Code Vault

xaizek / rocketgit (License: AGPLv3+) (since 2018-12-09)

Light and fast Git hosting solution suitable to serve both as a hub or as a personal code storage with its tickets, pull requests, API and much more.

Clone URLs: https://code.reversed.top/user/xaizek/rocketgit ssh://rocketgit@code.reversed.top/user/xaizek/rocketgit

<root> / tests / http_csrf.php (7ccd9b5fbf533ac639102229773865ed3047ecca) (2,578B) (mode 100644) [raw]

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91

<?php
error_reporting(E_ALL | E_STRICT);
ini_set("track_errors", "On");

$rg_cache_debug = TRUE;

$INC = dirname(__FILE__) . "/../inc";
require_once(dirname(__FILE__) . "/config.php");
require_once($INC . "/init.inc.php");
require_once($INC . "/util.inc.php");
require_once("http.inc.php");

rg_log_set_file("http_csrf.log");

$rg_sql = "host=localhost user=rocketgit dbname=rocketgit connect_timeout=10";
$rg_no_db = TRUE;
require_once("common.php");

$rg_cache_enable = TRUE;

$now = time();

$r = test_login($test_url, $good_sid);
if ($r === FALSE) {
	rg_log("Cannot login!");
	exit(1);
}

rg_log("Loading suggestion form (ua test)");
test_set_ua("user-agent-1");
test_set_referer($test_url);
$data = array();
$headers = array("Cookie: sid=" . $good_sid);
$r = do_req($test_url . "/op/suggestion?t=load_suggestion_form_ua", $data, $headers);
if (!stristr($r['body'], "action=\"/op/suggestion\"")) {
	file_put_contents("http_csrf.log", $r);
	rg_log_ml("Cannot load form!");
	exit(1);
}
$good_token = $r['token'];

rg_log("Try posting with different user-agent: should not work");
test_set_ua("user-agent-2");
$data = array(
	"doit" => 1,
	"token" => $good_token,
	"suggestion" => "bla bla bla"
	);
$headers = array("Cookie: sid=" . $good_sid);
$r = do_req($test_url . "/op/suggestion?t=post_suggestion_form_diff_ua", $data, $headers);
if (!stristr($r['body'], "invalid token")) {
	file_put_contents("http_csrf.log", $r['body']);
	rg_log_ml("Seems I could add a suggestion bypassing CSRF"
		. " protection based on user-agent!");
	exit(1);
}


rg_log("Loading suggestion form (referer test)");
test_set_ua("user-agent-1");
test_set_referer($test_url);
$data = array();
$headers = array("Cookie: sid=" . $good_sid);
$r = do_req($test_url . "/op/suggestion?t=load_suggestion_form_referer", $data, $headers);
if (!stristr($r['body'], "action=\"/op/suggestion\"")) {
	file_put_contents("http_csrf.log", $r);
	rg_log_ml("Cannot load form!");
	exit(1);
}
$good_token = $r['token'];

rg_log("Try posting with different referer: should not work");
test_set_ua("user-agent-1");
test_set_referer("http://attacker.com:4000/bla");
$data = array(
	"doit" => 1,
	"token" => $good_token,
	"suggestion" => "bla bla bla"
	);
$headers = array("Cookie: sid=" . $good_sid);
$r = do_req($test_url . "/op/suggestion?t=post_suggestion_form_diff_referer", $data, $headers);
if (!stristr($r['body'], "invalid referer")) {
	file_put_contents("http_csrf.log", $r['body']);
	rg_log_ml("Seems I could add a suggestion bypassing CSRF"
		. " protection based on referer!");
	exit(1);
}


rg_log("Done!");
?>

Hints

Before first commit, do not forget to setup your git environment:

git config --global user.name "your_name_here"
git config --global user.email "your@email_here"

Clone this repository using HTTP(S):

git clone https://code.reversed.top/user/xaizek/rocketgit

Clone this repository using ssh (do not forget to upload a key first):

git clone ssh://rocketgit@code.reversed.top/user/xaizek/rocketgit

You are allowed to anonymously push to this repository.
This means that your pushed commits will automatically be transformed into a pull request:

... clone the repository ...
... make some changes and some commits ...
git push origin master