From 66ef9e6d0c5ecc6a12a697d0e84741464af32369 Mon Sep 17 00:00:00 2001 From: MrGeorgen Date: Sat, 10 Apr 2021 19:27:15 +0200 Subject: [PATCH] csrf protection --- .gitignore | 1 + go.mod | 5 +++-- go.sum | 22 ++++++++++------------ src/api.go | 2 +- src/login.go | 2 +- src/main.go | 19 ++++++++++++++----- src/register.go | 4 ++-- src/util.go | 9 +++++++-- tmpl/register.html | 1 + 9 files changed, 40 insertions(+), 25 deletions(-) diff --git a/.gitignore b/.gitignore index 8135020..7cc0410 100644 --- a/.gitignore +++ b/.gitignore @@ -18,3 +18,4 @@ secrets.json test secrets_test.json +csrf-key diff --git a/go.mod b/go.mod index d1511ad..52f1a89 100644 --- a/go.mod +++ b/go.mod @@ -5,13 +5,14 @@ go 1.14 require ( code.gitea.io/sdk/gitea v0.13.2 github.com/bwmarrin/discordgo v0.23.2 - github.com/cornelk/hashmap v1.0.1 - github.com/dchest/siphash v1.2.2 // indirect github.com/dlclark/regexp2 v1.4.0 github.com/go-sql-driver/mysql v1.5.0 github.com/golang/protobuf v1.4.3 // indirect + github.com/gorilla/csrf v1.7.0 + github.com/gorilla/mux v1.8.0 github.com/gorilla/websocket v1.4.2 // indirect github.com/mattn/go-sqlite3 v1.14.6 + github.com/mitchellh/mapstructure v1.4.1 github.com/zaddok/moodle v0.6.6 golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad golang.org/x/net v0.0.0-20210119194325-5f4716e94777 // indirect diff --git a/go.sum b/go.sum index 527e988..0a3b209 100644 --- a/go.sum +++ b/go.sum 
@@ -6,14 +6,8 @@ github.com/bwmarrin/discordgo v0.23.2 h1:BzrtTktixGHIu9Tt7dEE6diysEF9HWnXeHuoJEt github.com/bwmarrin/discordgo v0.23.2/go.mod h1:c1WtWUGN6nREDmzIpyTp/iD3VYt4Fpx+bVyfBG7JE+M= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= -github.com/cornelk/hashmap v1.0.1 h1:RXGcy29hEdLLV8T6aK4s+BAd4tq4+3Hq50N2GoG0uIg= -github.com/cornelk/hashmap v1.0.1/go.mod h1:8wbysTUDnwJGrPZ1Iwsou3m+An6sldFrJItjRhfegCw= github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/dchest/siphash v1.1.0 h1:1Rs9eTUlZLPBEvV+2sTaM8O0NWn0ppbgqS7p11aWawI= -github.com/dchest/siphash v1.1.0/go.mod h1:q+IRvb2gOSrUnYoPqHiyHXS0FOBBOdl6tONBlVnOnt4= -github.com/dchest/siphash v1.2.2 h1:9DFz8tQwl9pTVt5iok/9zKyzA1Q6bRGiF3HPiEEVr9I= -github.com/dchest/siphash v1.2.2/go.mod h1:q+IRvb2gOSrUnYoPqHiyHXS0FOBBOdl6tONBlVnOnt4= github.com/dlclark/regexp2 v1.4.0 h1:F1rxgk7p4uKjwIQxBs9oAXe5CqrXlCduYEJvrF4u93E= github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 
@@ -23,7 +17,6 @@ github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LB github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.1 h1:YF8+flBXS5eO826T4nzqPrxfhQThhXl0YzfuUPu4SBg= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= @@ -40,7 +33,12 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0 h1:/QaMHBdZ26BB3SSst0Iwl10Epc+xhTquomWX0oZEB6w= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/gorilla/websocket v1.4.0 h1:WDFjx/TMzVgy9VdMMQi2K2Emtwi2QcUQsztZ/zLaH/Q= +github.com/gorilla/csrf v1.7.0 h1:mMPjV5/3Zd460xCavIkppUdvnl5fPXMpv2uz2Zyg7/Y= +github.com/gorilla/csrf v1.7.0/go.mod h1:+a/4tCmqhG6/w4oafeAZ9pEa3/NZOWYVbD9fV0FwIQA= +github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI= +github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= +github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ= +github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= 
@@ -48,6 +46,10 @@ github.com/hashicorp/go-version v1.2.1 h1:zEfKbn2+PDgroKdiOzqiE8rsmLqU2uwi5PB5pB github.com/hashicorp/go-version v1.2.1/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/mattn/go-sqlite3 v1.14.6 h1:dNPt6NO46WmLVt2DLNpwczCmdV5boIZ6g/tlDrlRUbg= github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= +github.com/mitchellh/mapstructure v1.4.1 h1:CpVNEelQCZBooIPDn+AR3NpivK/TIKU8bDxdASFVQag= +github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= @@ -56,7 +58,6 @@ github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJy github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/zaddok/moodle v0.6.6 h1:DQqlOIV9aJVm+jjCPRYuntQgeTafutvLwj5dTMhcx/Y= github.com/zaddok/moodle v0.6.6/go.mod h1:wZJLOprT38gE97uCczwUym6iSGzXWDka069e8VwJ9ro= -golang.org/x/crypto v0.0.0-20181030102418-4d3f4d9ffa16 h1:y6ce7gCWtnH+m3dCjzQ1PCuwl28DDIc3VNnvY29DlIA= golang.org/x/crypto v0.0.0-20181030102418-4d3f4d9ffa16/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad h1:DN0cp81fZ3njFcrLCytUHRSUkqBjfTo4Tx9RJTWs0EY= 
@@ -70,7 +71,6 @@ golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73r golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190603091049-60506f45cf65 h1:+rhAzEzT3f4JtomfC371qB+0Ola2caSKcY69NUBZrRQ= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20210119194325-5f4716e94777 h1:003p0dJM77cxMSyCPFphvZf/Y5/NXf5fzg6ufd1/Oew= golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= @@ -98,7 +98,6 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IV golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.6.6 h1:lMO5rYAqUxkmaj76jAkRUvt5JZgFymx/+Q5Mzfivuhc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= 
@@ -114,7 +113,6 @@ google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQ google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.0 h1:4MY060fB1DLGMB/7MBTLnwQUY6+F09GEiz6SsrNqyzM= google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c= diff --git a/src/api.go b/src/api.go index 9d58d65..400e1c6 100644 --- a/src/api.go +++ b/src/api.go @@ -18,7 +18,7 @@ func accountApi(w http.ResponseWriter, r *http.Request) { var account accountApiResponse var success bool var usernameInter interface{} - usernameInter, success = sessions.GetStringKey(accountKey) + usernameInter, success = sessions.Load(accountKey) account.Username = usernameInter.(string) if !success { http.Error(w, "Error 400 invalid session", 400) diff --git a/src/login.go b/src/login.go index d8d83d4..8c0a2a1 100644 --- a/src/login.go +++ b/src/login.go @@ -47,7 +47,7 @@ func login(w http.ResponseWriter, r *http.Request) { } } if r.Method == http.MethodGet || !login { - runTemplate(w, loginTmpl, loginStruct) + runTemplate(r, w, loginTmpl, loginStruct) } } diff --git a/src/main.go b/src/main.go index 545e93d..b800e1e 100644 --- a/src/main.go +++ b/src/main.go @@ -15,6 +15,8 @@ import ( "regexp" "code.gitea.io/sdk/gitea" "fmt" + "github.com/gorilla/csrf" + "github.com/gorilla/mux" ) var discord *discordgo.Session var secret secrets_json 
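Review bot: In accountApi the single-value assertion `usernameInter.(string)` still runs before the `if !success` check, so a lookup that returns a nil value would panic instead of producing the 400 response; the `success` flag suggests `sessions.Load` can do exactly that. Move the assertion below the check and use the two-value form, e.g. `username, ok := usernameInter.(string)` followed by `if !success || !ok { http.Error(w, "Error 400 invalid session", 400); return }`. The function body continues outside the hunk, so whether a `return` already follows the `http.Error` call is not visible here.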
@@ -94,13 +96,20 @@ func main() { rusername = regexp.MustCompile("^([[:lower:]]|\\d|_|-|\\.){1,40}$") rpassword = regexp2.MustCompile("^(?=.{8,255}$)(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*\\W).*$", 0) stmtCreateAccount, err = db.Prepare("INSERT INTO account(username, email, hash, salt, discordUserId) VALUES(?,?,?,?,?)") - http.HandleFunc("/register", register) - http.HandleFunc("/submit", submit) - http.HandleFunc("/login", login) - http.HandleFunc("/api/accountinfo", accountApi) + csrfKeyfile, err := os.Open("csrf-key") + log(err) + csrfKey, err := ioutil.ReadAll(csrfKeyfile) + log(err) + csrfKeyfile.Close() + csrfHandler := csrf.Protect(csrfKey) + router := mux.NewRouter() + router.HandleFunc("/register", register) + router.HandleFunc("/submit", submit) + router.HandleFunc("/login", login) + router.HandleFunc("/api/accountinfo", accountApi) if(!isTest) { - http.ListenAndServe(":" + fmt.Sprint(config.Port), nil) + http.ListenAndServe(":" + fmt.Sprint(config.Port), csrfHandler(router)) } } diff --git a/src/register.go b/src/register.go index 13d739b..94b0ef8 100644 --- a/src/register.go +++ b/src/register.go @@ -88,7 +88,7 @@ func register(w http.ResponseWriter, r *http.Request) { usernameExitsMap.Store(newAccount.username, nil) discordUserExitsMap.Store(newAccount.discordId, nil) } - registerReturn: runTemplate(w, registerTmpl, registerStruct) + registerReturn: runTemplate(r, w, registerTmpl, registerStruct) } func submit(w http.ResponseWriter, r *http.Request) { var err error @@ -124,7 +124,7 @@ func register(w http.ResponseWriter, r *http.Request) { } } - submitReturn: runTemplate(w, submitTmpl, submitStruct) + submitReturn: runTemplate(r, w, submitTmpl, submitStruct) } func getRbuMember(user string, tag string) (*discordgo.Member, bool) { allUsers, err := discord.GuildMembers(secret.DiscordServerID, "0", 1000) diff --git a/src/util.go b/src/util.go index 5f11dce..9c17853 100644 --- a/src/util.go +++ b/src/util.go 
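Review bot: The CSRF key is handed to `csrf.Protect` in main without checking that it was read successfully or has the expected length. Errors from `os.Open` and `ioutil.ReadAll` only go to `log(err)`, whose body is not shown in this hunk; if it does not abort, a missing `csrf-key` file leaves the server signing tokens with an empty key. gorilla/csrf documents a 32-byte authentication key, and a key file written with a text editor often carries a trailing newline. Consider `csrfKey, err := ioutil.ReadFile("csrf-key")` and refusing to start unless `len(csrfKey) == 32`. The middleware also marks its cookie Secure by default while the server uses plain `http.ListenAndServe`, so unless TLS is terminated in front of it form posts will be rejected; that deployment assumption deserves a comment here.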
@@ -3,6 +3,8 @@ import ( "golang.org/x/crypto/argon2" "net/http" "html/template" + "github.com/gorilla/csrf" + "github.com/mitchellh/mapstructure" ) func log(err error) { @@ -14,8 +16,11 @@ func log(err error) { func hashFunc(password []byte, salt []byte) []byte { return argon2.IDKey(password, salt, 1, 64*1024, 4, 32) } -func runTemplate(w http.ResponseWriter, template *template.Template, templateData interface{}) { +func runTemplate(r *http.Request, w http.ResponseWriter, template *template.Template, templateData interface{}) { + var templateMap map[string]interface{} + mapstructure.Decode(templateData, &templateMap) + templateMap[csrf.TemplateTag] = csrf.TemplateField(r) w.Header().Set("Content-Type", "text/html") - var err error = template.Execute(w, templateData) + var err error = template.Execute(w, templateMap) log(err) } diff --git a/tmpl/register.html b/tmpl/register.html index 619c904..680bda8 100644 --- a/tmpl/register.html +++ b/tmpl/register.html @@ -64,6 +64,7 @@
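Review bot: In runTemplate the result of `mapstructure.Decode` is discarded and `templateMap` starts as a nil map, so when decoding fails or a caller passes nil template data the map can stay nil and `templateMap[csrf.TemplateTag] = ...` panics inside the request handler. Initialise the map and check the error: `templateMap := map[string]interface{}{}` and `if err := mapstructure.Decode(templateData, &templateMap); err != nil { log(err) }`. Flattening the struct to a map also changes what templates can reach (exported fields keyed by name or `mapstructure` tag, no methods). That is worth a doc comment above the function, e.g. `// runTemplate renders the template with templateData flattened to a map plus the CSRF hidden field under csrf.TemplateTag.`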


+ {{ .csrfField }} {{end}}
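Review bot: Only tmpl/register.html gains `{{ .csrfField }}` in this patch, while the diffstat shows no change to the templates rendered by the login and submit handlers, whose routes are also wrapped by the CSRF middleware in src/main.go. If those templates contain POST forms, their submissions will be rejected for lack of a token, so each such form needs the same `{{ .csrfField }}` line inside its `<form>` element. The markup around this hunk is not visible here, so confirm the field sits inside the form it is meant to protect.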