ProgrammingLab
diff --git a/‎lib/crowi/express-init.js
+2-17 b/‎lib/crowi/express-init.js
+2-17
diff --git a/‎lib/crowi/index.js
+43 b/‎lib/crowi/index.js
+43
diff --git a/‎lib/routes/index.js
+30-29 b/‎lib/routes/index.js
+30-29
diff --git a/‎lib/util/middlewares.js
+18-1 b/‎lib/util/middlewares.js
+18-1
diff --git a/‎lib/util/swigFunctions.js
+5 b/‎lib/util/swigFunctions.js
+5
diff --git a/‎lib/views/500.html
+1-1 b/‎lib/views/500.html
+1-1
diff --git a/‎lib/views/_form.html
+1 b/‎lib/views/_form.html
+1
diff --git a/‎lib/views/admin/app.html
+6-1 b/‎lib/views/admin/app.html
+6-1
diff --git a/‎lib/views/admin/notification.html
+3 b/‎lib/views/admin/notification.html
+3
diff --git a/‎lib/views/admin/search.html
+1 b/‎lib/views/admin/search.html
+1
@@ -1,13 +1,12 @@
 'use strict';
 
 module.exports = function(crowi, app) {
-  var express        = require('express')
+  var debug = require('debug')('crowi:crowi:express-init')
+    , express        = require('express')
     , bodyParser     = require('body-parser')
     , multer         = require('multer')
-    , morgan         = require('morgan')
     , cookieParser   = require('cookie-parser')
     , methodOverride = require('method-override')
-    , errorHandler   = require('errorhandler')
     , session        = require('express-session')
     , basicAuth      = require('basic-auth-connect')
     , flash          = require('connect-flash')
@@ -98,18 +97,4 @@ module.exports = function(crowi, app) {
 
   app.use(middleware.loginChecker(crowi, app));
 
-  if (env == 'development') {
-    swig.setDefaults({ cache: false });
-    app.use(errorHandler({ dumpExceptions: true, showStack: true }));
-    app.use(morgan('dev'));
-  }
-
-  if (env == 'production') {
-    var oneYear = 31557600000;
-    app.use(morgan('combined'));
-    app.use(function (err, req, res, next) {
-      res.status(500);
-      res.render('500', { error: err });
-    });
-  }
 };
@@ -31,6 +31,9 @@ function Crowi (rootdir, env)
   this.searcher = null;
   this.mailer = {};
 
+  this.tokens = null;
+  this.csrfToken = null;
+  this.csrfSecret = null;
 
   this.models = {};
 
@@ -81,6 +84,8 @@ Crowi.prototype.init = function() {
     return self.setupMailer();
   }).then(function() {
     return self.setupSlack();
+  }).then(function() {
+    return self.setupCsrf();
   }).then(function() {
     return self.buildServer();
   });
@@ -242,7 +247,27 @@ Crowi.prototype.setupSlack = function() {
   });
 };
 
+Crowi.prototype.setupCsrf = function() {
+  var Tokens = require('csrf');
+  var tokens = this.tokens = new Tokens();
+
+  this.csrfSecret = tokens.secretSync();
+  this.csrfToken = tokens.create(this.csrfSecret);
+
+  return Promise.resolve();
+};
+
+Crowi.prototype.getTokens = function() {
+  return this.tokens;
+};
+
+Crowi.prototype.getCsrfSecret = function() {
+  return this.csrfSecret;
+};
 
+Crowi.prototype.getCsrfToken = function() {
+  return this.csrfToken;
+};
 
 Crowi.prototype.start = function() {
   var self = this
@@ -267,12 +292,30 @@ Crowi.prototype.start = function() {
 
 Crowi.prototype.buildServer = function() {
   var express  = require('express')
+    , errorHandler   = require('errorhandler')
+    , morgan         = require('morgan')
     , app = express()
+    , env = this.node_env
     ;
 
   require('./express-init')(this, app);
   require('../routes')(this, app);
 
+  if (env == 'development') {
+    //swig.setDefaults({ cache: false });
+    app.use(errorHandler({ dumpExceptions: true, showStack: true }));
+    app.use(morgan('dev'));
+  }
+
+  if (env == 'production') {
+    var oneYear = 31557600000;
+    app.use(morgan('combined'));
+    app.use(function (err, req, res, next) {
+      res.status(500);
+      res.render('500', { error: err });
+    });
+  }
+
   return new Promise.resolve(app);
 };
 
