81 Commits

Author SHA1 Message Date
René
abf8f324d6 prepare version v2.52.5 2024-06-26 11:05:26 +02:00
Jason McNeil
7926e5bf4d
Merge pull request from GHSA-98j2-3j3p-fw2v
* fix: token injection vulnerability GHSA-98j2-3j3p-fw2v

- Ensure session IDs are securely generated server-side.
- Add validation to prevent user-supplied session IDs.
- Update tests to verify correct session token use.

This update addresses the critical session middleware vulnerability identified in versions 2 and above of GoFiber.

* test(middleware/csrf): Save session after generating new session ID

This commit saves the session after generating a new session ID to ensure that the updated session ID is persisted. This change is necessary to address a critical session middleware vulnerability identified in versions 2 and above of GoFiber.

* chore: Save session ID in context for middleware chain

The code changes add functionality to save the newly generated session ID in the context, allowing it to be accessible to subsequent middlewares in the chain. This improvement ensures that the session ID is available for use throughout the middleware stack.

* test: Fix session freshness check in session_test

The code changes in `session_test.go` fix the session freshness check by updating the assertions for `sess.Fresh()` and `sess.ID()`. The previous assertions were incorrect and have been corrected to ensure the session ID remains the same and the session is not fresh.

* refactor(session.go): general clean-up

* chore: Revert session freshness behavior

The code changes in `session_test.go` fix the session freshness check by updating the assertions for `sess.Fresh()` and `sess.ID()`. The previous assertions were incorrect and have been corrected to ensure the session ID remains the same and the session is not fresh.
2024-06-26 09:17:41 +02:00
Jason McNeil
ba10e68d01
test(middleware/csrf): Fix Benchmark Tests (#2932)
* test(middleware/csrf): fix Benchmark_Middleware_CSRF_*

* fix(middleware/csrf): update refererMatchesHost()
2024-03-25 15:30:20 +01:00
Benjamin Grosse
b1850834a3
fix: don't constrain middlewares' context-keys to strings 🐛 (#2751)
* Revert "Revert "🐛 requestid.Config.ContextKey is interface{} (#2369)" (#2742)"

This reverts commit 28be17f929cfa7d3c27dd292fc3956f2f9882e22.

* fix: request ContextKey default value condition

Should check for `nil` since it is `any`.

* fix: don't constrain middlewares' context-keys to strings

`context` recommends using "unexported type" as context keys to avoid
collisions https://pkg.go.dev/github.com/gofiber/fiber/v2#Ctx.Locals.

The official go blog also recommends this https://go.dev/blog/context.

`fiber.Ctx.Locals(key any, value any)` correctly allows consumers to
use unexported types or e.g. strings.

But some fiber middlewares constrain their context-keys to `string` in
their "default config structs", making it impossible to use unexported
types.

This PR removes the `string` _constraint_ from all middlewares, allowing
to now use unexported types as per the official guidelines. However
the default value is still a string, so it's not a breaking change, and
anyone still using strings as context keys is not affected.
2023-12-12 14:55:29 +01:00
nickajacks1
eeced206ed
test: Fix failing CSRF tests (#2720)
 test: fix failing csrf test

A test validating that expired tokens fail was hitting a race condition
with garbage collection. Sometimes, an assertion that expects memory
storage GC to have triggered happens too quickly, causing the assertion
to fail. Give the GC a little bit more time to process before asserting.
2023-11-22 19:21:30 +01:00
Jason McNeil
2374cad3cd
📄 docs: improve csrf docs (#2726)
* docs: improve csrf docs

- fix issues with `X-Csrf-Token` capitalization inconsistency.
- reduce redundancy and repetition.
- improve grammar.

* docs: update middleware description

* docs: within vs in

* docs: deleting tokens

* docs: MUST

* docs: add colon

* docs: all modern browsers

* docs: patterns

* docs: improve phrasing of pattern options
2023-11-16 12:34:31 +01:00
Jason McNeil
8c3916dbf4
Merge pull request from GHSA-94w9-97p3-p368
* feat: improved csrf with session support

* fix: double submit cookie

* feat: add warning cookie extractor without session

* feat: add warning CsrfFromCookie SameSite

* fix: use byes.Equal instead

* fix: Overriden CookieName KeyLookup cookie:<name>

* feat: Create helpers.go

* feat: use compareTokens (constant time compare)

