From f628e147cddd5859118390ab964eeec9b0bce91b Mon Sep 17 00:00:00 2001 From: Lukas Metzger Date: Fri, 29 Jan 2016 16:52:23 +0100 Subject: [PATCH] Added csrf protection --- add-domain.php | 2 +- api/add-domain.php | 5 +++++ api/domains.php | 5 +++++ api/edit-master.php | 5 +++++ api/edit-user.php | 5 +++++ api/index.php | 4 +++- api/install.php | 5 +++++ api/password.php | 5 +++++ api/users.php | 5 +++++ domains.php | 1 + edit-master.php | 1 + edit-user.php | 1 + js/add-domain.js | 3 ++- js/domains.js | 7 +++++-- js/edit-master.js | 25 +++++++++++++++++-------- js/edit-user.js | 18 ++++++++++++------ js/password.js | 3 ++- js/users.js | 7 +++++-- password.php | 1 + users.php | 1 + 20 files changed, 87 insertions(+), 22 deletions(-) diff --git a/add-domain.php b/add-domain.php index 17b1552..23cb06f 100644 --- a/add-domain.php +++ b/add-domain.php @@ -97,7 +97,7 @@ limitations under the License. - + ' . $_SESSION['csrfToken'] . ''; ?> diff --git a/api/add-domain.php b/api/add-domain.php index 4643dcd..3b71f20 100644 --- a/api/add-domain.php +++ b/api/add-domain.php @@ -23,6 +23,11 @@ require_once '../lib/soa-mail.php'; $input = json_decode(file_get_contents('php://input')); +if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) { + echo "Permission denied!"; + exit(); +} + if(!isset($_SESSION['type']) || $_SESSION['type'] != "admin") { echo "Permission denied!"; exit(); diff --git a/api/domains.php b/api/domains.php index 25546d6..7071330 100644 --- a/api/domains.php +++ b/api/domains.php @@ -22,6 +22,11 @@ require_once '../lib/session.php'; $input = json_decode(file_get_contents('php://input')); +if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) { + echo "Permission denied!"; + exit(); +} + if(isset($input->action) && $input->action == "getDomains") { $sql = " diff --git a/api/edit-master.php b/api/edit-master.php index e18569b..0a3b7f8 100644 --- a/api/edit-master.php +++ b/api/edit-master.php 
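Review bot: The new guard in api/add-domain.php compares the submitted token to the session token with `!==`, which reads `$_SESSION['csrfToken']` without checking it is set (a notice for any session that predates this change, though the request is still denied) and feeds whatever JSON type arrived into the comparison; the identical block is pasted into api/domains.php, api/edit-master.php, api/edit-user.php, api/install.php, api/password.php and api/users.php. A constant-time comparison that checks both operands first keeps the fail-closed result and drops the notice: `if(!isset($_SESSION['csrfToken'], $input->csrfToken) || !is_string($input->csrfToken) || !hash_equals($_SESSION['csrfToken'], $input->csrfToken)) {`. Since every endpoint already begins with `$input = json_decode(file_get_contents('php://input'));`, a shared helper under lib/ (several of these files already `require_once '../lib/session.php'`) would keep seven copies from drifting apart. A comment such as `// CSRF: token issued at login in api/index.php and rendered into each page as #csrfToken` would help the next reader find where the token comes from.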
@@ -24,6 +24,11 @@ require_once '../lib/update-serial.php'; $input = json_decode(file_get_contents('php://input')); +if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) { + echo "Permission denied!"; + exit(); +} + //Permission check if(isset($input->domain)) { $permquery = $db->prepare("SELECT * FROM permissions WHERE user=? AND domain=?"); diff --git a/api/edit-user.php b/api/edit-user.php index 03eb6a5..a07fa84 100644 --- a/api/edit-user.php +++ b/api/edit-user.php @@ -22,6 +22,11 @@ require_once '../lib/session.php'; $input = json_decode(file_get_contents('php://input')); +if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) { + echo "Permission denied!"; + exit(); +} + if(!isset($_SESSION['type']) || $_SESSION['type'] != "admin") { echo "Permission denied!"; exit(); diff --git a/api/index.php b/api/index.php index 61269b6..4933f6f 100644 --- a/api/index.php +++ b/api/index.php @@ -38,8 +38,10 @@ if (password_verify($input->password, $password)) { $randomSecret = base64_encode(openssl_random_pseudo_bytes(32)); $_SESSION['secret'] = $randomSecret; - setcookie("authSecret", $randomSecret, 0, "/", "", false, true); + + $csrfToken = base64_encode(openssl_random_pseudo_bytes(32)); + $_SESSION['csrfToken'] = $csrfToken; } else { $retval['status'] = "fail"; } diff --git a/api/install.php b/api/install.php index 701b38f..35c1a04 100644 --- a/api/install.php +++ b/api/install.php @@ -24,6 +24,11 @@ if(file_exists("../config/config-user.php")) { //Get input $input = json_decode(file_get_contents('php://input')); +if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) { + echo "Permission denied!"; + exit(); +} + //Database command $sql = " CREATE TABLE IF NOT EXISTS domains ( diff --git a/api/password.php b/api/password.php index 9cfc12b..63c615f 100644 --- a/api/password.php +++ b/api/password.php 
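Review bot: The token on the new `$csrfToken = base64_encode(openssl_random_pseudo_bytes(32));` line is stored without checking that the generator succeeded; `openssl_random_pseudo_bytes()` returns false on failure and reports weak output through its second by-reference argument, and `base64_encode(false)` yields an empty string that would then be saved as the session's CSRF token. Treat a failed generator as a failed login, e.g. `$csrfToken = base64_encode(openssl_random_pseudo_bytes(32, $strong));` and deny when `$csrfToken === '' || !$strong`, or use `random_bytes(32)` where PHP 7 is available, which throws instead. The pre-existing `$randomSecret` line just above has the same pattern. This hunk has lost its line breaks in this rendering, so whether `setcookie("authSecret", ...)` is removed or kept as context cannot be read here; if it is really removed, the login no longer issues the auth cookie.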
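Review bot: Requiring `$input->csrfToken === $_SESSION['csrfToken']` in api/install.php will reject every install request, because the only place this commit sets that session key is the login handler in api/index.php, and the diffstat lists no change to the install page or its script that would render or send a token. The installer needs its own token issuance — set `$_SESSION['csrfToken']` from the same random source when the install page is rendered and have its script submit it — or the guard here should rely on the existing `if(file_exists("../config/config-user.php"))` check, which already blocks the endpoint once installation has completed. Whether a session is even started in this file is not visible in the hunk.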
@@ -22,6 +22,11 @@ require_once '../lib/session.php';
 $input = json_decode(file_get_contents('php://input'));
+if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) {
+ echo "Permission denied!";
+ exit();
+}
+
 if(isset($input->action) && $input->action == "changePassword") {
 $passwordHash = password_hash($input->password, PASSWORD_DEFAULT);
diff --git a/api/users.php b/api/users.php
index 7088dc6..8de5ec8 100644
--- a/api/users.php
+++ b/api/users.php
@@ -22,6 +22,11 @@ require_once '../lib/session.php';
 $input = json_decode(file_get_contents('php://input'));
+if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) {
+ echo "Permission denied!";
+ exit();
+}
+
 if(!isset($_SESSION['type']) || $_SESSION['type'] != "admin") {
 echo "Permission denied!";
 exit();
diff --git a/domains.php b/domains.php
index 26f8760..de606dd 100644
--- a/domains.php
+++ b/domains.php
@@ -101,5 +101,6 @@ limitations under the License.
+ ' . $_SESSION['csrfToken'] . ''; ?>
diff --git a/edit-master.php b/edit-master.php
index 0a9b361..0456d43 100644
--- a/edit-master.php
+++ b/edit-master.php
@@ -160,6 +160,7 @@ limitations under the License.
+ ' . $_SESSION['csrfToken'] . ''; ?>
diff --git a/edit-user.php b/edit-user.php
index 4219c60..8f68526 100644
--- a/edit-user.php
+++ b/edit-user.php
@@ -100,6 +100,7 @@ limitations under the License.
+ ' . $_SESSION['csrfToken'] . ''; ?>
diff --git a/js/add-domain.js b/js/add-domain.js
index 49cd722..8feb1d8 100644
--- a/js/add-domain.js
+++ b/js/add-domain.js
@@ -62,7 +62,8 @@ function saveData(callback) {
 retry: $('#zone-retry').val(),
 expire: $('#zone-expire').val(),
 ttl: $('#zone-ttl').val(),
- action: "addDomain"
+ action: "addDomain",
+ csrfToken: $('#csrfToken').text()
 };
 $.post(
diff --git a/js/domains.js b/js/domains.js
index 039944e..697b32d 100644
--- a/js/domains.js
+++ b/js/domains.js
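Review bot: `csrfToken: $('#csrfToken').text()` is now repeated in every request literal in js/add-domain.js, js/domains.js, js/edit-master.js, js/edit-user.js, js/password.js and js/users.js, so a missing or renamed element silently sends an empty token and each endpoint answers with the plain-text body `Permission denied!`, which the existing success callbacks are unlikely to expect. A single helper — `function csrfToken() { return $('#csrfToken').text(); }` used as `csrfToken: csrfToken()` — keeps the lookup in one place and gives one spot to fail loudly when the element is absent. `saveData(callback)`, the function this hunk patches, starts and ends outside the hunk.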
@@ -54,7 +54,9 @@ $(document).ready(function() {
 });
 function requestData() {
- var restrictions = {};
+ var restrictions = {
+ csrfToken: $('#csrfToken').text()
+ };
 restrictions.sort = sort;
@@ -128,7 +130,8 @@ function deleteDomain() {
 function deleteDomainWithId(id, callback) {
 var data = {
 action: "deleteDomain",
- id: id
+ id: id,
+ csrfToken: $('#csrfToken').text()
 };
 $.post(
diff --git a/js/edit-master.js b/js/edit-master.js
index a6c0660..2a34472 100644
--- a/js/edit-master.js
+++ b/js/edit-master.js
@@ -124,7 +124,9 @@ function recreateTable(data) {
 }
 function requestRecordData() {
- var restrictions = {};
+ var restrictions = {
+ csrfToken: $('#csrfToken').text()
+ };
 restrictions.sort = sort;
@@ -159,7 +161,8 @@ function requestRecordData() {
 function requestSoaData() {
 var data = {
- action: "getSoa"
+ action: "getSoa",
+ csrfToken: $('#csrfToken').text()
 };
 data.domain = location.hash.substring(1);
@@ -181,7 +184,8 @@ function requestSoaData() {
 function requestSerial() {
 var data = {
- action: "getSerial"
+ action: "getSerial",
+ csrfToken: $('#csrfToken').text()
 };
 data.domain = location.hash.substring(1);
@@ -198,7 +202,8 @@ function requestSerial() {
 function saveSoaData() {
 var data = {
- action: "saveSoa"
+ action: "saveSoa",
+ csrfToken: $('#csrfToken').text()
 };
 data.domain = location.hash.substring(1);
@@ -268,7 +273,8 @@ function saveRecord() {
 prio: tableRow.children('td').eq(4).children('input').val(),
 ttl: tableRow.children('td').eq(5).children('input').val(),
 action: "saveRecord",
- domain: location.hash.substring(1)
+ domain: location.hash.substring(1),
+ csrfToken: $('#csrfToken').text()
 };
 tableRow.children('td').eq(0).empty().text(data.id);
@@ -309,7 +315,8 @@ function addRecord() {
 prio: $('#addPrio').val(),
 ttl: $('#addTtl').val(),
 action: "addRecord",
- domain: location.hash.substring(1)
+ domain: location.hash.substring(1),
+ csrfToken: $('#csrfToken').text()
 };
 $.post(
@@ -344,7 +351,8 @@ function trashClicked() {
 var data = {
 id: $(this).parent().parent().children().eq(0).text(),
 domain: location.hash.substring(1),
- action: "removeRecord"
+ action: "removeRecord",
+ csrfToken: $('#csrfToken').text()
 };
 var lineAffected = $(this).parent().parent();
@@ -363,7 +371,8 @@ function trashClicked() {
 function requestDomainName() {
 var data = {
 action: "getDomainName",
- domain: location.hash.substring(1)
+ domain: location.hash.substring(1),
+ csrfToken: $('#csrfToken').text()
 };
 $.post(
diff --git a/js/edit-user.js b/js/edit-user.js
index 0d6d061..9c42fd6 100644
--- a/js/edit-user.js
+++ b/js/edit-user.js
@@ -111,7 +111,8 @@ function addUser() {
 name: $('#user-name').val(),
 password: $('#user-password').val(),
 type: $('#user-type').val(),
- action: "addUser"
+ action: "addUser",
+ csrfToken: $('#csrfToken').text()
 };
 $.post(
@@ -128,7 +129,8 @@ function addUser() {
 function getUserData() {
 var data = {
 id: location.hash.substring(1),
- action: "getUserData"
+ action: "getUserData",
+ csrfToken: $('#csrfToken').text()
 };
 $.post(
@@ -147,7 +149,8 @@ function saveUserChanges() {
 id: location.hash.substring(1),
 name: $('#user-name').val(),
 type: $('#user-type').val(),
- action: "saveUserChanges"
+ action: "saveUserChanges",
+ csrfToken: $('#csrfToken').text()
 };
 if($('#user-password').val().length > 0) {
@@ -165,7 +168,8 @@ function saveUserChanges() {
 function requestPermissions() {
 var data = {
 id: location.hash.substring(1),
- action: "getPermissions"
+ action: "getPermissions",
+ csrfToken: $('#csrfToken').text()
 };
 $.post(
@@ -195,7 +199,8 @@ function removePermission() {
 var data = {
 domainId: $(this).parent().parent().data("id"),
 userId: location.hash.substring(1),
- action: "removePermission"
+ action: "removePermission",
+ csrfToken: $('#csrfToken').text()
 };
 var lineToRemove = $(this).parent().parent();
@@ -214,7 +219,8 @@ function addPermissions() {
 var data = {
 action: "addPermissions",
 userId: location.hash.substring(1),
- domains: $('#permissions select#selectAdd').val()
+ domains: $('#permissions select#selectAdd').val(),
+ csrfToken: $('#csrfToken').text()
 }
 $.post(
diff --git a/js/password.js b/js/password.js
index 3e197e2..14e16ce 100644
--- a/js/password.js
+++ b/js/password.js
@@ -46,7 +46,8 @@ function savePassword() {
 var data = {
 password: $('#user-password').val(),
- action: "changePassword"
+ action: "changePassword",
+ csrfToken: $('#csrfToken').text()
 };
 $.post(
diff --git a/js/users.js b/js/users.js
index 80617f8..3b5ff19 100644
--- a/js/users.js
+++ b/js/users.js
@@ -54,7 +54,9 @@ $(document).ready(function() {
 });
 function requestData() {
- var restrictions = {};
+ var restrictions = {
+ csrfToken: $('#csrfToken').text()
+ };
 restrictions.sort = sort;
@@ -123,7 +125,8 @@ function deleteDomain() {
 function deleteUserWithId(id, callback) {
 var data = {
 action: "deleteUser",
- id: id
+ id: id,
+ csrfToken: $('#csrfToken').text()
 };
 $.post(
diff --git a/password.php b/password.php
index 2ca9139..1d60501 100644
--- a/password.php
+++ b/password.php
@@ -74,6 +74,7 @@ limitations under the License.
+ ' . $_SESSION['csrfToken'] . ''; ?>
diff --git a/users.php b/users.php
index 8509cfb..3dab1d8 100644
--- a/users.php
+++ b/users.php
@@ -101,5 +101,6 @@ limitations under the License.
+ ' . $_SESSION['csrfToken'] . ''; ?>