 
@@ -15,20 +15,21 @@ module.exports = function(crowi, app) {
     , search    = require('./search')(crowi, app)
     , loginRequired = middleware.loginRequired
     , accessTokenParser = middleware.accessTokenParser
+    , csrf      = middleware.csrfVerify(crowi, app)
     ;
 
   app.get('/'                        , loginRequired(crowi, app) , page.pageListShow);
 
   app.get('/installer'               , middleware.applicationNotInstalled() , installer.index);
-  app.post('/installer/createAdmin'  , middleware.applicationNotInstalled() , form.register , installer.createAdmin);
+  app.post('/installer/createAdmin'  , middleware.applicationNotInstalled() , form.register , csrf, installer.createAdmin);
   //app.post('/installer/user'         , middleware.applicationNotInstalled() , installer.createFirstUser);
 
   app.get('/login/error/:reason'     , login.error);
   app.get('/login'                   , middleware.applicationInstalled()    , login.login);
   app.get('/login/invited'           , login.invited);
-  app.post('/login/activateInvited'  , form.invited                         , login.invited);
-  app.post('/login'                  , form.login                           , login.login);
-  app.post('/register'               , form.register                        , login.register);
+  app.post('/login/activateInvited'  , form.invited                         , csrf, login.invited);
+  app.post('/login'                  , form.login                           , csrf, login.login);
+  app.post('/register'               , form.register                        , csrf, login.register);
   app.get('/register'                , middleware.applicationInstalled()    , login.register);
   app.post('/register/google'        , login.registerGoogle);
   app.get('/google/callback'         , login.googleCallback);
@@ -38,32 +39,32 @@ module.exports = function(crowi, app) {
 
   app.get('/admin'                      , loginRequired(crowi, app) , middleware.adminRequired() , admin.index);
   app.get('/admin/app'                  , loginRequired(crowi, app) , middleware.adminRequired() , admin.app.index);
-  app.post('/_api/admin/settings/app'   , loginRequired(crowi, app) , middleware.adminRequired() , form.admin.app, admin.api.appSetting);
+  app.post('/_api/admin/settings/app'   , loginRequired(crowi, app) , middleware.adminRequired() , csrf, form.admin.app, admin.api.appSetting);
   app.post('/_api/admin/settings/sec'   , loginRequired(crowi, app) , middleware.adminRequired() , form.admin.sec, admin.api.appSetting);
-  app.post('/_api/admin/settings/mail'  , loginRequired(crowi, app) , middleware.adminRequired() , form.admin.mail, admin.api.appSetting);
-  app.post('/_api/admin/settings/aws'   , loginRequired(crowi, app) , middleware.adminRequired() , form.admin.aws, admin.api.appSetting);
-  app.post('/_api/admin/settings/google', loginRequired(crowi, app) , middleware.adminRequired() , form.admin.google, admin.api.appSetting);
-  app.post('/_api/admin/settings/fb'    , loginRequired(crowi, app) , middleware.adminRequired() , form.admin.fb , admin.api.appSetting);
+  app.post('/_api/admin/settings/mail'  , loginRequired(crowi, app) , middleware.adminRequired() , csrf, form.admin.mail, admin.api.appSetting);
+  app.post('/_api/admin/settings/aws'   , loginRequired(crowi, app) , middleware.adminRequired() , csrf, form.admin.aws, admin.api.appSetting);
+  app.post('/_api/admin/settings/google', loginRequired(crowi, app) , middleware.adminRequired() , csrf, form.admin.google, admin.api.appSetting);
+  app.post('/_api/admin/settings/fb'    , loginRequired(crowi, app) , middleware.adminRequired() , csrf, form.admin.fb , admin.api.appSetting);
 
   // search admin
   app.get('/admin/search'              , loginRequired(crowi, app) , middleware.adminRequired() , admin.search.index);
-  app.post('/admin/search/build'       , loginRequired(crowi, app) , middleware.adminRequired() , admin.search.buildIndex);
+  app.post('/admin/search/build'       , loginRequired(crowi, app) , middleware.adminRequired() , csrf, admin.search.buildIndex);
 
