Merge pull request #201 from crosbymichael/csrf

Add CSRF Protection
2016-04-02 21:05:13 -05:00 · 2016-04-02 21:05:13 -05:00 · 7e1d5338cf
parent 5bf922325a a67206dd8d
commit 7e1d5338cf
4 changed files with 44 additions and 4 deletions
--- a/app/app.js
+++ b/app/app.js
@ -25,6 +25,10 @@ angular.module('dockerui', [
    'volumes'])
    .config(['$routeProvider', '$httpProvider', function ($routeProvider, $httpProvider) {
        'use strict';
        $httpProvider.defaults.xsrfCookieName = 'csrfToken';
        $httpProvider.defaults.xsrfHeaderName = 'X-CSRF-Token';
        $routeProvider.when('/', {
            templateUrl: 'app/components/dashboard/dashboard.html',
            controller: 'DashboardController'
@ -79,6 +83,10 @@ angular.module('dockerui', [
                            time: 10000
                        });
                    }
                    var csrfToken = response.headers('X-Csrf-Token');
                    if (csrfToken) {
                        document.cookie = 'csrfToken=' + csrfToken;
                    }
                    return response;
                }
            };
@ -88,4 +96,4 @@ angular.module('dockerui', [
    // You need to set this to the api endpoint without the port i.e. http://192.168.1.9
    .constant('DOCKER_ENDPOINT', 'dockerapi')
    .constant('DOCKER_PORT', '') // Docker port, leave as an empty string if no port is requred.  If you have a port, prefix it with a ':' i.e. :4243
-    .constant('UI_VERSION', 'v0.9.0-beta');
+    .constant('UI_VERSION', 'v0.10.1-beta');
--- a/bower.json
+++ b/bower.json
@ -1,6 +1,6 @@
 {
  "name": "dockerui",
-  "version": "0.9.0-beta",
+  "version": "0.10.1-beta",
  "homepage": "https://github.com/crosbymichael/dockerui",
  "authors": [
    "Michael Crosby <crosbymichael@gmail.com>",
--- a/dockerui.go
+++ b/dockerui.go
@ -10,12 +10,18 @@ import (
 	"net/url"
 	"os"
 	"strings"
 	"github.com/gorilla/csrf"
 	"io/ioutil"
 	"fmt"
 	"github.com/gorilla/securecookie"
 )
 var (
 	endpoint = flag.String("e", "/var/run/docker.sock", "Dockerd endpoint")
 	addr     = flag.String("p", ":9000", "Address and port to serve dockerui")
 	assets   = flag.String("a", ".", "Path to the assets")
 	authKey  []byte
 	authKeyFile = "authKey.dat"
 )
 type UnixHandler struct {
@ -85,9 +91,35 @@ func createHandler(dir string, e string) http.Handler {
 		h = createUnixHandler(e)
 	}
 	// Use existing csrf authKey if present or generate a new one.
 	dat, err := ioutil.ReadFile(authKeyFile)
 	if err != nil {
 		fmt.Println(err)
 		authKey = securecookie.GenerateRandomKey(32)
 		err := ioutil.WriteFile(authKeyFile, authKey, 0644)
 		if err != nil {
 			fmt.Println("unable to persist auth key", err)
 		}
 	} else {
 		authKey = dat
 	}
 	CSRF := csrf.Protect(
 		authKey,
 		csrf.HttpOnly(false),
 		csrf.Secure(false),
 	)
 	mux.Handle("/dockerapi/", http.StripPrefix("/dockerapi", h))
 	mux.Handle("/", fileHandler)
-	return mux
+	return CSRF(csrfWrapper(mux))
 }
 func csrfWrapper(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("X-CSRF-Token", csrf.Token(r))
 		h.ServeHTTP(w, r)
 	})
 }
 func main() {
--- a/package.json
+++ b/package.json
@ -2,7 +2,7 @@
  "author": "Michael Crosby & Kevan Ahlquist",
  "name": "dockerui",
  "homepage": "https://github.com/crosbymichael/dockerui",
-  "version": "0.9.0-beta",
+  "version": "0.10.1-beta",
  "repository": {
    "type": "git",
    "url": "git@github.com:crosbymichael/dockerui.git"