Use POST for the /api/apply-wg-config endpoint and check the Content-Type Header for all non-GET requests to prevent CSRF attacks

2025-06-07 00:46:58 +03:00 · 2022-07-08 20:02:18 +02:00 · 2022-07-08 20:02:18 +02:00 · 7c7081a3ba
commit 7c7081a3ba
parent f43c59c043
3 changed files with 47 additions and 28 deletions
--- a/handler/middlewares.go
+++ b/handler/middlewares.go
@ -0,0 +1,19 @@
+package handler
+
+import (
+	"github.com/labstack/echo/v4"
+	"net/http"
+)
+
+// ContentTypeJson checks that the requests have the Content-Type header set to "application/json".
+// This helps against CSRF attacks.
+func ContentTypeJson(next echo.HandlerFunc) echo.HandlerFunc {
+	return func(c echo.Context) error {
+		contentType := c.Request().Header.Get("Content-Type")
+		if contentType != "application/json" {
+			return c.JSON(http.StatusBadRequest, jsonHTTPResponse{false, "Only JSON allowed"})
+		}
+
+		return next(c)
+	}
+}
--- a/main.go
+++ b/main.go
@ -137,27 +137,27 @@ func main() {

 	app.GET(util.BasePath+"/_health", handler.Health())
 	app.GET(util.BasePath+"/logout", handler.Logout(), handler.ValidSession)
-	app.POST(util.BasePath + "/new-client", handler.NewClient(db), handler.ValidSession)
-	app.POST(util.BasePath + "/update-client", handler.UpdateClient(db), handler.ValidSession)
-	app.POST(util.BasePath + "/email-client", handler.EmailClient(db, sendmail, defaultEmailSubject, defaultEmailContent), handler.ValidSession)
-	app.POST(util.BasePath + "/client/set-status", handler.SetClientStatus(db), handler.ValidSession)
-	app.POST(util.BasePath + "/remove-client", handler.RemoveClient(db), handler.ValidSession)
+	app.POST(util.BasePath+"/new-client", handler.NewClient(db), handler.ValidSession, handler.ContentTypeJson)
+	app.POST(util.BasePath+"/update-client", handler.UpdateClient(db), handler.ValidSession, handler.ContentTypeJson)
+	app.POST(util.BasePath+"/email-client", handler.EmailClient(db, sendmail, defaultEmailSubject, defaultEmailContent), handler.ValidSession, handler.ContentTypeJson)
+	app.POST(util.BasePath+"/client/set-status", handler.SetClientStatus(db), handler.ValidSession, handler.ContentTypeJson)
+	app.POST(util.BasePath+"/remove-client", handler.RemoveClient(db), handler.ValidSession, handler.ContentTypeJson)
 	app.GET(util.BasePath+"/download", handler.DownloadClient(db), handler.ValidSession)
 	app.GET(util.BasePath+"/wg-server", handler.WireGuardServer(db), handler.ValidSession)
-	app.POST(util.BasePath + "/wg-server/interfaces", handler.WireGuardServerInterfaces(db), handler.ValidSession)
-	app.POST(util.BasePath + "/wg-server/keypair", handler.WireGuardServerKeyPair(db), handler.ValidSession)
+	app.POST(util.BasePath+"/wg-server/interfaces", handler.WireGuardServerInterfaces(db), handler.ValidSession, handler.ContentTypeJson)
+	app.POST(util.BasePath+"/wg-server/keypair", handler.WireGuardServerKeyPair(db), handler.ValidSession, handler.ContentTypeJson)
 	app.GET(util.BasePath+"/global-settings", handler.GlobalSettings(db), handler.ValidSession)
-	app.POST(util.BasePath + "/global-settings", handler.GlobalSettingSubmit(db), handler.ValidSession)
+	app.POST(util.BasePath+"/global-settings", handler.GlobalSettingSubmit(db), handler.ValidSession, handler.ContentTypeJson)
 	app.GET(util.BasePath+"/status", handler.Status(db), handler.ValidSession)
 	app.GET(util.BasePath+"/api/clients", handler.GetClients(db), handler.ValidSession)
 	app.GET(util.BasePath+"/api/client/:id", handler.GetClient(db), handler.ValidSession)
 	app.GET(util.BasePath+"/api/machine-ips", handler.MachineIPAddresses(), handler.ValidSession)
 	app.GET(util.BasePath+"/api/suggest-client-ips", handler.SuggestIPAllocation(db), handler.ValidSession)
-	app.GET(util.BasePath + "/api/apply-wg-config", handler.ApplyServerConfig(db, tmplBox), handler.ValidSession)
+	app.POST(util.BasePath+"/api/apply-wg-config", handler.ApplyServerConfig(db, tmplBox), handler.ValidSession, handler.ContentTypeJson)
 	app.GET(util.BasePath+"/wake_on_lan_hosts", handler.GetWakeOnLanHosts(db), handler.ValidSession)
-	app.POST(util.BasePath + "/wake_on_lan_host", handler.SaveWakeOnLanHost(db), handler.ValidSession)
-	app.DELETE(util.BasePath + "/wake_on_lan_host/:mac_address", handler.DeleteWakeOnHost(db), handler.ValidSession)
-	app.PUT(util.BasePath + "/wake_on_lan_host/:mac_address", handler.WakeOnHost(db), handler.ValidSession)
+	app.POST(util.BasePath+"/wake_on_lan_host", handler.SaveWakeOnLanHost(db), handler.ValidSession, handler.ContentTypeJson)
+	app.DELETE(util.BasePath+"/wake_on_lan_host/:mac_address", handler.DeleteWakeOnHost(db), handler.ValidSession, handler.ContentTypeJson)
+	app.PUT(util.BasePath+"/wake_on_lan_host/:mac_address", handler.WakeOnHost(db), handler.ValidSession, handler.ContentTypeJson)

 	// servers other static files
 	app.GET(util.BasePath+"/static/*", echo.WrapHandler(http.StripPrefix(util.BasePath+"/static/", assetHandler)))
--- a/templates/base.html
+++ b/templates/base.html
@ -494,7 +494,7 @@
            $("#apply_config_confirm").click(function () {
                $.ajax({
                    cache: false,
-                    method: 'GET',
+                    method: 'POST',
                    url: '{{.basePath}}/api/apply-wg-config',
                    dataType: 'json',
                    contentType: "application/json",