Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
C
coopwire-hypothesis
Project
Project
Details
Activity
Releases
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
孙灵跃 Leon Sun
coopwire-hypothesis
Commits
5b266c80
Commit
5b266c80
authored
Dec 01, 2014
by
Randall Leeds
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Check cross site request token for WebSocket
http://www.christian-schneider.net/CrossSiteWebSocketHijacking.html
parent
7ac29e8a
Changes
5
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
34 additions
and
24 deletions
+34
-24
app.coffee
h/static/scripts/app.coffee
+5
-1
session-service.coffee
h/static/scripts/session/session-service.coffee
+5
-10
streamer-service.coffee
h/static/scripts/streamer-service.coffee
+9
-7
session-service-test.coffee
tests/js/session-service-test.coffee
+8
-4
streamer-service-test.coffee
tests/js/streamer-service-test.coffee
+7
-2
No files found.
h/static/scripts/app.coffee
View file @
5b266c80
...
...
@@ -6,6 +6,7 @@ imports = [
'h.account'
'h.helpers'
'h.identity'
'h.session'
'h.streamer'
]
...
...
@@ -57,7 +58,10 @@ configure = [
basePattern
=
baseURI
.
replace
/\/[^\/]*$/
,
'/**.html'
$sceDelegateProvider
.
resourceUrlWhitelist
[
'self'
,
basePattern
]
streamerProvider
.
url
=
baseURI
.
replace
(
'http'
,
'ws'
)
+
'ws'
streamerProvider
.
urlFn
=
[
'xsrf'
,
(
xsrf
)
->
base
=
baseURI
.
replace
(
/^http/
,
'ws'
)
"
#{
base
}
ws?csrf_token=
#{
xsrf
.
token
}
"
]
]
...
...
h/static/scripts/session/session-service.coffee
View file @
5b266c80
...
...
@@ -40,19 +40,13 @@ class SessionProvider
# });
###
$get
:
[
'$http'
,
'$q'
,
'$resource'
,
'documentHelpers'
,
'flash'
,
(
$http
,
$q
,
$resource
,
documentHelpers
,
flash
)
->
'$http'
,
'$q'
,
'$resource'
,
'documentHelpers'
,
'flash'
,
'xsrf'
,
(
$http
,
$q
,
$resource
,
documentHelpers
,
flash
,
xsrf
)
->
actions
=
{}
provider
=
this
# Capture the state of the cross site request forgery token.
# If cookies are blocked this is our only way to get it.
xsrfToken
=
null
prepare
=
(
data
,
headersGetter
)
->
if
xsrfToken
headers
=
headersGetter
()
headers
[
$http
.
defaults
.
xsrfHeaderName
]
=
xsrfToken
headersGetter
()[
$http
.
defaults
.
xsrfHeaderName
]
=
xsrf
.
token
return
angular
.
toJson
data
process
=
(
data
,
headersGetter
)
->
...
...
@@ -68,7 +62,7 @@ class SessionProvider
for
q
,
msgs
of
data
.
flash
flash
q
,
msgs
xsrf
T
oken
=
model
.
csrf
xsrf
.
t
oken
=
model
.
csrf
# Return the model
model
...
...
@@ -85,3 +79,4 @@ class SessionProvider
angular
.
module
(
'h.session'
)
.
provider
(
'session'
,
SessionProvider
)
.
value
(
'xsrf'
,
token
:
null
)
h/static/scripts/streamer-service.coffee
View file @
5b266c80
...
...
@@ -6,20 +6,21 @@ ST_OPEN = 3
# @ngdoc service
# @name Streamer
#
# @param {String} url The base URL for the socket connection
# @param {String} urlFn A function that will be called with injections to
# generate the socket URL.
#
# @description
# Provides access to the streamer websocket.
###
class Streamer
constructor: (transport, url) ->
constructor: (transport, url
Fn
) ->
this.onmessage = ->
this._failCount = 0
this._queue = []
this._state = ST_CLOSED
this._transport = transport
this._url
= url
this._url
Fn = urlFn
###
*
# @ngdoc method
...