   // notification admin
   app.get('/admin/notification'              , loginRequired(crowi, app) , middleware.adminRequired() , admin.notification.index);
-  app.post('/admin/notification/slackSetting', loginRequired(crowi, app) , middleware.adminRequired() , form.admin.slackSetting, admin.notification.slackSetting);
+  app.post('/admin/notification/slackSetting', loginRequired(crowi, app) , middleware.adminRequired() , csrf, form.admin.slackSetting, admin.notification.slackSetting);
   app.get('/admin/notification/slackAuth'    , loginRequired(crowi, app) , middleware.adminRequired() , admin.notification.slackAuth);
-  app.post('/_api/admin/notification.add'    , loginRequired(crowi, app) , middleware.adminRequired() , admin.api.notificationAdd);
-  app.post('/_api/admin/notification.remove' , loginRequired(crowi, app) , middleware.adminRequired() , admin.api.notificationRemove);
+  app.post('/_api/admin/notification.add'    , loginRequired(crowi, app) , middleware.adminRequired() , csrf, admin.api.notificationAdd);
+  app.post('/_api/admin/notification.remove' , loginRequired(crowi, app) , middleware.adminRequired() , csrf, admin.api.notificationRemove);
 
   app.get('/admin/users'                , loginRequired(crowi, app) , middleware.adminRequired() , admin.user.index);
-  app.post('/admin/user/invite'         , form.admin.userInvite ,  loginRequired(crowi, app) , middleware.adminRequired() , admin.user.invite);
-  app.post('/admin/user/:id/makeAdmin'  , loginRequired(crowi, app) , middleware.adminRequired() , admin.user.makeAdmin);
+  app.post('/admin/user/invite'         , form.admin.userInvite ,  loginRequired(crowi, app) , middleware.adminRequired() , csrf, admin.user.invite);
+  app.post('/admin/user/:id/makeAdmin'  , loginRequired(crowi, app) , middleware.adminRequired() , csrf, admin.user.makeAdmin);
   app.post('/admin/user/:id/removeFromAdmin', loginRequired(crowi, app) , middleware.adminRequired() , admin.user.removeFromAdmin);
-  app.post('/admin/user/:id/activate'   , loginRequired(crowi, app) , middleware.adminRequired() , admin.user.activate);
-  app.post('/admin/user/:id/suspend'    , loginRequired(crowi, app) , middleware.adminRequired() , admin.user.suspend);
-  app.post('/admin/user/:id/remove'     , loginRequired(crowi, app) , middleware.adminRequired() , admin.user.remove);
-  app.post('/admin/user/:id/removeCompletely' , loginRequired(crowi, app) , middleware.adminRequired() , admin.user.removeCompletely);
+  app.post('/admin/user/:id/activate'   , loginRequired(crowi, app) , middleware.adminRequired() , csrf, admin.user.activate);
+  app.post('/admin/user/:id/suspend'    , loginRequired(crowi, app) , middleware.adminRequired() , csrf, admin.user.suspend);
+  app.post('/admin/user/:id/remove'     , loginRequired(crowi, app) , middleware.adminRequired() , csrf, admin.user.remove);
+  app.post('/admin/user/:id/removeCompletely' , loginRequired(crowi, app) , middleware.adminRequired() , csrf, admin.user.removeCompletely);
 
