From 5e701736174be600a4706b88c21f191fb4dc22b2 Mon Sep 17 00:00:00 2001
From: Pavel Stratil <pavel@vaizard.org>
Date: Wed, 4 Dec 2019 01:29:01 +0000
Subject: [PATCH] add samesite csrf protection to sessionMiddleware, csp + cors
 middleware

---
 README.md                                   |  5 ++++
 composer.json                               |  6 +++--
 glued/Core/Middleware/SessionMiddleware.php | 19 ++++++++++++++
 glued/Core/Views/signup.twig                |  1 -
 glued/Core/Views/templates/default.twig     |  7 ++++++
 glued/Mail/Controllers/MailController.php   | 27 ++++++++++++++++++++
 glued/Mail/Views/opera.twig                 | 21 ++++++++++++++++
 glued/Mail/routes.php                       | 13 ++++++++++
 glued/container.php                         |  5 +++-
 glued/middleware.php                        | 28 +++++++++++++++++----
 glued/settings.dist.php                     | 10 +++++---
 11 files changed, 130 insertions(+), 12 deletions(-)
 create mode 100644 glued/Mail/Controllers/MailController.php
 create mode 100644 glued/Mail/Views/opera.twig
 create mode 100644 glued/Mail/routes.php

diff --git a/README.md b/README.md
index a36caf8c..97e20c2b 100644
--- a/README.md
+++ b/README.md
@@ -50,6 +50,11 @@ The glue that keeps stuff together in Glued. To all microservices, core provides
 - content-addressable file storage (CAS)
 - internationalization
 - assets management and caching
+- (some of the) security
+  - CSRF prevention (session cookie) via the SessionMiddleware;
+  - TODO / CSRF prevention (other cookies) - hack this https://github.com/selective-php/samesite-cookie/blob/master/src/SameSiteCookieMiddleware.php
+  - CSP prevention
+  - XSS prevention
 
