sneak/webhooker
1
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
60786c501980f95b7d2fd82574f690ada0e1b2ab
webhooker/internal/session/session.go
clawbot 60786c5019
All checks were successful
check / check (push) Successful in 4s
Details
feat: add CSRF protection, SSRF prevention, and login rate limiting (#42) 
## Security Hardening

This PR implements three security hardening issues:

### CSRF Protection (closes #35)

- Session-based CSRF tokens with cryptographically random 256-bit generation
- Constant-time token comparison to prevent timing attacks
- CSRF middleware applied to `/pages`, `/sources`, `/source`, and `/user` routes
- Hidden `csrf_token` field added to all 12+ POST forms in templates
- Excluded from `/webhook` (inbound webhook POSTs) and `/api` (stateless API)

### SSRF Prevention (closes #36)

- `ValidateTargetURL()` blocks private/reserved IP ranges at target creation time
- Blocked ranges: `127.0.0.0/8`, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `169.254.0.0/16`, `::1`, `fc00::/7`, `fe80::/10`, plus multicast, reserved, test-net, and CGN ranges
- SSRF-safe HTTP transport with custom `DialContext` in the delivery engine for defense-in-depth (prevents DNS rebinding attacks)
- Only `http` and `https` schemes allowed

### Login Rate Limiting (closes #37)

- Per-IP rate limiter using `golang.org/x/time/rate`
- 5 attempts per minute per IP on `POST /pages/login`
- GET requests (form rendering) pass through unaffected
- Automatic cleanup of stale per-IP limiter entries every 5 minutes
- `X-Forwarded-For` and `X-Real-IP` header support for reverse proxies

### Files Changed

**New files:**
- `internal/middleware/csrf.go` + tests — CSRF middleware
- `internal/middleware/ratelimit.go` + tests — Login rate limiter
- `internal/delivery/ssrf.go` + tests — SSRF validation + safe transport

**Modified files:**
- `internal/server/routes.go` — Wire CSRF and rate limit middleware
- `internal/handlers/handlers.go` — Inject CSRF token into template data
- `internal/handlers/source_management.go` — SSRF validation on target creation
- `internal/delivery/engine.go` — SSRF-safe HTTP transport for production
- All form templates — Added hidden `csrf_token` fields
- `README.md` — Updated Security section and TODO checklist

`docker build .` passes (lint + tests + build).

Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de>
Co-authored-by: clawbot <clawbot@eeqj.de>
Co-authored-by: Jeffrey Paul <sneak@noreply.example.org>
Reviewed-on: #42
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>
2026-03-17 12:38:45 +01:00

