add CSRF validation

This commit is contained in:
Franzi 2021-12-21 16:57:39 +01:00
parent ae5a18138b
commit e32089c81e
Signed by: kunsi
GPG key ID: 12E3D2136B818350
5 changed files with 21 additions and 1 deletions

View file

@ -2,6 +2,7 @@ from json import load
from os import environ
from flask import Flask, flash, redirect, request, session, url_for
from flask_wtf.csrf import CSRFProtect, CSRFError
from ldap3 import ALL_ATTRIBUTES, MODIFY_ADD, MODIFY_DELETE
from ldap3.core.exceptions import LDAPException
from ldap3.utils.dn import escape_rdn
@ -18,11 +19,24 @@ from .helpers.ldap import (
app = Flask(__name__)
app.secret_key = environ.get("FLASK_SECRET_KEY", default="test")
csrf = CSRFProtect(app)
with open(environ["APP_CONFIG"]) as f:
APP_CONFIG = load(f)
@app.errorhandler(CSRFError)
def handle_csrf_error(e):
flash("CRSF validation error. For your own safety, you have been logged out.")
session["is_logged_in"] = False
session["username"] = ""
session["password"] = ""
return redirect(url_for("login"))
@app.route("/")
def slash():
if session.get('is_logged_in'):
@ -131,7 +145,6 @@ def selfservice(ldap):
return redirect(url_for("selfservice"))
print(session)
return template(ldap, "selfservice.html")

View file

@ -16,6 +16,7 @@
<td>{{ member["cn"] }}</td>
<td>
<form action="{{ url_for("group_edit", ou=ou) }}" method="post">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<input type="hidden" name="remove" value="{{ member["uid"] }}">
<input type="submit" value="remove" class="btn btn-danger">
</form>
@ -25,6 +26,7 @@
</tbody>
</table>
<form action="{{ url_for("group_edit", ou=ou) }}" method="post" class="row g-3 needs-validation">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<fieldset>
<legend>add user to group</legend>

View file

@ -1,6 +1,7 @@
{% extends "layout/default.html" %}
{% block content %}
<form action="{{ url_for("login") }}" method="post">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
<fieldset>
<legend>Login</legend>

View file

@ -2,6 +2,7 @@
{% block title %}self service{% endblock %}
{% block content %}
<form action="{{ url_for("selfservice") }}" method="post" class="row g-3 needs-validation">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
<fieldset>
<legend>user data</legend>
@ -47,6 +48,7 @@
</form>
<form action="{{ url_for("selfservice") }}" method="post">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
<fieldset>
<legend>password</legend>

View file

@ -1,5 +1,6 @@
click==8.0.3
Flask==2.0.2
Flask-WTF==1.0.0
gunicorn==20.1.0
itsdangerous==2.0.1
Jinja2==3.0.3
@ -7,3 +8,4 @@ ldap3==2.9.1
MarkupSafe==2.0.1
pyasn1==0.4.8
Werkzeug==2.0.2
WTForms==3.0.0