Initial commit

.formatter.exs

@@ -0,0 +1,4 @@
+# Used by "mix format"
+[
+  inputs: ["{mix,.formatter}.exs", "{config,lib,test}/**/*.{ex,exs}"]
+]

.gitignore

@@ -0,0 +1,8 @@
+/*.ez
+/.fetch
+/_build/
+/cover/
+/deps/
+/doc/
+/erl_crash.dump
+/ex_verify_origin-*.tar

.travis.yml

@@ -0,0 +1,10 @@
+language: elixir
+
+sudo: false
+
+otp_release: "22.0"
+elixir: "1.9"
+
+script:
+  - mix format --check-formatted
+  - mix test

CHANGELOG.md

@@ -0,0 +1,7 @@
+# Changelog
+
+All notable changes to `ex_verify_origin` will be documented in this file.
+
+## v1.0.0 (2020-03-06)
+
+- initial release

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) The Webstronauts <[email protected]>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,49 @@
+# ex_verify_origin
+
+[![Build Status](https://img.shields.io/travis/com/webstronauts/ex_verify_origin/master.svg?style=flat-square)](https://travis-ci.com/webstronauts/ex_verify_origin)
+[![Hex.pm](https://img.shields.io/hexpm/v/ex_verify_origin.svg?style=flat-square)](https://hex.pm/packages/ex_verify_origin)
+
+A Plug adapter to protect from CSRF attacks by verifying the `Origin` header.
+
+## Installation
+
+To use VerifyOrigin, you can add it to your application's dependencies.
+
+```elixir
+def deps do
+  [
+    {:ex_verify_origin, "~> 0.1.0"}
+  ]
+end
+```
+
+## Usage
+
+You can use the plug within your pipeline.
+
+```elixir
+defmodule MyApp.Endpoint do
+  plug Logger
+  plug VerifyOrigin
+  plug MyApp.Router
+end
+```
+
+To find out more, head to the [online documentation]([https://hexdocs.pm/ex_verify_origin).
+
+## Changelog
+
+Please see [CHANGELOG](CHANGELOG.md) for more information on what has changed recently.
+
+## Contributing
+
+Clone the repository and run `mix test`. To generate docs, run `mix docs`.
+
+## Credits
+
+- [Robin van der Vleuten](https://github.com/robinvdvleuten)
+- [All Contributors](../../contributors)
+
+## License
+
+The MIT License (MIT). Please see [License File](LICENSE) for more information.

lib/verify_origin.ex

@@ -0,0 +1,72 @@
+defmodule VerifyOrigin do
+  @moduledoc """
+  A Plug adapter to protect from CSRF attacks by verifying the `Origin` header.
+
+  ## Options
+    * `:origin` - The origin of the server - requests from this origin will always proceed. Defaults to the default hostname configured for your application's endpoint.
+    * `:strict` - Whether to reject requests that lack an Origin header. Defaults to `true`.
+    * `:allow_safe` - Whether to enforce the strict mode for safe requests (GET, HEAD). Defaults to `true`.
+    * `:fallback_to_referer` - If the Origin header is missing, fill it with the origin part of the Referer. Defaults to `false`.
+  """
+
+  import Plug.Conn
+
+  @safe_methods ["GET", "HEAD"]
+
+  def init(opts \\ []) do
+    origin = Keyword.get(opts, :origin)
+    strict = Keyword.get(opts, :strict, true)
+    allow_safe = Keyword.get(opts, :allow_safe, true)
+    fallback_to_referer = Keyword.get(opts, :fallback_to_referer, false)
+
+    %{
+      origin: origin,
+      strict: strict,
+      allow_safe: allow_safe,
+      fallback_to_referer: fallback_to_referer
+    }
+  end
+
+  def call(conn, config = %{origin: nil}) do
+    current_origin =
+      conn
+      |> Phoenix.Controller.current_url()
+      |> URI.parse()
+      |> Map.put(:path, nil)
+      |> to_string()
+
+    call(conn, %{config | origin: current_origin})
+  end
+
+  def call(conn, config) do
+    %{origin: allowed_origin, strict: strict, allow_safe: allow_safe} = config
+
+    origin =
+      conn
+      |> get_req_header("origin")
+      |> fallback_to_referrer(conn, config)
+      |> List.first()
+
+    cond do
+      origin == nil && !strict ->
+        conn
+
+      origin == nil && allow_safe && conn.method in @safe_methods ->
+        conn
+
+      origin == allowed_origin ->
+        conn
+
+      true ->
+        conn
+        |> send_resp(403, "")
+        |> halt()
+    end
+  end
+
+  defp fallback_to_referrer([], conn, %{fallback_to_referer: true}) do
+    get_req_header(conn, "referer")
+  end
+
+  defp fallback_to_referrer(origin, conn, opts), do: origin
+end

