Jason McNeil
|
8c3916dbf4
|
Merge pull request from GHSA-94w9-97p3-p368
* feat: improved csrf with session support
* fix: double submit cookie
* feat: add warning cookie extractor without session
* feat: add warning CsrfFromCookie SameSite
* fix: use byes.Equal instead
* fix: Overriden CookieName KeyLookup cookie:<name>
* feat: Create helpers.go
* feat: use compareTokens (constant time compare)
* feat: validate cookie to prevent token injection
* refactor: clean up csrf.go
* docs: update comment about Double Submit Cookie
* docs: update docs for CSRF changes
* feat: add DeleteToken
* refactor: no else
* test: add more tests
* refactor: re-order tests
* docs: update safe methods RCF add note
* test: add CSRF_Cookie_Injection_Exploit
* feat: add SingleUseToken config
* test: check for new token
* docs: use warning
* fix: always register type Token
* feat: use UUIDv4
* test: swap in UUIDv4 here too
* fix: raw token injection
* fix: merege error
* feat: Sentinel errors
* chore: rename test
* fix: url parse
* test: add path to referer
* test: add expiration tests
* docs: add cookie prefix note
* docs: fix typo
* docs: add warning for refer checks
* test: add referer edge cases
And call ctx.Request.Reset() and
ctx.Response.Reset() before re-using ctx.
|
2023-10-16 09:06:30 +02:00 |
|
