inline, 0 general)