CSRF protection, refs #793

simonw · Jun 5, 2020 · e994b21 · e994b21
1 parent 0c064c5
commit e994b21
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 2 deletions.
diff --git a/datasette/app.py b/datasette/app.py
@@ -1,4 +1,5 @@
 import asyncio
+import asgi_csrf
 import collections
 import datetime
 import hashlib
@@ -884,7 +885,14 @@ async def setup_db():
                     await database.table_counts(limit=60 * 60 * 1000)
 
         asgi = AsgiLifespan(
-            AsgiTracer(DatasetteRouter(self, routes)), on_startup=setup_db
+            AsgiTracer(
+                asgi_csrf.asgi_csrf(
+                    DatasetteRouter(self, routes),
+                    signing_secret=self._secret,
+                    cookie_name="ds_csrftoken",
+                )
+            ),
+            on_startup=setup_db,
         )
         for wrapper in pm.hook.asgi_wrapper(datasette=self):
             asgi = wrapper(asgi)

diff --git a/datasette/templates/messages_debug.html b/datasette/templates/messages_debug.html
@@ -8,7 +8,7 @@ <h1>Debug messages</h1>
 
 <p>Set a message:</p>
 
-<form action="/-/messages" method="POST">
+<form action="/-/messages" method="post">
     <div>
         <input type="text" name="message" style="width: 40%">
         <div class="select-wrapper">
@@ -19,6 +19,7 @@ <h1>Debug messages</h1>
                 <option>all</option>
             </select>
         </div>
+        <input type="hidden" name="csrftoken" value="{{ csrftoken }}">
         <input type="submit" value="Add message">
     </div>
 </form>

diff --git a/datasette/templates/query.html b/datasette/templates/query.html
@@ -52,6 +52,7 @@ <h3>Query parameters</h3>
     {% endif %}
     <p>
         <button id="sql-format" type="button" hidden>Format SQL</button>
+        {% if canned_query %}<input type="hidden" name="csrftoken" value="{{ csrftoken }}">{% endif %}
         <input type="submit" value="Run SQL">
     </p>
 </form>

diff --git a/datasette/views/base.py b/datasette/views/base.py
@@ -95,6 +95,7 @@ async def render(self, templates, request, context=None):
             **context,
             **{
                 "database_url": self.database_url,
+                "csrftoken": request.scope["csrftoken"],
                 "database_color": self.database_color,
                 "show_messages": lambda: self.ds._show_messages(request),
                 "select_templates": [

diff --git a/setup.py b/setup.py
@@ -53,6 +53,7 @@ def get_version():
         "uvicorn~=0.11",
         "aiofiles>=0.4,<0.6",
         "janus>=0.4,<0.6",
+        "asgi-csrf>=0.3.1",
         "PyYAML~=5.3",
         "mergedeep>=1.1.1,<1.4.0",
         "itsdangerous~=1.1",