193 lines
5.5 KiB
Go
Raw Blame History

package session
import (
"context"
"encoding/base64"
"fmt"
"log/slog"
"net/http"
"github.com/gorilla/sessions"
"go.uber.org/fx"
"sneak.berlin/go/webhooker/internal/config"
"sneak.berlin/go/webhooker/internal/database"
"sneak.berlin/go/webhooker/internal/logger"
)
const (
// SessionName is the name of the session cookie
SessionName = "webhooker_session"
// UserIDKey is the session key for user ID
UserIDKey = "user_id"
// UsernameKey is the session key for username
UsernameKey = "username"
// AuthenticatedKey is the session key for authentication status
AuthenticatedKey = "authenticated"
)
// nolint:revive // SessionParams is a standard fx naming convention
type SessionParams struct {
fx.In
Config *config.Config
Database *database.Database
Logger *logger.Logger
}
// Session manages encrypted session storage
type Session struct {
store *sessions.CookieStore
key []byte // raw 32-byte auth key, also used for CSRF cookie signing
log *slog.Logger
config *config.Config
}
// New creates a new session manager. The cookie store is initialized
// during the fx OnStart phase after the database is connected, using
// a session key that is auto-generated and stored in the database.
func New(lc fx.Lifecycle, params SessionParams) (*Session, error) {
s := &Session{
log: params.Logger.Get(),
config: params.Config,
}
lc.Append(fx.Hook{
OnStart: func(_ context.Context) error { // nolint:revive // ctx unused but required by fx
sessionKey, err := params.Database.GetOrCreateSessionKey()
if err != nil {
return fmt.Errorf("failed to get session key: %w", err)
}
keyBytes, err := base64.StdEncoding.DecodeString(sessionKey)
if err != nil {
return fmt.Errorf("invalid session key format: %w", err)
}
if len(keyBytes) != 32 {
return fmt.Errorf("session key must be 32 bytes (got %d)", len(keyBytes))
}
store := sessions.NewCookieStore(keyBytes)
// Configure cookie options for security
store.Options = &sessions.Options{
Path: "/",
MaxAge: 86400 * 7, // 7 days
HttpOnly: true,
Secure: !params.Config.IsDev(), // HTTPS in production
SameSite: http.SameSiteLaxMode,
}
s.key = keyBytes
s.store = store
s.log.Info("session manager initialized")
return nil
},
})
return s, nil
}
// Get retrieves a session for the request
func (s *Session) Get(r *http.Request) (*sessions.Session, error) {
return s.store.Get(r, SessionName)
}
// GetKey returns the raw 32-byte authentication key used for session
// encryption. This key is also suitable for CSRF cookie signing.
func (s *Session) GetKey() []byte {
return s.key
}
// Save saves the session
func (s *Session) Save(r *http.Request, w http.ResponseWriter, sess *sessions.Session) error {
return sess.Save(r, w)
}
// SetUser sets the user information in the session
func (s *Session) SetUser(sess *sessions.Session, userID, username string) {
sess.Values[UserIDKey] = userID
sess.Values[UsernameKey] = username
sess.Values[AuthenticatedKey] = true
}
// ClearUser removes user information from the session
func (s *Session) ClearUser(sess *sessions.Session) {
delete(sess.Values, UserIDKey)
delete(sess.Values, UsernameKey)
delete(sess.Values, AuthenticatedKey)
}
// IsAuthenticated checks if the session has an authenticated user
func (s *Session) IsAuthenticated(sess *sessions.Session) bool {
auth, ok := sess.Values[AuthenticatedKey].(bool)
return ok && auth
}
// GetUserID retrieves the user ID from the session
func (s *Session) GetUserID(sess *sessions.Session) (string, bool) {
userID, ok := sess.Values[UserIDKey].(string)
return userID, ok
}
// GetUsername retrieves the username from the session
func (s *Session) GetUsername(sess *sessions.Session) (string, bool) {
username, ok := sess.Values[UsernameKey].(string)
return username, ok
}
// Destroy invalidates the session
func (s *Session) Destroy(sess *sessions.Session) {
sess.Options.MaxAge = -1
s.ClearUser(sess)
}
// Regenerate creates a new session with the same values but a fresh ID.
// The old session is destroyed (MaxAge = -1) and saved, then a new session
// is created. This prevents session fixation attacks by ensuring the
// session ID changes after privilege escalation (e.g. login).
func (s *Session) Regenerate(r *http.Request, w http.ResponseWriter, oldSess *sessions.Session) (*sessions.Session, error) {
// Copy the values from the old session
oldValues := make(map[interface{}]interface{})
for k, v := range oldSess.Values {
oldValues[k] = v
}
// Destroy the old session
oldSess.Options.MaxAge = -1
s.ClearUser(oldSess)
if err := oldSess.Save(r, w); err != nil {
return nil, fmt.Errorf("failed to destroy old session: %w", err)
}
// Create a new session (gorilla/sessions generates a new ID)
newSess, err := s.store.New(r, SessionName)
if err != nil {
// store.New may return an error alongside a new empty session
// if the old cookie is now invalid. That is expected after we
// destroyed it above. Only fail on a nil session.
if newSess == nil {
return nil, fmt.Errorf("failed to create new session: %w", err)
}
}
// Restore the copied values into the new session
for k, v := range oldValues {
newSess.Values[k] = v
}
// Apply the standard session options (the destroyed old session had
// MaxAge = -1, which store.New might inherit from the cookie).
newSess.Options = &sessions.Options{
Path: "/",
MaxAge: 86400 * 7,
HttpOnly: true,
Secure: !s.config.IsDev(),
SameSite: http.SameSiteLaxMode,
}
return newSess, nil
}
Reference in New Issue View Git Blame Copy Permalink