add CSRF validation

2021-12-21 16:57:39 +01:00 · 2021-12-21 16:57:39 +01:00 · e32089c81e
parent ae5a18138b
commit e32089c81e
5 changed files with 21 additions and 1 deletions
--- a/ldap_frontend/init.py
+++ b/ldap_frontend/init.py
@ -2,6 +2,7 @@ from json import load
 from os import environ

 from flask import Flask, flash, redirect, request, session, url_for
+from flask_wtf.csrf import CSRFProtect, CSRFError
 from ldap3 import ALL_ATTRIBUTES, MODIFY_ADD, MODIFY_DELETE
 from ldap3.core.exceptions import LDAPException
 from ldap3.utils.dn import escape_rdn
@ -18,11 +19,24 @@ from .helpers.ldap import (

 app = Flask(__name__)
 app.secret_key = environ.get("FLASK_SECRET_KEY", default="test")
+csrf = CSRFProtect(app)

 with open(environ["APP_CONFIG"]) as f:
    APP_CONFIG = load(f)


+
+@app.errorhandler(CSRFError)
+def handle_csrf_error(e):
+    flash("CRSF validation error. For your own safety, you have been logged out.")
+
+    session["is_logged_in"] = False
+    session["username"] = ""
+    session["password"] = ""
+
+    return redirect(url_for("login"))
+
+
@app.route("/")
 def slash():
    if session.get('is_logged_in'):
@ -131,7 +145,6 @@ def selfservice(ldap):

        return redirect(url_for("selfservice"))

-    print(session)
    return template(ldap, "selfservice.html")


--- a/ldap_frontend/templates/groups/members.html
+++ b/ldap_frontend/templates/groups/members.html
@ -16,6 +16,7 @@
                        <td>{{ member["cn"] }}</td>
                        <td>
                            <form action="{{ url_for("group_edit", ou=ou) }}" method="post">
+                                <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
                                <input type="hidden" name="remove" value="{{ member["uid"] }}">
                                <input type="submit" value="remove" class="btn btn-danger">
                            </form>
@ -25,6 +26,7 @@
                </tbody>
            </table>
            <form action="{{ url_for("group_edit", ou=ou) }}" method="post" class="row g-3 needs-validation">
+                <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
                <fieldset>
                    <legend>add user to group</legend>

--- a/ldap_frontend/templates/login.html
+++ b/ldap_frontend/templates/login.html
@ -1,6 +1,7 @@
 {% extends "layout/default.html" %}
 {% block content %}
            <form action="{{ url_for("login") }}" method="post">
+                <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
                <fieldset>
                    <legend>Login</legend>

--- a/ldap_frontend/templates/selfservice.html
+++ b/ldap_frontend/templates/selfservice.html
@ -2,6 +2,7 @@
 {% block title %}self service{% endblock %}
 {% block content %}
            <form action="{{ url_for("selfservice") }}" method="post" class="row g-3 needs-validation">
+                <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
                <fieldset>
                    <legend>user data</legend>

@ -47,6 +48,7 @@
            </form>

            <form action="{{ url_for("selfservice") }}" method="post">
+                <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
                <fieldset>
                    <legend>password</legend>

--- a/requirements.txt
+++ b/requirements.txt
@ -1,5 +1,6 @@
 click==8.0.3
 Flask==2.0.2
+Flask-WTF==1.0.0
 gunicorn==20.1.0
 itsdangerous==2.0.1
 Jinja2==3.0.3
@ -7,3 +8,4 @@ ldap3==2.9.1
 MarkupSafe==2.0.1
 pyasn1==0.4.8
 Werkzeug==2.0.2
+WTForms==3.0.0