...
@@ -34,7 +35,7 @@ class Streamer
return
self = this
this._sock = new this._transport(this._url)
this._sock = new this._transport(this._url
Fn()
)
this._state = ST_CONNECTING
this._sock.onopen = ->
...
...
@@ -112,9 +113,10 @@ setAjaxClientId = (clientId) ->
streamerProvider
=
->
provider
=
{}
provider
.
url
=
null
provider
.
$get
=
[
'$window'
,
(
$window
)
->
new
Streamer
(
$window
.
WebSocket
,
provider
.
url
)
provider
.
urlFn
=
null
provider
.
$get
=
[
'$injector'
,
'$window'
,
(
$injector
,
$window
)
->
urlFn
=
angular
.
bind
$injector
,
$injector
.
invoke
,
provider
.
urlFn
new
Streamer
(
$window
.
WebSocket
,
urlFn
)
]
return
provider
...
...
tests/js/session-service-test.coffee
View file @
5b266c80
...
...
@@ -23,10 +23,12 @@ describe 'session', ->
describe
'sessionService'
,
->
$httpBackend
=
null
session
=
null
xsrf
=
null
beforeEach
inject
(
_$httpBackend_
,
_session_
)
->
beforeEach
inject
(
_$httpBackend_
,
_session_
,
_xsrf_
)
->
$httpBackend
=
_$httpBackend_
session
=
_session_
xsrf
=
_xsrf_
describe
'#<action>()'
,
->
url
=
'/login'
...
...
@@ -60,15 +62,17 @@ describe 'session', ->
assert
.
match
result
.
reason
,
response
.
reason
,
'the reason is present'
it
'should capture and send the xsrf token'
,
->
xsrf
=
'deadbeef'
token
=
'deadbeef'
headers
=
'Accept'
:
'application/json, text/plain, */*'
'Content-Type'
:
'application/json;charset=utf-8'
'X-XSRF-TOKEN'
:
xsrf
model
=
{
csrf
:
xsrf
}
'X-XSRF-TOKEN'
:
token
model
=
{
csrf
:
token
}
request
=
$httpBackend
.
expectPOST
(
url
).
respond
({
model
})
result
=
session
.
login
({})
$httpBackend
.
flush
()
assert
.
equal
xsrf
.
token
,
token
$httpBackend
.
expectPOST
(
url
,
{},
headers
).
respond
({})
session
.
login
({})
$httpBackend
.
flush
()
tests/js/streamer-service-test.coffee
View file @
5b266c80
...
...
@@ -17,7 +17,8 @@ describe 'streamer', ->
WebSocket
=
sandbox
.
stub
().
returns
(
fakeSock
)
$provide
.
decorator
'$window'
,
(
$delegate
)
->
angular
.
extend
$delegate
,
{
WebSocket
}
streamerProvider
.
url
=
'http://magicstreemz/giraffe'
$provide
.
value
'webSocketUrl'
,
'wss://magicstreemz/giraffe'
streamerProvider
.
urlFn
=
(
webSocketUrl
)
->
webSocketUrl
return
beforeEach
inject
(
_streamer_
)
->
...
...
@@ -26,10 +27,14 @@ describe 'streamer', ->
afterEach
->
sandbox
.
restore
()
it
'calls the transport function with the new keyword'
,
->
streamer
.
open
()
assert
.
calledWithNew
(
WebSocket
)
it
'creates a socket with the correct base URL'
,
->
streamer
.
open
()
assert
.
calledWith
(
WebSocket
,
'
http
://magicstreemz/giraffe'
)
assert
.
calledWith
(
WebSocket
,
'
wss
://magicstreemz/giraffe'
)
it
'does not open another socket while a socket is connecting'
,
->
streamer
.
open
()
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment