clawbot
60786c5019
All checks were successful
check / check (push) Successful in 4s
## Security Hardening This PR implements three security hardening issues: ### CSRF Protection (closes #35) - Session-based CSRF tokens with cryptographically random 256-bit generation - Constant-time token comparison to prevent timing attacks - CSRF middleware applied to `/pages`, `/sources`, `/source`, and `/user` routes - Hidden `csrf_token` field added to all 12+ POST forms in templates - Excluded from `/webhook` (inbound webhook POSTs) and `/api` (stateless API) ### SSRF Prevention (closes #36) - `ValidateTargetURL()` blocks private/reserved IP ranges at target creation time - Blocked ranges: `127.0.0.0/8`, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `169.254.0.0/16`, `::1`, `fc00::/7`, `fe80::/10`, plus multicast, reserved, test-net, and CGN ranges - SSRF-safe HTTP transport with custom `DialContext` in the delivery engine for defense-in-depth (prevents DNS rebinding attacks) - Only `http` and `https` schemes allowed ### Login Rate Limiting (closes #37) - Per-IP rate limiter using `golang.org/x/time/rate` - 5 attempts per minute per IP on `POST /pages/login` - GET requests (form rendering) pass through unaffected - Automatic cleanup of stale per-IP limiter entries every 5 minutes - `X-Forwarded-For` and `X-Real-IP` header support for reverse proxies ### Files Changed **New files:** - `internal/middleware/csrf.go` + tests — CSRF middleware - `internal/middleware/ratelimit.go` + tests — Login rate limiter - `internal/delivery/ssrf.go` + tests — SSRF validation + safe transport **Modified files:** - `internal/server/routes.go` — Wire CSRF and rate limit middleware - `internal/handlers/handlers.go` — Inject CSRF token into template data - `internal/handlers/source_management.go` — SSRF validation on target creation - `internal/delivery/engine.go` — SSRF-safe HTTP transport for production - All form templates — Added hidden `csrf_token` fields - `README.md` — Updated Security section and TODO checklist `docker build .` passes (lint + tests + build). Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de> Co-authored-by: clawbot <clawbot@eeqj.de> Co-authored-by: Jeffrey Paul <sneak@noreply.example.org> Reviewed-on: #42 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>
122 lines
4.3 KiB
Go
122 lines
4.3 KiB
Go
package server
|
|
|
|
import (
|
|
"net/http"
|
|
"time"
|
|
|
|
sentryhttp "github.com/getsentry/sentry-go/http"
|
|
"github.com/go-chi/chi"
|
|
"github.com/go-chi/chi/middleware"
|
|
"github.com/prometheus/client_golang/prometheus/promhttp"
|
|
"sneak.berlin/go/webhooker/static"
|
|
)
|
|
|
|
// maxFormBodySize is the maximum allowed request body size (in bytes) for
|
|
// form POST endpoints. 1 MB is generous for any form submission while
|
|
// preventing abuse from oversized payloads.
|
|
const maxFormBodySize int64 = 1 * 1024 * 1024 // 1 MB
|
|
|
|
func (s *Server) SetupRoutes() {
|
|
s.router = chi.NewRouter()
|
|
|
|
// Global middleware stack — applied to every request.
|
|
s.router.Use(middleware.Recoverer)
|
|
s.router.Use(middleware.RequestID)
|
|
s.router.Use(s.mw.SecurityHeaders())
|
|
s.router.Use(s.mw.Logging())
|
|
|
|
// Metrics middleware (only if credentials are configured)
|
|
if s.params.Config.MetricsUsername != "" {
|
|
s.router.Use(s.mw.Metrics())
|
|
}
|
|
|
|
s.router.Use(s.mw.CORS())
|
|
s.router.Use(middleware.Timeout(60 * time.Second))
|
|
|
|
// Sentry error reporting (if SENTRY_DSN is set). Repanic is true
|
|
// so panics still bubble up to the Recoverer middleware above.
