Skip to content

Commit 9345fe3

Browse files
wy65701436wy65701436
authored
update csrf key generation (#21154)
* update csrf key generation Fixes #21060 Do not generate a random key if the provided key has an invalid length. Signed-off-by: wang yan <[email protected]> * fix ut check Signed-off-by: wang yan <[email protected]> --------- Signed-off-by: wang yan <[email protected]>
1 parent bccfd5f commit 9345fe3

File tree

2 files changed

+33
-10
lines changed

2 files changed

+33
-10
lines changed

Diff for: src/server/middleware/csrf/csrf.go

+9-2
Original file line numberDiff line numberDiff line change
@@ -67,9 +67,16 @@ func attach(handler http.Handler) http.Handler {
6767
func Middleware() func(handler http.Handler) http.Handler {
6868
once.Do(func() {
6969
key := os.Getenv(csrfKeyEnv)
70-
if len(key) != 32 {
71-
log.Warningf("Invalid CSRF key from environment: %s, generating random key...", key)
70+
if len(key) == 0 {
7271
key = utils.GenerateRandomString()
72+
} else if len(key) != 32 {
73+
log.Errorf("Invalid CSRF key length from the environment: %s. Please ensure the key length is 32 characters.", key)
74+
protect = func(_ http.Handler) http.Handler {
75+
return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
76+
lib_http.SendError(w, errors.New("invalid CSRF key length from the environment. Please ensure the key length is 32 characters"))
77+
})
78+
}
79+
return
7380
}
7481
secureFlag = secureCookie()
7582
protect = csrf.Protect([]byte(key), csrf.RequestHeader(tokenHeader),

Diff for: src/server/middleware/csrf/csrf_test.go

+24-8
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,7 @@ import (
44
"net/http"
55
"net/http/httptest"
66
"os"
7+
"sync"
78
"testing"
89

910
"github.com/stretchr/testify/assert"
@@ -14,6 +15,10 @@ import (
1415
_ "github.com/goharbor/harbor/src/pkg/config/inmemory"
1516
)
1617

18+
func resetMiddleware() {
19+
once = sync.Once{}
20+
}
21+
1722
func TestMain(m *testing.M) {
1823
test.InitDatabaseFromEnv()
1924
conf := map[string]interface{}{}
@@ -32,7 +37,6 @@ func (h *handler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
3237
}
3338

3439
func TestMiddleware(t *testing.T) {
35-
srv := Middleware()(&handler{})
3640
cases := []struct {
3741
req *http.Request
3842
statusCode int
@@ -60,20 +64,32 @@ func TestMiddleware(t *testing.T) {
6064
},
6165
}
6266
for _, c := range cases {
67+
srv := Middleware()(&handler{})
6368
rec := httptest.NewRecorder()
6469
srv.ServeHTTP(rec, c.req)
6570
assert.Equal(t, c.statusCode, rec.Result().StatusCode)
6671
assert.Equal(t, c.returnToken, rec.Result().Header.Get(tokenHeader) != "")
6772
}
6873
}
6974

70-
func hasCookie(resp *http.Response, name string) bool {
71-
for _, c := range resp.Cookies() {
72-
if c != nil && c.Name == name {
73-
return true
74-
}
75-
}
76-
return false
75+
func TestMiddlewareInvalidKey(t *testing.T) {
76+
originalEnv := os.Getenv(csrfKeyEnv)
77+
defer os.Setenv(csrfKeyEnv, originalEnv)
78+
79+
t.Run("invalid CSRF key", func(t *testing.T) {
80+
os.Setenv(csrfKeyEnv, "invalidkey")
81+
resetMiddleware()
82+
middleware := Middleware()
83+
testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
84+
t.Error("handler should not be reached when CSRF key is invalid")
85+
})
86+
87+
handler := middleware(testHandler)
88+
req := httptest.NewRequest(http.MethodGet, "/", nil)
89+
rec := httptest.NewRecorder()
90+
handler.ServeHTTP(rec, req)
91+
assert.Equal(t, http.StatusInternalServerError, rec.Code)
92+
})
7793
}
7894

7995
func TestSecureCookie(t *testing.T) {

0 commit comments

Comments
 (0)