 ### Spider
 
diff --git a/composer.json b/composer.json
index 103d45d2..b5ec5837 100644
--- a/composer.json
+++ b/composer.json
@@ -24,7 +24,6 @@
     "php": "^7.3",
     "slim/slim": "^4.3",
     "slim/twig-view": "3.0.0-beta",
-    "slim/csrf": "^1.0.0",
     "slim/flash": "^0.4.0",
     "slim/http": "^0.8",
     "nyholm/psr7": "^1.1",
@@ -50,7 +49,10 @@
     "granam/czech-vocative": "^2.0",
     "dfridrich/ares": "^1.2",
     "spatie/browsershot": "^3.33",
-    "google/apiclient": "^2.4"
+    "google/apiclient": "^2.4",
+    "php-imap/php-imap": "^3.0",
+    "tuupola/cors-middleware": "^1.1",
+    "middlewares/csp": "^3.0"
   },
   "scripts": {
     "start": "php -S localhost:8080 -t public",
diff --git a/glued/Core/Middleware/SessionMiddleware.php b/glued/Core/Middleware/SessionMiddleware.php
index e6faa111..828646b1 100644
--- a/glued/Core/Middleware/SessionMiddleware.php
+++ b/glued/Core/Middleware/SessionMiddleware.php
@@ -9,6 +9,13 @@
  */
 final class SessionMiddleware implements MiddlewareInterface
 {
+
+    protected $settings;
+    public function __construct($settings) 
+    {
+        $this->settings = $settings;
+    }
+    
     /**
      * Invoke middleware.
      *
@@ -20,6 +27,18 @@ final class SessionMiddleware implements MiddlewareInterface
     public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
     {
         if (session_status() !== PHP_SESSION_ACTIVE) {
+
+            if (ini_get('session.use_cookies')) {
+                $ini_defs = session_get_cookie_params();
+            }
+            session_set_cookie_params([
+                'lifetime' => $this->settings['glued']['session_cookie_lifetime'],
+                'path' => $ini_defs['path'],
+                'domain' => $ini_defs['domain'],
+                'secure' => $this->settings['glued']['session_cookie_secure'],
+                'httponly' => $this->settings['glued']['session_cookie_httponly'],
+                'samesite' => $this->settings['glued']['session_cookie_samesite'],
+            ]);
             session_start();
         }
         $response = $handler->handle($request);
diff --git a/glued/Core/Views/signup.twig b/glued/Core/Views/signup.twig
index 2152f0ae..29ec2693 100644
--- a/glued/Core/Views/signup.twig
+++ b/glued/Core/Views/signup.twig
@@ -36,7 +36,6 @@
                     </div>
                     <div class="card-footer">
                       <button type="submit" class="btn btn-primary">{{ __('Sign up') }}</button>
-                      {{ csrf.field | raw }}
                     </div>
                 </form>
               </div>
diff --git a/glued/Core/Views/templates/default.twig b/glued/Core/Views/templates/default.twig
index e2d43695..f794e530 100644
--- a/glued/Core/Views/templates/default.twig
+++ b/glued/Core/Views/templates/default.twig
@@ -91,6 +91,13 @@
                 <li><a class="nav-link" href="#">Statistics</a></li>
               </ul>
             </li>
+            <li class="dropdown">
+              <a href="#" class="nav-link has-dropdown" data-toggle="dropdown"><i class="fas fa-mail-bulk"></i> <span>Mail</span></a>
+              <ul class="dropdown-menu">
+                <li><a class="nav-link" href="{{ url_for('mail.accounts.web') }}">{{ __('Accounts') }}</a></li>
+                <li><a class="nav-link" href="{{ url_for('mail.opera.web') }}">{{ __('Opera') }}</a></li>
+              </ul>
+            </li>
             <li class="dropdown">
               <a href="#" class="nav-link has-dropdown" data-toggle="dropdown"><i class="fas fa-spider"></i> <span>Spider</span></a>
               <ul class="dropdown-menu">
diff --git a/glued/Mail/Controllers/MailController.php b/glued/Mail/Controllers/MailController.php
new file mode 100644
index 00000000..e16c583c
--- /dev/null
+++ b/glued/Mail/Controllers/MailController.php
@@ -0,0 +1,27 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Glued\Mail\Controllers;
+
+use Psr\Http\Message\ResponseInterface as Response;
+use Psr\Http\Message\ServerRequestInterface as Request;
+use Glued\Core\Controllers\AbstractTwigController;
+use Respect\Validation\Validator as v;
+
+class MailController extends AbstractTwigController
+{
+    /**
+     * @param Request  $request
+     * @param Response $response
+     * @param array    $args
+     *
+     * @return Response
+     */
+    public function __invoke(Request $request, Response $response, array $args = []): Response
+    {
+        return $this->render($response, 'Mail/Views/opera.twig', [
+            'pageTitle' => 'Opera',
+        ]);
+    }
+}
diff --git a/glued/Mail/Views/opera.twig b/glued/Mail/Views/opera.twig
new file mode 100644
index 00000000..9c80cc10
--- /dev/null
+++ b/glued/Mail/Views/opera.twig
@@ -0,0 +1,21 @@
+{% extends '/Core/Views/templates/default.twig' %}
+
+{% block content %}
+        <section class="section">
+          <div class="section-header">
+            <h1>{{ __('Hello, dear') }} {{ name | default(__('Anonymous')) }}</h1>
+          </div>
+
+          <div class="section-body">
+            {{ __('Let\'s stick together.') }}
+            <form id="spider_browse_fetch" onsubmit="changeUri()">
+                <input type="text" name="uri">
+                <input type="submit" value="Fetch">
+            </form>
+            <br />
+            uri: <a href="{{ uri }}">{{ uri }}</a> <br />
+            uri valid: {{ validate }} <br />
+            <img width="300" src="{{ screenshot }}">
+          </div>
+        </section>
+{% endblock %}
diff --git a/glued/Mail/routes.php b/glued/Mail/routes.php
new file mode 100644
index 00000000..358e8429
--- /dev/null
+++ b/glued/Mail/routes.php
@@ -0,0 +1,13 @@
+<?php
+use Slim\Routing\RouteCollectorProxy;
+use Glued\Mail\Controllers\MailController;
+use Glued\Core\Middleware\RedirectIfAuthenticated;
+use Glued\Core\Middleware\RedirectIfNotAuthenticated;
+use Psr\Http\Message\ResponseInterface as Response;
+use Psr\Http\Message\ServerRequestInterface as Request;
+
+// Define the app routes.
+$app->group('/mail', function (RouteCollectorProxy $group) {
+    $group->get ('/accounts[/{uri}]', MailController::class)->setName('mail.accounts.web'); // ->add(new RedirectIfNotAuthenticated());
+    $group->get ('/opera[/{uri}]', MailController::class)->setName('mail.opera.web'); // ->add(new RedirectIfNotAuthenticated());
+});
diff --git a/glued/container.php b/glued/container.php
index 399881e8..a69f8b2b 100644
--- a/glued/container.php
+++ b/glued/container.php
@@ -1,8 +1,8 @@
 <?php
 
+use DI\Container;
 use Glued\Core\Classes\Users;
 use Glued\Core\Middleware\TranslatorMiddleware;
-use DI\Container;
 use Monolog\Handler\StreamHandler;
 use Monolog\Logger;
 use Monolog\Processor\UidProcessor;
@@ -11,6 +11,7 @@
 use Psr\Http\Message\ServerRequestInterface as Request;
 use Psr\Log\LoggerInterface;
 use Slim\App;
+use Slim\Csrf\Guard;
 use Slim\Factory\AppFactory;
 use Slim\Flash\Messages;
 use Slim\Interfaces\RouteParserInterface;
@@ -57,6 +58,8 @@
    return new Glued\Core\Classes\Validation\Validator;
 });
 
+
+
 $container->set('routerParser', $app->getRouteCollector()->getRouteParser());
 
 
diff --git a/glued/middleware.php b/glued/middleware.php
index c97264ad..51d8ff9e 100644
--- a/glued/middleware.php
+++ b/glued/middleware.php
@@ -1,18 +1,21 @@
 <?php
 
 use DI\Container;
+use Glued\Core\Middleware\LocaleSessionMiddleware;
+use Glued\Core\Middleware\SessionMiddleware;
+use Glued\Core\Middleware\Timer;
+use Glued\Core\Middleware\TranslatorMiddleware;
+use Middlewares\Csp;
 use Middlewares\TrailingSlash;
 use Nyholm\Psr7\Response as Psr7Response;
+use ParagonIE\CSPBuilder\CSPBuilder;
 use Slim\App;
 use Slim\Exception\HttpNotFoundException;
 use Slim\Middleware\ErrorMiddleware;
 use Slim\Views\Twig;
 use Slim\Views\TwigMiddleware;
 use Slim\addRoutingMiddleware;
-use Glued\Core\Middleware\LocaleSessionMiddleware; // Twig-translation
-use Glued\Core\Middleware\TranslatorMiddleware; // Twig-translation
-use Glued\Core\Middleware\Timer;
-use Glued\Core\Middleware\SessionMiddleware;
+use Tuupola\Middleware\CorsMiddleware;
 
 
 // =================================================
@@ -80,7 +83,22 @@
 
 
 $app->add(\Glued\Core\Middleware\ValidationFormsMiddleware::class);
-$app->add(SessionMiddleware::class);
+//$app->add(SessionMiddleware::class);
+
+
+$csp = new CSPBuilder([
+            'script-src' => ['self' => true],
+            'object-src' => ['self' => true],
+            'frame-ancestors' => ['self' => true],
+        ]);
+
+$app->add(new Middlewares\Csp($csp));
+
+$app->add(new Tuupola\Middleware\CorsMiddleware);
+// TODO add sane defaults to CorsMiddleware
+
+$sessionMiddleware = new SessionMiddleware($settings);
+$app->add($sessionMiddleware);
 
 
 // =================================================
diff --git a/glued/settings.dist.php b/glued/settings.dist.php
index edca7873..2f69498f 100644
--- a/glued/settings.dist.php
+++ b/glued/settings.dist.php
@@ -42,9 +42,13 @@
 
     // Glued globals
     'glued' => [
-        'hostname' => 'glued.example.com',
-        'session_def_timeout' => 7200,
-        'session_min_timeout' => 300,
+        //'hostname' => 'glued.example.com',
+        //'session_def_timeout' => 7200,
+        //'session_min_timeout' => 300,
+        'session_cookie_lifetime' => 0,
+        'session_cookie_secure' => true,
+        'session_cookie_httponly' => true,
+        'session_cookie_samesite' => 'Lax',
         'timezone' => 'Europe/Prague',
         'password_hash_algo' => PASSWORD_ARGON2ID,
         'password_hash_opts' => [