Add CSRF check into websockets
This adds CSRF check into websockets to avoid
attacks on websockets.
Tested: Could no longer use crosssite scripting to
open websocket. KVM and SOL still work once web-ui
changes are updated
Change-Id: I325079ae3d4db2701671564dff733e034d2670d6
Signed-off-by: James Feist <james.feist@linux.intel.com>
diff --git a/http/websocket.h b/http/websocket.h
index c467d25..ad090e0 100644
--- a/http/websocket.h
+++ b/http/websocket.h
@@ -72,7 +72,7 @@
openHandler(std::move(open_handler)),
messageHandler(std::move(message_handler)),
closeHandler(std::move(close_handler)),
- errorHandler(std::move(error_handler))
+ errorHandler(std::move(error_handler)), session(reqIn.session)
{
BMCWEB_LOG_DEBUG << "Creating new connection " << this;
}
@@ -94,8 +94,20 @@
// Perform the websocket upgrade
ws.async_accept_ex(
req,
- [protocol{std::string(protocol)}](
+ [session{session}, protocol{std::string(protocol)}](
boost::beast::websocket::response_type& m) {
+
+#ifndef BMCWEB_INSECURE_DISABLE_CSRF_PREVENTION
+ // use protocol for csrf checking
+ if (session->cookieAuth &&
+ !crow::utility::constantTimeStringCompare(
+ protocol, session->csrfToken))
+ {
+ BMCWEB_LOG_ERROR << "Websocket CSRF error";
+ m.result(boost::beast::http::status::unauthorized);
+ return;
+ }
+#endif
if (!protocol.empty())
{
m.insert(bf::sec_websocket_protocol, protocol);
@@ -262,6 +274,7 @@
std::function<void(Connection&, const std::string&, bool)> messageHandler;
std::function<void(Connection&, const std::string&)> closeHandler;
std::function<void(Connection&)> errorHandler;
+ std::shared_ptr<crow::persistent_data::UserSession> session;
};
} // namespace websocket
} // namespace crow