From e7d14c374b9d45e27089994a4eb72186d05514de Mon Sep 17 00:00:00 2001 From: Emanuele Stoppa Date: Thu, 5 Dec 2024 14:29:31 +0000 Subject: [PATCH] fix: `checkOrigin` headers check (#12632) * Merge commit from fork * fix: enforce check origin logic * address feedback * --amend --- .changeset/swift-pandas-serve.md | 5 ++ packages/astro/src/core/app/middlewares.ts | 51 +++++++++++++++------ packages/astro/test/csrf-protection.test.js | 16 +++++++ 3 files changed, 57 insertions(+), 15 deletions(-) create mode 100644 .changeset/swift-pandas-serve.md diff --git a/.changeset/swift-pandas-serve.md b/.changeset/swift-pandas-serve.md new file mode 100644 index 000000000000..75f5f8227155 --- /dev/null +++ b/.changeset/swift-pandas-serve.md @@ -0,0 +1,5 @@ +--- +'astro': patch +--- + +Fixes an issue where the `checkOrigin` feature wasn't correctly checking the `content-type` header diff --git a/packages/astro/src/core/app/middlewares.ts b/packages/astro/src/core/app/middlewares.ts index 095158b42ba3..f89f5c668272 100644 --- a/packages/astro/src/core/app/middlewares.ts +++ b/packages/astro/src/core/app/middlewares.ts @@ -21,22 +21,43 @@ const FORM_CONTENT_TYPES = [ export function createOriginCheckMiddleware(): MiddlewareHandler { return defineMiddleware((context, next) => { const { request, url } = context; - const contentType = request.headers.get('content-type'); - if (contentType) { - if (FORM_CONTENT_TYPES.includes(contentType.toLowerCase())) { - const forbidden = - (request.method === 'POST' || - request.method === 'PUT' || - request.method === 'PATCH' || - request.method === 'DELETE') && - request.headers.get('origin') !== url.origin; - if (forbidden) { - return new Response(`Cross-site ${request.method} form submissions are forbidden`, { - status: 403, - }); - } + if (request.method === "GET") { + return next(); + } + const sameOrigin = + (request.method === 'POST' || + request.method === 'PUT' || + request.method === 'PATCH' || + request.method === 'DELETE') && + request.headers.get('origin') === url.origin; + + const hasContentType = request.headers.has('content-type') + if (hasContentType) { + const formLikeHeader = hasFormLikeHeader(request.headers.get('content-type')); + if (formLikeHeader && !sameOrigin) { + return new Response(`Cross-site ${request.method} form submissions are forbidden`, { + status: 403, + }); + } + } else { + if (!sameOrigin) { + return new Response(`Cross-site ${request.method} form submissions are forbidden`, { + status: 403, + }); } } - return next(); + + return next() }); } + +function hasFormLikeHeader(contentType: string | null): boolean { + if (contentType) { + for (const FORM_CONTENT_TYPE of FORM_CONTENT_TYPES) { + if (contentType.toLowerCase().includes(FORM_CONTENT_TYPE)) { + return true; + } + } + } + return false; +} diff --git a/packages/astro/test/csrf-protection.test.js b/packages/astro/test/csrf-protection.test.js index 25aa9d059050..f8067000d23c 100644 --- a/packages/astro/test/csrf-protection.test.js +++ b/packages/astro/test/csrf-protection.test.js @@ -46,6 +46,22 @@ describe('CSRF origin check', () => { }); response = await app.render(request); assert.equal(response.status, 403); + + request = new Request('http://example.com/api/', { + headers: { origin: 'http://loreum.com', 'content-type': 'application/x-www-form-urlencoded; some-other-value' }, + method: 'POST', + }); + response = await app.render(request); + assert.equal(response.status, 403); + + request = new Request('http://example.com/api/', { + headers: { origin: 'http://loreum.com', }, + method: 'POST', + credentials: 'include', + body: new Blob(["a=b"],{}) + }); + response = await app.render(request); + assert.equal(response.status, 403); }); it("return 403 when the origin doesn't match and calling a PUT", async () => {