mix.exs

@@ -0,0 +1,49 @@
+defmodule VerifyOrigin.MixProject do
+  use Mix.Project
+
+  @version "1.0.0"
+  @description "Plug adapter to protect from CSRF attacks by verifying the `Origin` header."
+
+  def project do
+    [
+      app: :ex_verify_origin,
+      version: @version,
+      elixir: "~> 1.9",
+      deps: deps(),
+
+      # Hex
+      package: package(),
+      description: @description,
+
+      # Docs
+      name: "VerifyOrigin",
+      docs: [
+        main: "VerifyOrigin",
+        source_ref: "v#{@version}",
+        source_url: "https://github.com/webstronauts/ex_verify_origin"
+      ]
+    ]
+  end
+
+  def application do
+    [
+      extra_applications: [:logger, :plug]
+    ]
+  end
+
+  defp deps do
+    [
+      {:ex_doc, "~> 0.15", only: :dev},
+      {:phoenix, "~> 1.4"},
+      {:plug, "~> 1.8"}
+    ]
+  end
+
+  defp package() do
+    [
+      maintainers: ["Robin van der Vleuten"],
+      licenses: ["MIT"],
+      links: %{"GitHub" => "https://github.com/webstronauts/ex_verify_origin"}
+    ]
+  end
+end

mix.lock

@@ -0,0 +1,13 @@
+%{
+  "earmark": {:hex, :earmark, "1.4.3", "364ca2e9710f6bff494117dbbd53880d84bebb692dafc3a78eb50aa3183f2bfd", [:mix], [], "hexpm"},
+  "ex_doc": {:hex, :ex_doc, "0.21.3", "857ec876b35a587c5d9148a2512e952e24c24345552259464b98bfbb883c7b42", [:mix], [{:earmark, "~> 1.4", [hex: :earmark, repo: "hexpm", optional: false]}, {:makeup_elixir, "~> 0.14", [hex: :makeup_elixir, repo: "hexpm", optional: false]}], "hexpm"},
+  "makeup": {:hex, :makeup, "1.0.0", "671df94cf5a594b739ce03b0d0316aa64312cee2574b6a44becb83cd90fb05dc", [:mix], [{:nimble_parsec, "~> 0.5.0", [hex: :nimble_parsec, repo: "hexpm", optional: false]}], "hexpm"},
+  "makeup_elixir": {:hex, :makeup_elixir, "0.14.0", "cf8b7c66ad1cff4c14679698d532f0b5d45a3968ffbcbfd590339cb57742f1ae", [:mix], [{:makeup, "~> 1.0", [hex: :makeup, repo: "hexpm", optional: false]}], "hexpm"},
+  "mime": {:hex, :mime, "1.3.1", "30ce04ab3175b6ad0bdce0035cba77bba68b813d523d1aac73d9781b4d193cf8", [:mix], [], "hexpm"},
+  "nimble_parsec": {:hex, :nimble_parsec, "0.5.3", "def21c10a9ed70ce22754fdeea0810dafd53c2db3219a0cd54cf5526377af1c6", [:mix], [], "hexpm"},
+  "phoenix": {:hex, :phoenix, "1.4.15", "5c39c330f46a33d752c6feceb25629ee8e62a158b997fea62bca59a59b28e3ea", [:mix], [{:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:phoenix_pubsub, "~> 1.1", [hex: :phoenix_pubsub, repo: "hexpm", optional: false]}, {:plug, "~> 1.8.1 or ~> 1.9", [hex: :plug, repo: "hexpm", optional: false]}, {:plug_cowboy, "~> 1.0 or ~> 2.0", [hex: :plug_cowboy, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm"},
+  "phoenix_pubsub": {:hex, :phoenix_pubsub, "1.1.2", "496c303bdf1b2e98a9d26e89af5bba3ab487ba3a3735f74bf1f4064d2a845a3e", [:mix], [], "hexpm"},
+  "plug": {:hex, :plug, "1.9.0", "8d7c4e26962283ff9f8f3347bd73838e2413fbc38b7bb5467d5924f68f3a5a4a", [:mix], [{:mime, "~> 1.0", [hex: :mime, repo: "hexpm", optional: false]}, {:plug_crypto, "~> 1.0", [hex: :plug_crypto, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4", [hex: :telemetry, repo: "hexpm", optional: true]}], "hexpm"},
+  "plug_crypto": {:hex, :plug_crypto, "1.1.2", "bdd187572cc26dbd95b87136290425f2b580a116d3fb1f564216918c9730d227", [:mix], [], "hexpm"},
+  "telemetry": {:hex, :telemetry, "0.4.1", "ae2718484892448a24470e6aa341bc847c3277bfb8d4e9289f7474d752c09c7f", [:rebar3], [], "hexpm"},
+}