   app.get('/me'                       , loginRequired(crowi, app) , me.index);
   app.get('/me/password'              , loginRequired(crowi, app) , me.password);
@@ -97,27 +98,27 @@ module.exports = function(crowi, app) {
   app.get('/_api/pages.get'           , accessTokenParser(crowi, app) , loginRequired(crowi, app) , page.api.get);
   app.get('/_api/pages.updatePost'    , accessTokenParser(crowi, app) , loginRequired(crowi, app) , page.api.getUpdatePost);
   app.post('/_api/pages.seen'         , accessTokenParser(crowi, app) , loginRequired(crowi, app) , page.api.seen);
-  app.post('/_api/pages.rename'       , accessTokenParser(crowi, app) , loginRequired(crowi, app) , page.api.rename);
-  app.post('/_api/pages.remove'       , loginRequired(crowi, app) , page.api.remove); // (Avoid from API Token)
-  app.post('/_api/pages.revertRemove' , loginRequired(crowi, app) , page.api.revertRemove); // (Avoid from API Token)
+  app.post('/_api/pages.rename'       , accessTokenParser(crowi, app) , loginRequired(crowi, app) , csrf, page.api.rename);
+  app.post('/_api/pages.remove'       , loginRequired(crowi, app) , csrf, page.api.remove); // (Avoid from API Token)
+  app.post('/_api/pages.revertRemove' , loginRequired(crowi, app) , csrf, page.api.revertRemove); // (Avoid from API Token)
   app.get('/_api/comments.get'        , accessTokenParser(crowi, app) , loginRequired(crowi, app) , comment.api.get);
-  app.post('/_api/comments.add'       , form.comment, accessTokenParser(crowi, app) , loginRequired(crowi, app) , comment.api.add);
+  app.post('/_api/comments.add'       , form.comment, accessTokenParser(crowi, app) , loginRequired(crowi, app) , csrf, comment.api.add);
   app.get( '/_api/bookmarks.get'      , accessTokenParser(crowi, app) , loginRequired(crowi, app) , bookmark.api.get);
-  app.post('/_api/bookmarks.add'      , accessTokenParser(crowi, app) , loginRequired(crowi, app) , bookmark.api.add);
-  app.post('/_api/bookmarks.remove'   , accessTokenParser(crowi, app) , loginRequired(crowi, app) , bookmark.api.remove);
-  app.post('/_api/likes.add'          , accessTokenParser(crowi, app) , loginRequired(crowi, app) , page.api.like);
-  app.post('/_api/likes.remove'       , accessTokenParser(crowi, app) , loginRequired(crowi, app) , page.api.unlike);
+  app.post('/_api/bookmarks.add'      , accessTokenParser(crowi, app) , loginRequired(crowi, app) , csrf, bookmark.api.add);
+  app.post('/_api/bookmarks.remove'   , accessTokenParser(crowi, app) , loginRequired(crowi, app) , csrf, bookmark.api.remove);
+  app.post('/_api/likes.add'          , accessTokenParser(crowi, app) , loginRequired(crowi, app) , csrf, page.api.like);
+  app.post('/_api/likes.remove'       , accessTokenParser(crowi, app) , loginRequired(crowi, app) , csrf, page.api.unlike);
 
   app.get( '/_api/revisions.get'      , accessTokenParser(crowi, app) , loginRequired(crowi, app) , revision.api.get);
   app.get( '/_api/revisions.list'     , accessTokenParser(crowi, app) , loginRequired(crowi, app) ,revision.api.list);
 
   //app.get('/_api/revision/:id'     , user.useUserData()         , revision.api.get);
   //app.get('/_api/r/:revisionId'    , user.useUserData()         , page.api.get);
 
-  app.post('/_/edit'                 , form.revision             , loginRequired(crowi, app) , page.pageEdit);
+  app.post('/_/edit'                 , form.revision             , loginRequired(crowi, app) , csrf, page.pageEdit);
   app.get('/trash/$'                 , loginRequired(crowi, app) , page.deletedPageListShow);
   app.get('/trash/*/$'               , loginRequired(crowi, app) , page.deletedPageListShow);
   app.get('/*/$'                     , loginRequired(crowi, app) , page.pageListShow);
   app.get('/*'                       , loginRequired(crowi, app) , page.pageShow);
-  //app.get('/*/edit'                , routes.edit);
+
 };
@@ -23,6 +23,21 @@ exports.loginChecker = function(crowi, app) {
   };
 };
 
+exports.csrfVerify = function(crowi, app) {
+  return function(req, res, next) {
+    var token = req.body._csrf || req.query._csrf || null;
+    if (req.skipCsrfVerify) {
+      return next();
+    }
+
+    if (crowi.getTokens().verify(crowi.getCsrfSecret(), token)) {
+      return next();
+    }
+
+    return res.sendStatus(403);
+  };
+};
+
 exports.swigFunctions = function(crowi, app) {
   return function(req, res, next) {
     require('../util/swigFunctions')(crowi, app, req, res.locals);
@@ -138,7 +153,7 @@ exports.loginRequired = function(crowi, app) {
 
 exports.accessTokenParser = function(crowi, app) {
   return function(req, res, next) {
-    var accessToken = req.query.access_token;
+    var accessToken = req.query.access_token || req.body.access_token || null;
     if (!accessToken) {
       return next();
     }
@@ -148,6 +163,8 @@ exports.accessTokenParser = function(crowi, app) {
     User.findUserByApiToken(accessToken)
     .then(function(userData) {
       req.user = userData;
+      req.skipCsrfVerify = true;
+
       next();
     }).catch(function(err) {
       next();
 
@@ -5,6 +5,11 @@ module.exports = function(crowi, app, req, locals) {
     , User = crowi.model('User')
   ;
 
