Jason McNeil | 643b4b3f53
feat(middleware/csrf): TrustedOrigins using https://*.example.com style subdomains (#2925)
* feat(middleware/csrf): TrustedOrigins using https://*.example.com style subdomains
* Update middleware/csrf/csrf_test.go
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* test(middleware/csrf): parallel test
* test(middleware/csrf): parallel fix
* chore(middleware/csrf): no pkg/log
* feat(middleware/csrf): Add tests for Trusted Origin deeply nested subdomain
* test(middleware/csrf): fix loop variable tt being captured
* docs(middleware/csrf): TrustedOrigins validates and normalizes note
* test(middleware/csrf): fix Benchmark_Middleware_CSRF_Check
---------
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Juan Calderon-Perez <835733+gaby@users.noreply.github.com>
2024-03-25 15:29:37 +01:00

Jason McNeil | 8c3916dbf4
Merge pull request from GHSA-94w9-97p3-p368
* feat: improved csrf with session support
* fix: double submit cookie
* feat: add warning cookie extractor without session
* feat: add warning CsrfFromCookie SameSite
* fix: use bytes.Equal instead
* fix: Overridden CookieName KeyLookup cookie:<name>
* feat: Create helpers.go
* feat: use compareTokens (constant time compare)
* feat: validate cookie to prevent token injection
* refactor: clean up csrf.go
* docs: update comment about Double Submit Cookie
* docs: update docs for CSRF changes
* feat: add DeleteToken
* refactor: no else
* test: add more tests
* refactor: re-order tests
* docs: update safe methods RFC add note
* test: add CSRF_Cookie_Injection_Exploit
* feat: add SingleUseToken config
* test: check for new token
* docs: use warning
* fix: always register type Token
* feat: use UUIDv4
* test: swap in UUIDv4 here too
* fix: raw token injection
* fix: merge error
* feat: Sentinel errors
* chore: rename test
* fix: url parse
* test: add path to referer
* test: add expiration tests
* docs: add cookie prefix note
* docs: fix typo
* docs: add warning for refer checks
* test: add referer edge cases
And call ctx.Request.Reset() and
ctx.Response.Reset() before re-using ctx.
2023-10-16 09:06:30 +02:00

René Werner | bb90fc1187
fix lint errors
2023-10-11 15:16:35 +02:00

Jason McNeil | b50d91d58e
Merge pull request from GHSA-94w9-97p3-p368
* feat: improved csrf with session support
* fix: double submit cookie
* feat: add warning cookie extractor without session
* feat: add warning CsrfFromCookie SameSite
* fix: use bytes.Equal instead
* fix: Overridden CookieName KeyLookup cookie:<name>
* feat: Create helpers.go
* feat: use compareTokens (constant time compare)
* feat: validate cookie to prevent token injection
* refactor: clean up csrf.go
* docs: update comment about Double Submit Cookie
* docs: update docs for CSRF changes
* feat: add DeleteToken
* refactor: no else
* test: add more tests
* refactor: re-order tests
* docs: update safe methods RFC add note
* test: add CSRF_Cookie_Injection_Exploit
* feat: add SingleUseToken config
* test: check for new token
* docs: use warning
* fix: always register type Token
* feat: use UUIDv4
* test: swap in UUIDv4 here too
2023-10-11 14:41:42 +02:00