test/test_helper.exs

@@ -0,0 +1 @@
+ExUnit.start()

test/verify_origin_test.exs

@@ -0,0 +1,107 @@
+defmodule VerifyOriginTest do
+  use ExUnit.Case, async: true
+  use Plug.Test
+
+  def url(), do: "https://example.com"
+  def origin(), do: "https://example.com"
+
+  def build_conn_for_path(path, method \\ :get) do
+    conn(method, path)
+    |> put_private(:phoenix_endpoint, __MODULE__)
+    |> put_private(:phoenix_router, __MODULE__)
+  end
+
+  test "allows same-origin request for safe requests" do
+    conn =
+      build_conn_for_path("/foo")
+      |> put_req_header("origin", origin())
+      |> VerifyOrigin.call(VerifyOrigin.init())
+
+    refute conn.halted
+  end
+
+  test "allows same-origin requests for unsafe requests" do
+    conn =
+      build_conn_for_path("/foo", :post)
+      |> put_req_header("origin", origin())
+      |> VerifyOrigin.call(VerifyOrigin.init())
+
+    refute conn.halted
+  end
+
+  test "halts cross-origin requests for safe requests" do
+    conn =
+      build_conn_for_path("/foo")
+      |> put_req_header("origin", "https://evil.com")
+      |> VerifyOrigin.call(VerifyOrigin.init())
+
+    assert conn.halted
+  end
+
+  test "halts cross-origin requests for unsafe requests" do
+    conn =
+      build_conn_for_path("/foo")
+      |> put_req_header("origin", "https://evil.com")
+      |> VerifyOrigin.call(VerifyOrigin.init())
+
+    assert conn.halted
+  end
+
+  test "allows request for safe requests without origin" do
+    conn =
+      build_conn_for_path("/foo")
+      |> VerifyOrigin.call(VerifyOrigin.init())
+
+    refute conn.halted
+  end
+
+  test "allows request for safe requests without origin when not strict" do
+    conn =
+      build_conn_for_path("/foo")
+      |> VerifyOrigin.call(VerifyOrigin.init(strict: false))
+
+    refute conn.halted
+  end
+
+  test "halts request for safe requests without origin when safe not allowed" do
+    conn =
+      build_conn_for_path("/foo")
+      |> VerifyOrigin.call(VerifyOrigin.init(allow_safe: false))
+
+    assert conn.halted
+  end
+
+  test "falls back to referer for safe requests without origin" do
+    conn =
+      build_conn_for_path("/foo")
+      |> put_req_header("referer", origin())
+      |> VerifyOrigin.call(VerifyOrigin.init(fallback_to_referer: true))
+
+    refute conn.halted
+  end
+
+  test "halts request for unsafe requests without origin" do
+    conn =
+      build_conn_for_path("/foo", :post)
+      |> VerifyOrigin.call(VerifyOrigin.init())
+
+    assert conn.halted
+  end
+
+  test "allows request for unsafe requests without origin when not strict" do
+    conn =
+      build_conn_for_path("/foo", :post)
+      |> VerifyOrigin.call(VerifyOrigin.init(strict: false))
+
+    refute conn.halted
+  end
+
+  test "falls back to referer for unsafe requests without origin" do
+    conn =
+      build_conn_for_path("/foo", :post)
+      |> put_req_header("referer", origin())
+      |> VerifyOrigin.call(VerifyOrigin.init(fallback_to_referer: true))
+
+    refute conn.halted
+  end
+end