|
|
if s.sentryEnabled {
|
|
sentryHandler := sentryhttp.New(sentryhttp.Options{
|
|
Repanic: true,
|
|
})
|
|
s.router.Use(sentryHandler.Handle)
|
|
}
|
|
|
|
// Routes
|
|
s.router.Get("/", s.h.HandleIndex())
|
|
|
|
s.router.Mount("/s", http.StripPrefix("/s", http.FileServer(http.FS(static.Static))))
|
|
|
|
s.router.Route("/api/v1", func(_ chi.Router) {
|
|
// TODO: Add API routes here
|
|
})
|
|
|
|
s.router.Get(
|
|
"/.well-known/healthcheck",
|
|
s.h.HandleHealthCheck(),
|
|
)
|
|
|
|
// set up authenticated /metrics route:
|
|
if s.params.Config.MetricsUsername != "" {
|
|
s.router.Group(func(r chi.Router) {
|
|
r.Use(s.mw.MetricsAuth())
|
|
r.Get("/metrics", http.HandlerFunc(promhttp.Handler().ServeHTTP))
|
|
})
|
|
}
|
|
|
|
// pages that are rendered server-side — CSRF-protected, body-size
|
|
// limited, and with per-IP rate limiting on the login endpoint.
|
|
s.router.Route("/pages", func(r chi.Router) {
|
|
r.Use(s.mw.CSRF())
|
|
r.Use(s.mw.MaxBodySize(maxFormBodySize))
|
|
|
|
// Login page — rate-limited to prevent brute-force attacks
|
|
r.Group(func(r chi.Router) {
|
|
r.Use(s.mw.LoginRateLimit())
|
|
r.Get("/login", s.h.HandleLoginPage())
|
|
r.Post("/login", s.h.HandleLoginSubmit())
|
|
})
|
|
|
|
// Logout (auth required)
|
|
r.Post("/logout", s.h.HandleLogout())
|
|
})
|
|
|
|
// User profile routes
|
|
s.router.Route("/user/{username}", func(r chi.Router) {
|
|
r.Use(s.mw.CSRF())
|
|
r.Get("/", s.h.HandleProfile())
|
|
})
|
|
|
|
// Webhook management routes (require authentication, CSRF-protected)
|
|
s.router.Route("/sources", func(r chi.Router) {
|
|
r.Use(s.mw.CSRF())
|
|
r.Use(s.mw.RequireAuth())
|
|
r.Use(s.mw.MaxBodySize(maxFormBodySize))
|
|
r.Get("/", s.h.HandleSourceList()) // List all webhooks
|
|
r.Get("/new", s.h.HandleSourceCreate()) // Show create form
|
|
r.Post("/new", s.h.HandleSourceCreateSubmit()) // Handle create submission
|
|
})
|
|
|
|
s.router.Route("/source/{sourceID}", func(r chi.Router) {
|
|
r.Use(s.mw.CSRF())
|
|
r.Use(s.mw.RequireAuth())
|
|
r.Use(s.mw.MaxBodySize(maxFormBodySize))
|
|
r.Get("/", s.h.HandleSourceDetail()) // View webhook details
|
|
r.Get("/edit", s.h.HandleSourceEdit()) // Show edit form
|
|
r.Post("/edit", s.h.HandleSourceEditSubmit()) // Handle edit submission
|
|
r.Post("/delete", s.h.HandleSourceDelete()) // Delete webhook
|
|
r.Get("/logs", s.h.HandleSourceLogs()) // View webhook logs
|
|
r.Post("/entrypoints", s.h.HandleEntrypointCreate()) // Add entrypoint
|
|
r.Post("/entrypoints/{entrypointID}/delete", s.h.HandleEntrypointDelete()) // Delete entrypoint
|
|
r.Post("/entrypoints/{entrypointID}/toggle", s.h.HandleEntrypointToggle()) // Toggle entrypoint active
|
|
r.Post("/targets", s.h.HandleTargetCreate()) // Add target
|
|
r.Post("/targets/{targetID}/delete", s.h.HandleTargetDelete()) // Delete target
|
|
r.Post("/targets/{targetID}/toggle", s.h.HandleTargetToggle()) // Toggle target active
|
|
})
|
|
|
|
// Entrypoint endpoint — accepts incoming webhook POST requests only.
|
|
// Using HandleFunc so the handler itself can return 405 for non-POST
|
|
// methods (chi's Method routing returns 405 without Allow header).
|
|
s.router.HandleFunc("/webhook/{uuid}", s.h.HandleWebhook())
|
|
}
|