+  // token getter
+  locals._csrf = function() {
+    return crowi.getCsrfToken();
+  };
+
   locals.facebookLoginEnabled = function() {
     var config = crowi.getConfig()
     return config.crowi['facebook:appId'] && config.crowi['facebook:secret'];
 
@@ -1 +1 @@
-Error: {{ error }}
+Error: {{ error.message }}
@@ -49,6 +49,7 @@
           {% endfor %}
         </select>
         {% endif %}
+        <input type="hidden" name="_csrf" value="{{ _csrf() }}">
         <input type="submit" class="btn btn-primary" id="edit-form-submit" value="ページを更新" />
       </div>
     </div>
 
@@ -54,6 +54,7 @@ <h1 class="title" id="">アプリ設定</h1>
 
         <div class="form-group">
           <div class="col-xs-offset-3 col-xs-6">
+            <input type="hidden" name="_csrf" value="{{ _csrf() }}">
             <button type="submit" class="btn btn-primary">更新</button>
           </div>
         </div>
@@ -105,6 +106,7 @@ <h1 class="title" id="">アプリ設定</h1>
 
         <div class="form-group">
           <div class="col-xs-offset-3 col-xs-6">
+            <input type="hidden" name="_csrf" value="{{ _csrf() }}">
             <button type="submit" class="btn btn-primary">更新</button>
           </div>
         </div>
@@ -149,6 +151,7 @@ <h1 class="title" id="">アプリ設定</h1>
 
         <div class="form-group">
           <div class="col-xs-offset-3 col-xs-6">
+            <input type="hidden" name="_csrf" value="{{ _csrf() }}">
             <button type="submit" class="btn btn-primary">更新</button>
           </div>
         </div>
@@ -197,6 +200,7 @@ <h1 class="title" id="">アプリ設定</h1>
 
         <div class="form-group">
           <div class="col-xs-offset-3 col-xs-6">
+            <input type="hidden" name="_csrf" value="{{ _csrf() }}">
             <button type="submit" class="btn btn-primary">更新</button>
           </div>
         </div>
@@ -225,6 +229,7 @@ <h1 class="title" id="">アプリ設定</h1>
 
         <div class="form-group">
           <div class="col-xs-offset-3 col-xs-6">
+            <input type="hidden" name="_csrf" value="{{ _csrf() }}">
             <button type="submit" class="btn btn-primary">更新</button>
           </div>
         </div>
@@ -253,6 +258,7 @@ <h1 class="title" id="">アプリ設定</h1>
 
         <div class="form-group">
           <div class="col-xs-offset-3 col-xs-6">
+            <input type="hidden" name="_csrf" value="{{ _csrf() }}">
             <button type="submit" class="btn btn-primary">更新</button>
           </div>
         </div>
@@ -297,7 +303,6 @@ <h1 class="title" id="">アプリ設定</h1>
           $button.attr('disabled', 'disabled');
           var jqxhr = $.post($form.attr('action'), $form.serialize(), function(data)
             {
-              console.log(data);
               if (data.status) {
                 showMessage($id, '更新しました');
               } else {
 
@@ -65,6 +65,7 @@ <h1 class="title" id="">通知設定</h1>
           </div>
         </div>
       </fieldset>
+      <input type="hidden" name="_csrf" value="{{ _csrf() }}">
       </form>
 
       {% if hasSlackConfig %}
@@ -108,6 +109,7 @@ <h4>Default Notification Settings for Patterns</h4>
               </p>
             </td>
             <td>
+              <input type="hidden" name="_csrf" value="{{ _csrf() }}">
               <input type="submit" value="Add" class="btn btn-primary">
             </td>
           </tr>
@@ -124,6 +126,7 @@ <h4>Default Notification Settings for Patterns</h4>
             <td>
               <form class="admin-remove-updatepost">
                 <input type="hidden" name="id" value="{{ notif._id.toString() }}">
+                <input type="hidden" name="_csrf" value="{{ _csrf() }}">
                 <input type="submit" value="Delete" class="btn btn-default">
               </form>
             </td>
 
@@ -51,6 +51,7 @@ <h1 class="title" id="">検索管理</h1>
           </div>
         </div>
       </fieldset>
+      <input type="hidden" name="_csrf" value="{{ _csrf() }}">
       </form>
 
     </div>
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-Error: {{ error }}`
	`1`	`+Error: {{ error.message }}`