From ff4d2f2a162d8161b2cc4a7a0b749261b43b1610 Mon Sep 17 00:00:00 2001 From: Simon Willison Date: Sun, 1 Mar 2020 15:28:38 -0800 Subject: [PATCH] Initial work-in-progress --- .circleci/config.yml | 106 +++++++++++++++++++++++ LICENSE | 201 +++++++++++++++++++++++++++++++++++++++++++ README.md | 24 ++++++ asgi_csrf.py | 139 ++++++++++++++++++++++++++++++ setup.py | 26 ++++++ test_asgi_csrf.py | 92 ++++++++++++++++++++ 6 files changed, 588 insertions(+) create mode 100644 .circleci/config.yml create mode 100644 LICENSE create mode 100644 README.md create mode 100644 asgi_csrf.py create mode 100644 setup.py create mode 100644 test_asgi_csrf.py diff --git a/.circleci/config.yml b/.circleci/config.yml new file mode 100644 index 0000000..c6f0ad6 --- /dev/null +++ b/.circleci/config.yml @@ -0,0 +1,106 @@ +version: 2.1 +workflows: + build_and_deploy: + jobs: + - build: + filters: + tags: + only: /.*/ + - test-python-install: + version: "3.6" + requires: + - build + - test-python-install: + version: "3.7" + requires: + - build + - deploy: + requires: + - build + filters: + tags: + only: /[0-9]+(\.[0-9]+)*[ab]?/ + branches: + ignore: /.*/ +jobs: + build: + docker: + - image: circleci/python:3.6 + steps: + - checkout + - restore_cache: + key: v1-dependency-cache-{{ checksum "setup.py" }} + - run: + name: install python dependencies + command: | + python3 -m venv venv + . venv/bin/activate + pip install -e .[test] + - save_cache: + key: v1-dependency-cache-{{ checksum "setup.py" }} + paths: + - "venv" + - run: + name: run tests + command: | + . venv/bin/activate + pytest + test-python-install: + parameters: + version: + type: string + default: latest + docker: + - image: circleci/python:<< parameters.version >> + steps: + - checkout + - restore_cache: + key: v1-dependency-cache-{{ checksum "setup.py" }} + - run: + name: install python dependencies + command: | + python3 -m venv venv + . venv/bin/activate + pip install -e .[test] + - save_cache: + key: v1-dependency-cache-{{ checksum "setup.py" }} + paths: + - "venv" + - run: + name: run tests + command: | + . venv/bin/activate + pytest + deploy: + docker: + - image: circleci/python:3.6 + steps: + - checkout + - restore_cache: + key: v1-dependency-cache-{{ checksum "setup.py" }} + - run: + name: install python dependencies + command: | + python3 -m venv venv + . venv/bin/activate + pip install -e .[test] + - save_cache: + key: v1-dependency-cache-{{ checksum "setup.py" }} + paths: + - "venv" + - run: + name: init .pypirc + command: | + echo -e "[pypi]" >> ~/.pypirc + echo -e "username = simonw" >> ~/.pypirc + echo -e "password = $PYPI_PASSWORD" >> ~/.pypirc + - run: + name: create packages + command: | + python setup.py bdist_wheel + - run: + name: upload to pypi + command: | + . venv/bin/activate + pip install twine + twine upload dist/* diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..261eeb9 --- /dev/null +++ b/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md new file mode 100644 index 0000000..debf050 --- /dev/null +++ b/README.md @@ -0,0 +1,24 @@ +# asgi-csrf + +[![PyPI](https://img.shields.io/pypi/v/asgi-csrf.svg)](https://pypi.org/project/asgi-csrf/) +[![CircleCI](https://circleci.com/gh/simonw/asgi-csrf.svg?style=svg)](https://circleci.com/gh/simonw/asgi-csrf) +[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](https://github.com/simonw/asgi-csrf/blob/master/LICENSE) + +ASGI middleware for protecting against CSRF attacks + +**This is a preview release - do not assume that this is robust and secure just yet.