feat: add origin check for CSRF protection

ematipico · ematipico · commit bd7cd9ffaab8 · 2024-04-04T18:13:10.000+01:00
diff --git a/packages/astro/src/@types/astro.ts b/packages/astro/src/@types/astro.ts
@@ -1610,6 +1610,49 @@ export interface AstroUserConfig {
 	 */
 	legacy?: object;
 
+	/**
+	 * @name security
+	 * @type {object}
+	 * @version 4.6.0
+	 * @type {object}
+	 * @description
+	 *
+	 * It allows to opt-in various security measures for Astro applications.
+	 */
+	security?: {
+		/**
+		 * @name security.csrfProtection
+		 * @type {object}
+		 * @default '{}'
+		 * @version 4.6.0
+		 * @description
+		 */
+
+		csrfProtection?: {
+			/**
+			 * @name security.csrfProtection.origin
+			 * @type {boolean}
+			 * @default 'false'
+			 * @version 4.6.0
+			 * @description
+			 *
+			 * Something
+			 */
+			origin?: boolean;
+
+			/**
+			 * @name security.csrfProtection.token
+			 * @type {boolean}
+			 * @default 'false'
+			 * @version 4.6.0
+			 * @description
+			 *
+			 * Something
+			 */
+			token?: boolean | string;
+		};
+	};
+
 	/**
 	 * @docs
 	 * @kind heading
@@ -1821,6 +1864,29 @@ export interface AstroUserConfig {
 		 * See the [Internationalization Guide](https://docs.astro.build/en/guides/internationalization/#domains-experimental) for more details, including the limitations of this experimental feature.
 		 */
 		i18nDomains?: boolean;
+
+		/**
+		 * @docs
+		 * @name experimental.csrfProtection
+		 * @type {boolean}
+		 * @default `false`
+		 * @version 4.6.0
+		 * @description
+		 *
+		 * It enables the CSRF protection for Astro websites.
+		 *
+		 * The CSRF protection works only for on-demand pages (SSR) and hybrid pages where prerendering is opted out.
+		 *
+		 * ```js
+		 * // astro.config.mjs
+		 * export default defineConfig({
+		 *   experimental: {
+		 *     csrfProtection: true,
+		 *   },
+		 * })
+		 * ```
+		 */
+		csrfProtection?: boolean;
 	};
 }
 
diff --git a/packages/astro/src/core/app/index.ts b/packages/astro/src/core/app/index.ts
@@ -1,6 +1,7 @@
 import type {
 	ComponentInstance,
 	ManifestData,
+	MiddlewareHandler,
 	RouteData,
 	SSRManifest,
 } from '../../@types/astro.js';
@@ -31,6 +32,7 @@ import { createAssetLink } from '../render/ssr-element.js';
 import { ensure404Route } from '../routing/astro-designed-error-pages.js';
 import { matchRoute } from '../routing/match.js';
 import { AppPipeline } from './pipeline.js';
+import { defineMiddleware, sequence } from '../middleware/index.js';
 export { deserializeManifest } from './common.js';
 
 export interface RenderOptions {
@@ -112,6 +114,13 @@ export class App {
 	 * @private
 	 */
 	#createPipeline(streaming = false) {
+		if (this.#manifest.csrfProtection) {
+			this.#manifest.middleware = sequence(
+				this.#createOriginCheckMiddleware(),
+				this.#manifest.middleware
+			);
+		}
+
 		return AppPipeline.create({
 			logger: this.#logger,
 			manifest: this.#manifest,
@@ -137,6 +146,42 @@ export class App {
 		});
 	}
 
+	/**
+	 * Content types that can be passed when sending a request via a form
+	 *
+	 * https://developer.mozilla.org/en-US/docs/Web/API/HTMLFormElement/enctype
+	 * @private
+	 */
+	#formContentTypes = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
+
+	/**
+	 * Returns a middleware function in charge to check the `origin` header.
+	 *
+	 * @private
+	 */
+	#createOriginCheckMiddleware(): MiddlewareHandler {
+		return defineMiddleware((context, next) => {
+			const { request, url } = context;
+			const contentType = request.headers.get('content-type');
+			if (contentType) {
+				if (this.#formContentTypes.includes(contentType)) {
+					const forbidden =
+						(request.method === 'POST' ||
+							request.method === 'PUT' ||
+							request.method === 'PATCH' ||
+							request.method === 'DELETE') &&
+						request.headers.get('origin') !== url.origin;
+					if (forbidden) {
+						return new Response(`Cross-site ${request.method} form submissions are forbidden`, {
+							status: 403,
+						});
+					}
+				}
+			}
+			return next();
+		});
+	}
+
 	set setManifestData(newManifestData: ManifestData) {
 		this.#manifestData = newManifestData;
 	}
diff --git a/packages/astro/src/core/app/types.ts b/packages/astro/src/core/app/types.ts
@@ -64,6 +64,7 @@ export type SSRManifest = {
 	pageMap?: Map<ComponentPath, ImportComponentInstance>;
 	i18n: SSRManifestI18n | undefined;
 	middleware: MiddlewareHandler;
+	csrfProtection: SSRCsrfProtection | undefined;
 };
 
 export type SSRManifestI18n = {
@@ -74,6 +75,10 @@ export type SSRManifestI18n = {
 	domainLookupTable: Record<string, string>;
 };
 
+export type SSRCsrfProtection = {
+	origin: boolean;
+};
+
 export type SerializedSSRManifest = Omit<
 	SSRManifest,
 	'middleware' | 'routes' | 'assets' | 'componentMetadata' | 'inlinedScripts' | 'clientDirectives'
diff --git a/packages/astro/src/core/build/generate.ts b/packages/astro/src/core/build/generate.ts
@@ -615,5 +615,8 @@ function createBuildManifest(
 		i18n: i18nManifest,
 		buildFormat: settings.config.build.format,
 		middleware,
+		csrfProtection: settings.config.experimental.csrfProtection
+			? settings.config.security?.csrfProtection
+			: undefined,
 	};
 }
diff --git a/packages/astro/src/core/build/plugins/plugin-manifest.ts b/packages/astro/src/core/build/plugins/plugin-manifest.ts
@@ -276,5 +276,8 @@ function buildManifest(
 		assets: staticFiles.map(prefixAssetPath),
 		i18n: i18nManifest,
 		buildFormat: settings.config.build.format,
+		csrfProtection: settings.config.experimental.csrfProtection
+			? settings.config.security?.csrfProtection
+			: undefined,
 	};
 }
diff --git a/packages/astro/src/core/config/schema.ts b/packages/astro/src/core/config/schema.ts
@@ -86,6 +86,7 @@ const ASTRO_CONFIG_DEFAULTS = {
 		clientPrerender: false,
 		globalRoutePriority: false,
 		i18nDomains: false,
+		csrfProtection: false,
 	},
 } satisfies AstroUserConfig & { server: { open: boolean } };
 
@@ -139,6 +140,15 @@ export const AstroConfigSchema = z.object({
 			.array(z.object({ name: z.string(), hooks: z.object({}).passthrough().default({}) }))
 			.default(ASTRO_CONFIG_DEFAULTS.integrations)
 	),
+	security: z
+		.object({
+			csrfProtection: z
+				.object({
+					origin: z.boolean().default(false),
+				})
+				.optional(),
+		})
+		.optional(),
 	build: z
 		.object({
 			format: z
@@ -508,6 +518,10 @@ export const AstroConfigSchema = z.object({
 				.boolean()
 				.optional()
 				.default(ASTRO_CONFIG_DEFAULTS.experimental.globalRoutePriority),
+			csrfProtection: z
+				.boolean()
+				.optional()
+				.default(ASTRO_CONFIG_DEFAULTS.experimental.csrfProtection),
 			i18nDomains: z.boolean().optional().default(ASTRO_CONFIG_DEFAULTS.experimental.i18nDomains),
 		})
 		.strict(
diff --git a/packages/astro/src/vite-plugin-astro-server/plugin.ts b/packages/astro/src/vite-plugin-astro-server/plugin.ts
@@ -143,6 +143,9 @@ export function createDevelopmentManifest(settings: AstroSettings): SSRManifest
 		componentMetadata: new Map(),
 		inlinedScripts: new Map(),
 		i18n: i18nManifest,
+		csrfProtection: settings.config.experimental.csrfProtection
+			? settings.config.security?.csrfProtection
+			: undefined,
 		middleware(_, next) {
 			return next();
 		},

Original file line number	Diff line number	Diff line change
`@@ -615,5 +615,8 @@ function createBuildManifest(`
`615`	`615`	`i18n: i18nManifest,`
`616`	`616`	`buildFormat: settings.config.build.format,`
`617`	`617`	`middleware,`
	`618`	`+ csrfProtection: settings.config.experimental.csrfProtection`
	`619`	`+ ? settings.config.security?.csrfProtection`
	`620`	`+ : undefined,`
`618`	`621`	`};`
`619`	`622`	`}`
Original file line number	Diff line number	Diff line change
`@@ -276,5 +276,8 @@ function buildManifest(`
`276`	`276`	`assets: staticFiles.map(prefixAssetPath),`
`277`	`277`	`i18n: i18nManifest,`
`278`	`278`	`buildFormat: settings.config.build.format,`
	`279`	`+ csrfProtection: settings.config.experimental.csrfProtection`
	`280`	`+ ? settings.config.security?.csrfProtection`
	`281`	`+ : undefined,`
`279`	`282`	`};`
`280`	`283`	`}`