* feat: validate cookie to prevent token injection

* refactor: clean up csrf.go

* docs: update comment about Double Submit Cookie

* docs: update docs for CSRF changes

* feat: add DeleteToken

* refactor: no else

* test: add more tests

* refactor: re-order tests

* docs: update safe methods RCF add note

* test: add CSRF_Cookie_Injection_Exploit

* feat: add SingleUseToken config

* test: check for new token

* docs: use warning

* fix: always register type Token

* feat: use UUIDv4

* test: swap in UUIDv4 here too

* fix: raw token injection

* fix: merege error

* feat: Sentinel errors

* chore: rename test

* fix: url parse

* test: add path to referer

* test: add expiration tests

* docs: add cookie prefix note

* docs: fix typo

* docs: add warning for refer checks

* test: add referer edge cases

And call ctx.Request.Reset() and
ctx.Response.Reset() before re-using ctx.
2023-10-16 09:06:30 +02:00
René Werner
bb90fc1187 fix lint errors 2023-10-11 15:16:35 +02:00
Jason McNeil
b50d91d58e
Merge pull request from GHSA-94w9-97p3-p368
* feat: improved csrf with session support

* fix: double submit cookie

* feat: add warning cookie extractor without session

* feat: add warning CsrfFromCookie SameSite

* fix: use byes.Equal instead

* fix: Overriden CookieName KeyLookup cookie:<name>

* feat: Create helpers.go

* feat: use compareTokens (constant time compare)

* feat: validate cookie to prevent token injection

* refactor: clean up csrf.go

* docs: update comment about Double Submit Cookie

* docs: update docs for CSRF changes

* feat: add DeleteToken

* refactor: no else

* test: add more tests

* refactor: re-order tests

* docs: update safe methods RCF add note

* test: add CSRF_Cookie_Injection_Exploit

* feat: add SingleUseToken config

* test: check for new token

* docs: use warning

* fix: always register type Token

* feat: use UUIDv4

* test: swap in UUIDv4 here too
2023-10-11 14:41:42 +02:00
Jiun Lee
fefc533834
🚀 Add Logger interface and fiberlog (#2499)
* add log for fiber

* replace log in fiber

* add Log use to adapt for log libraries

* Update app.go

Co-authored-by: Tomás Warynyca <41587659+tomaswarynyca@users.noreply.github.com>

* wip: add log docs

* add WithLogger use to print key and value

* remove CtxLogger and add WithContext use to bind Context

* fix errcheck

* fix errcheck

* update log.md

---------

Co-authored-by: Tomás Warynyca <41587659+tomaswarynyca@users.noreply.github.com>
2023-06-26 08:16:57 +02:00
RW
3a7dbd0b48
🚀 Consistent way of logging and fix middleware log format #2432 (#2444)
- change log patter
2023-05-01 18:52:30 +02:00
Kousik Mitra
a59d9bac59
🚀 Consistent way of logging and fix middleware log format (#2432)
* 🚀 Replace fmt.Print* with log.Print* (#2402)

* 🚀 Fix middleware logging format (#2402)
2023-05-01 10:01:27 +02:00
Muhammed Efe Çetin
15e9235383
📝 docs: remove README.mds from middleware dirs 2023-03-06 16:42:35 +03:00
leonklingele
ac4ce21d9c
🐛 Bug: Fix issues introduced in linting PR (#2319)
* internal: revert linting changes

Changes to the internal package should not have been made in 167a8b5e9421e0ab51fbf44c5621632f4a1a90c5.

* middleware/monitor: revert changes to exported field "ChartJSURL"

This is a breaking change introduced in 167a8b5e9421e0ab51fbf44c5621632f4a1a90c5.

* middleware/monitor: fix error checking

Fix the errorenous error checking introduced in 167a8b5e9421e0ab51fbf44c5621632f4a1a90c5.

* 🐛 Bug: Fix issues introduced in linting PR #2319

* 🐛 Bug: Fix issues introduced in linting PR #2319

* Bug: Fix issues introduced in linting PR #2319

---------

Co-authored-by: René Werner <rene@gofiber.io>
2023-02-02 15:57:40 +01:00
leonklingele
167a8b5e94
🚀 Feature: Add and apply more stricter golangci-lint linting rules (#2286)
* golangci-lint: add and apply more stricter linting rules

* github: drop security workflow now that we use gosec linter inside golangci-lint

* github: use official golangci-lint CI linter

* Add editorconfig and gitattributes file
2023-01-27 09:01:37 +01:00
M. Efe Çetin
5406560033
🧹 chore: make most tests parallel (#2299)
* 🧹 chore: make most tests parallel

* revert some tests

* revert some tests

* revert some tests
2023-01-15 23:21:37 +08:00
RW
ec96d161a0
Fix csrf middleware behavior with header key lookup (#2063)
* 🐛 [Bug]: Strange CSRF middleware behavior with header KeyLookup configuration #2045
2022-08-30 14:48:31 +02:00
Jason McNeil
6272d759eb
🚀 [Feature]: middleware/csrf custom extractor (#2052)
* feat(middleware/csrf): allow custom Extractor

* test: update Test_CSRF_From_Custom

* docs: add comma

* docs: update KeyLookup docs
2022-08-28 18:57:47 +02:00
Abhishek Mehandiratta
68fcd8c88f
Feature: Session Only Cookies (#1752)
* feat(ctx): add SessionOnly property on Cookie struct

* feat(middleware/config): add CookieSessionOnly property on middleware Config struct

* feat(csrf): link config CookieSessionOnly with fiber.Cookie in create middleware function

* fix(ctx_test): add tests for SessionOnly cookie in test_ctx_cookie

* fix(readme): update readme in csrf middleware for CookieSessionOnly property

* remove deprecated property from CookieSessionOnly explaination comments
2022-02-07 13:35:00 +01:00
Jason McNeil
59e4bf6cc5
🔧 fix(middleware/csrf): unmatched token returns nil error (#1667)
* Update csrf.go

* Update csrf_test.go

* fix(middleware/csrf): missing token return and unit test

* Update csrf_test.go
2021-12-29 02:13:20 +01:00
Jason McNeil
af6b204e50
CookieSameSite default "Lax" (#1640) 2021-12-02 07:41:44 +01:00
Gusted
7b7dcf29f7
♻️ Tidy up the codebase (#1613)
* run gofmt

* add t.Helper()

* Simplify assigns

* Simplify make operation

* Remove unused field in struct

* Fix typo

* Run gofumpt ./

* Consistent spacing

* len(...) can never be negative

* Use ReplaceAll

* Simplify operation

* Remove deadcode

* Fix typo

* Tidy up `} else { if ...`

* Fix AssertEqual

* Remove t.Helper() to fix go1.14.15
2021-11-05 08:00:03 +01:00
Nik Schaefer
a6868c24b9
📚 Doc: Correct Session to Crsf in Import (#1277) 2021-04-10 16:19:40 -04:00
iRedMail
078b6e295a
Fix comment in middleware/csrf/config.go 2021-03-20 12:58:08 +08:00
Joey
0f18e0f1b0
Merge pull request #1194 from gofiber/csrf-mw-restructuring
CSRF MW Restructuring
2021-03-09 15:32:16 +01:00
hi019
13f0d5bb61 Remove global variable 2021-03-09 09:29:47 -05:00
hi019
983919fd18
CSRF Docs - Add note about how to get token (#1196) 2021-03-01 20:32:22 -05:00
hi019
b31953ab8d Revert "Remove global variable"
This reverts commit 2d4d2f7c
2021-03-01 16:38:56 -05:00
hi019
2d4d2f7c47 Remove global variable 2021-03-01 16:30:04 -05:00
hi019
86e43593cd CSRF MW Restructuring 2021-03-01 16:25:32 -05:00
Jason McNeil
53e5dc523e
🩹 Fix: CSRF middleware cookie<>storage bug squashed and other improvements (#1180)
* expire cookie on Post, Delete, Patch and Put

Cookie should always expire on Post, Delete, Patch and Put as it is either valid and will be removed from storage, or is not in storage and invalid

* token and cookie match

* retrigger checks

* csrf tests

* csrf per session strategy
2021-03-01 17:44:17 +01:00
hinoguma
1ad5a618cb make default handler to private. fix testcase for invalid token and empty token. 2021-01-23 12:39:27 +09:00
hinoguma
19e6a4429d add custom error func for csrf middleware 2021-01-23 03:45:47 +09:00
hi019
494474aebd
Merge branch 'master' into master 2020-12-13 22:08:51 -05:00
amalshaji
86f258c4ae fixed cookie error in csrf.go 2020-12-10 10:45:21 +05:30
Fenny
323d9d89cc 🩹 fix manager logic 2020-11-23 07:38:42 +01:00
hi019
bc7b240158 improve mw 2020-11-21 12:36:16 -05:00
hi019
e828c17554 Standardize MW docs 2020-11-17 12:12:49 -05:00
Fenny
9be8eedcc6 🩹 fix cache mw
Co-Authored-By: RW <7063188+ReneWerner87@users.noreply.github.com>
2020-11-17 13:03:18 +01:00
Fenny
6338ce855c 🩹 fix csrf test 2020-11-14 03:09:53 +01:00
Fenny
9a0551049c 📝 update readme 2020-11-14 00:47:31 +01:00
Fenny
6b48509ce9 update cookie config fields 2020-11-14 00:45:55 +01:00
Fenny
558d802cdd 🩹 Fix expiration check 2020-11-13 18:34:01 +01:00
Fenny
ef35d00a79 🦺 simplify session config 2020-11-11 23:51:32 +01:00
Fenny
ec8fdb32de 🧽 clean code structure 2020-11-11 21:44:37 +01:00
Fenny
b29d500fc0 🩹 verify csrf on state changing methods 2020-11-11 21:39:22 +01:00
Fenny
ce897c0b66 🩹 fix tests 2020-11-11 18:34:46 +01:00
Fenny
66ee4de7d8 🕊 rename token to key 2020-11-11 18:19:53 +01:00
Fenny
1bd7b1b15b ✏ fix typo 2020-11-11 16:41:26 +01:00
Fenny
2b0f65c5d2 ✏ update readme 2020-11-11 15:57:38 +01:00