** + +## Installation + + pip install asgi-csrf + +## Background + +See the [OWASP guide to Cross Site Request Forgery (CSRF)](https://owasp.org/www-community/attacks/csrf) and their [Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet](https://owasp.org/www-project-cheat-sheets/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet). + +This middleware implements the Double Submit Cookie pattern, where a cookie is set that is then compared to a `csrftoken` hidden form field or a `x-csrftoken` HTTP header. + +## Limitations + +* Brand new. Not extensively tested. Do not trust this yet. +* Currently only works for `application/x-www-form-urlencoded` forms, not `multipart/form-data` forms (with file uploads) diff --git a/asgi_csrf.py b/asgi_csrf.py new file mode 100644 index 0000000..1e71bd2 --- /dev/null +++ b/asgi_csrf.py @@ -0,0 +1,139 @@ +from http.cookies import SimpleCookie +import fnmatch +from functools import wraps +from urllib.parse import parse_qsl +import secrets + +DEFAULT_COOKIE_NAME = "csrftoken" +DEFAULT_FORM_INPUT = "csrftoken" +DEFAULT_HTTP_HEADER = "x-csrftoken" +SCOPE_KEY = "csrftoken" + + +def asgi_csrf_decorator( + cookie_name=DEFAULT_COOKIE_NAME, + http_header=DEFAULT_HTTP_HEADER, + form_input=DEFAULT_FORM_INPUT, +): + def _asgi_csrf_decorator(app): + @wraps(app) + async def app_wrapped_with_csrf(scope, recieve, send): + cookies = cookies_from_scope(scope) + csrftoken = None + should_set_cookie = False + if cookie_name in cookies: + csrftoken = cookies[cookie_name] + else: + # We are going to set that cookie + should_set_cookie = True + csrftoken = make_secret(16) + scope = {**scope, **{SCOPE_KEY: csrftoken}} + + async def wrapped_send(event): + if event["type"] == "http.response.start": + if should_set_cookie: + original_headers = event.get("headers") or [] + set_cookie_headers = [ + (b"set-cookie", "{}={}".format(cookie_name, csrftoken)) + ] + event = { + "type": "http.response.start", + "status": event["status"], + "headers": original_headers + set_cookie_headers, + } + await send(event) + + # Apply to anything that isn't GET, HEAD, OPTIONS, TRACE (like Django does) + if scope["method"] in {"GET", "HEAD", "OPTIONS", "TRACE"}: + await app(scope, recieve, wrapped_send) + else: + # Check for CSRF token in various places + headers = dict(scope.get("headers" or [])) + if ( + headers.get(http_header.encode("latin-1"), b"").decode("latin-1") + == csrftoken + ): + # x-csrftoken header matches + await app(scope, recieve, wrapped_send) + return + # We need to look for it in the POST body + content_type = headers.get(b"content-type", b"").split(b";", 1)[0] + if content_type == b"application/x-www-form-urlencoded": + # Consume entire POST body and check for csrftoken field + post_data, replay_recieve = await _parse_form_urlencoded(recieve) + if secrets.compare_digest(post_data.get(form_input, ""), csrftoken): + # All is good! Forward on the request and replay the body + await app(scope, replay_recieve, wrapped_send) + return + else: + await send_csrf_failed( + scope, wrapped_send, "POST field did not match cookie" + ) + return + elif content_type == b"multipart/form-data": + # Consume non-file items until we see a csrftoken + # If we see a file item first, it's an error + assert False, "multipart/form-data is not yet supported" + else: + await send_csrf_failed( + scope, wrapped_send, message="Unknown content-type" + ) + return + + return app_wrapped_with_csrf + + return _asgi_csrf_decorator + + +async def _parse_form_urlencoded(receive): + # Returns {key: value}, replay_receive + # where replay_recieve is an awaitable that can replay what was recieved + # We ignore cases like foo=one&foo=two because we do not need to + # handle that case for our single csrftoken= argument + body = b"" + more_body = True + messages = [] + while more_body: + message = await receive() + assert message["type"] == "http.request", message + messages.append(message) + body += message.get("body", b"") + more_body = message.get("more_body", False) + + async def replay_receive(): + for message in messages: + yield message + + return dict(parse_qsl(body.decode("utf-8"))), replay_receive + + +async def send_csrf_failed(scope, send, message="CSRF check failed"): + assert scope["type"] == "http" + await send( + { + "type": "http.response.start", + "status": 403, + "headers": [[b"content-type", b"text/html; charset=utf-8"]], + } + ) + await send({"type": "http.response.body", "body": message.encode("utf-8")}) + + +def asgi_csrf(app, cookie_name=DEFAULT_COOKIE_NAME, http_header=DEFAULT_HTTP_HEADER): + return asgi_csrf_decorator(cookie_name, http_header)(app) + + +def cookies_from_scope(scope): + cookie = dict(scope.get("headers") or {}).get(b"cookie") + if not cookie: + return {} + simple_cookie = SimpleCookie() + simple_cookie.load(cookie.decode("utf8")) + return {key: morsel.value for key, morsel in simple_cookie.items()} + + +allowed_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" + + +def make_secret(length): + return "".join(secrets.choice(allowed_chars) for i in range(length)) diff --git a/setup.py b/setup.py new file mode 100644 index 0000000..a099f8f --- /dev/null +++ b/setup.py @@ -0,0 +1,26 @@ +from setuptools import setup +import os + +VERSION = "0.1a" + + +def get_long_description(): + with open( + os.path.join(os.path.dirname(os.path.abspath(__file__)), "README.md"), + encoding="utf8", + ) as fp: + return fp.read() + + +setup( + name="asgi-csrf", + description="ASGI middleware for protecting against CSRF attacks", + long_description=get_long_description(), + long_description_content_type="text/markdown", + author="Simon Willison", + url="https://github.com/simonw/asgi-csrf", + license="Apache License, Version 2.0", + version=VERSION, + py_modules=["asgi_csrf"], + extras_require={"test": ["pytest", "pytest-asyncio", "httpx",]}, +) diff --git a/test_asgi_csrf.py b/test_asgi_csrf.py new file mode 100644 index 0000000..ac1b66f --- /dev/null +++ b/test_asgi_csrf.py @@ -0,0 +1,92 @@ +from asgi_csrf import asgi_csrf +import httpx +import pytest + +CSRF_TOKEN = "9izX9q37XP9knNNQ" + + +async def hello_world_app(scope, receive, send): + assert scope["type"] == "http" + await send( + { + "type": "http.response.start", + "status": 200, + "headers": [[b"content-type", b"application/json"]], + } + ) + await send({"type": "http.response.body", "body": b'{"hello": "world"}'}) + + +@pytest.mark.asyncio +async def test_hello_world_app(): + async with httpx.AsyncClient(app=hello_world_app) as client: + response = await client.get("http://localhost/") + assert b'{"hello": "world"}' == response.content + + +@pytest.mark.asyncio +async def test_asgi_csrf_sets_cookie(): + async with httpx.AsyncClient(app=asgi_csrf(hello_world_app)) as client: + response = await client.get("http://localhost/") + assert b'{"hello": "world"}' == response.content + assert "csrftoken" in response.cookies + + +@pytest.mark.asyncio +async def test_asgi_csrf_does_not_set_cookie_if_one_sent(): + async with httpx.AsyncClient(app=asgi_csrf(hello_world_app)) as client: + response = await client.get( + "http://localhost/", cookies={"csrftoken": CSRF_TOKEN} + ) + assert b'{"hello": "world"}' == response.content + assert "csrftoken" not in response.cookies + + +@pytest.mark.asyncio +async def test_prevents_post_if_no_cookie(): + async with httpx.AsyncClient(app=asgi_csrf(hello_world_app)) as client: + response = await client.post("http://localhost/") + assert 403 == response.status_code + + +@pytest.mark.asyncio +async def test_prevents_post_if_cookie_not_sent_in_post(): + async with httpx.AsyncClient(app=asgi_csrf(hello_world_app)) as client: + response = await client.post( + "http://localhost/", cookies={"csrftoken": CSRF_TOKEN} + ) + assert 403 == response.status_code + + +@pytest.mark.asyncio +async def test_allows_post_if_cookie_duplicated_in_header(): + async with httpx.AsyncClient(app=asgi_csrf(hello_world_app)) as client: + response = await client.post( + "http://localhost/", + headers={"X-CSRFToken": CSRF_TOKEN}, + cookies={"csrftoken": CSRF_TOKEN}, + ) + assert 200 == response.status_code + + +@pytest.mark.asyncio +async def test_allows_post_if_cookie_duplicated_in_post_data(): + async with httpx.AsyncClient(app=asgi_csrf(hello_world_app)) as client: + response = await client.post( + "http://localhost/", + data={"csrftoken": CSRF_TOKEN}, + cookies={"csrftoken": CSRF_TOKEN}, + ) + assert 200 == response.status_code + + +@pytest.mark.asyncio +async def test_multipart_not_supported(): + async with httpx.AsyncClient(app=asgi_csrf(hello_world_app)) as client: + with pytest.raises(AssertionError): + response = await client.post( + "http://localhost/", + data={"csrftoken": CSRF_TOKEN}, + files={"csv": ("data.csv", "blah,foo\n1,2", "text/csv")}, + cookies={"csrftoken": CSRF_TOKEN}, + )