Merge pull request #161 from cviecco/fix-xss-admin-port

Fix xss admin port

Author: rgooch

cmd/keymasterd/adminDashboard.go

@@ -27,6 +27,7 @@ func (dashboard *adminDashboardType) ServeHTTP(w http.ResponseWriter,
 	}
 	writer := bufio.NewWriter(w)
 	defer writer.Flush()
+	setSecurityHeaders(w)
 	fmt.Fprintln(writer, "<title>keymaster status page</title>")
 	fmt.Fprintln(writer, "<body>")
 	fmt.Fprintln(writer, "<center>")

cmd/keymasterd/main.go

@@ -437,6 +437,7 @@ func (state *RuntimeState) writeFailureResponse(w http.ResponseWriter, r *http.R
 	}
 	w.WriteHeader(code)
 	publicErrorText := fmt.Sprintf("%d %s %s\n", code, http.StatusText(code), message)
+	setSecurityHeaders(w)
 	switch code {
 
 	case http.StatusUnauthorized:
@@ -456,7 +457,7 @@ func (state *RuntimeState) writeFailureResponse(w http.ResponseWriter, r *http.R
 			if r.Method == "POST" {
 				/// assume it has been parsed... otherwise why are we here?
 				if r.Form.Get("login_destination") != "" {
-					loginDestnation = r.Form.Get("login_destination")
+					loginDestnation = getLoginDestination(r)
 				}
 			}
 			if authCookie == nil {
@@ -489,6 +490,14 @@ func (state *RuntimeState) writeFailureResponse(w http.ResponseWriter, r *http.R
 	}
 }
 
+func setSecurityHeaders(w http.ResponseWriter) {
+	//all common security headers go here
+	w.Header().Set("Strict-Transport-Security", "max-age=1209600")
+	w.Header().Set("X-Frame-Options", "DENY")
+	w.Header().Set("X-XSS-Protection", "1")
+	w.Header().Set("Content-Security-Policy", "default-src 'self' ;style-src 'self' fonts.googleapis.com 'unsafe-inline'; font-src fonts.gstatic.com fonts.googleapis.com")
+}
+
 // returns true if the system is locked and sends message to the requester
 func (state *RuntimeState) sendFailureToClientIfLocked(w http.ResponseWriter, r *http.Request) bool {
 	var signerIsNull bool
@@ -497,12 +506,7 @@ func (state *RuntimeState) sendFailureToClientIfLocked(w http.ResponseWriter, r
 	signerIsNull = (state.Signer == nil)
 	state.Mutex.Unlock()
 
-	//all common security headers go here
-	w.Header().Set("Strict-Transport-Security", "max-age=31536")
-	w.Header().Set("X-Frame-Options", "DENY")
-	w.Header().Set("X-XSS-Protection", "1")
-	//w.Header().Set("Content-Security-Policy", "default-src 'none'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self';")
-	w.Header().Set("Content-Security-Policy", "default-src 'self' ;style-src 'self' fonts.googleapis.com 'unsafe-inline'; font-src fonts.gstatic.com fonts.googleapis.com")
+	setSecurityHeaders(w)
 
 	if signerIsNull {
 		state.writeFailureResponse(w, r, http.StatusInternalServerError, "")
@@ -1089,6 +1093,7 @@ func (state *RuntimeState) publicPathHandler(w http.ResponseWriter, r *http.Requ
 	case "loginForm":
 		w.WriteHeader(200)
 		//fmt.Fprintf(w, "%s", loginFormText)
+		setSecurityHeaders(w)
 		state.writeHTMLLoginPage(w, r, profilePath, "")
 		return
 	case "x509ca":
@@ -1151,6 +1156,21 @@ func (state *RuntimeState) startVIPPush(cookieVal string, username string) error
 	return nil
 }
 
+// We need to ensure that all login destinations are relative paths
+// Thus the path MUST start with a / but MUST NOT start with a //, because
+// // is interpreted as: use whatever protocol you think is OK
+func getLoginDestination(r *http.Request) string {
+	loginDestination := profilePath
+	if r.Form.Get("login_destination") != "" {
+		inboundLoginDestination := r.Form.Get("login_destination")
+		if strings.HasPrefix(inboundLoginDestination, "/") &&
+			!strings.HasPrefix(inboundLoginDestination, "//") {
+			loginDestination = inboundLoginDestination
+		}
+	}
+	return loginDestination
+}
+
 //const loginPath = "/api/v0/login"
 
 func (state *RuntimeState) loginHandler(w http.ResponseWriter, r *http.Request) {
@@ -1275,11 +1295,7 @@ func (state *RuntimeState) loginHandler(w http.ResponseWriter, r *http.Request)
 		CertAuthBackend: certBackends}
 	switch returnAcceptType {
 	case "text/html":
-		loginDestination := profilePath
-		if r.Form.Get("login_destination") != "" {
-			loginDestination = r.Form.Get("login_destination")
-		}
-
+		loginDestination := getLoginDestination(r)
 		requiredAuth := state.getRequiredWebUIAuthLevel()
 		if (requiredAuth & AuthTypePassword) != 0 {
 			eventNotifier.PublishWebLoginEvent(username)
@@ -1455,10 +1471,7 @@ func (state *RuntimeState) VIPAuthHandler(w http.ResponseWriter, r *http.Request
 	loginResponse := proto.LoginResponse{Message: "success"} //CertAuthBackend: certBackends
 	switch returnAcceptType {
 	case "text/html":
-		loginDestination := profilePath
-		if r.Form.Get("login_destination") != "" {
-			loginDestination = r.Form.Get("login_destination")
-		}
+		loginDestination := getLoginDestination(r)
 		eventNotifier.PublishWebLoginEvent(authUser)
 		http.Redirect(w, r, loginDestination, 302)
 	default:
@@ -2247,6 +2260,7 @@ func (state *RuntimeState) serveClientConfHandler(w http.ResponseWriter, r *http
 }
 
 func (state *RuntimeState) defaultPathHandler(w http.ResponseWriter, r *http.Request) {
+	setSecurityHeaders(w)
 	//redirect to profile
 	if r.URL.Path[:] == "/" {
 		//landing page

cmd/keymasterd/templateData.go

@@ -69,7 +69,7 @@ const loginFormText = `
 	{{template "login_pre_password" .}}
         <form enctype="application/x-www-form-urlencoded" action="/api/v0/login" method="post">
             <p>Username: <INPUT TYPE="text" NAME="username" SIZE=18></p>
-            <p>Password: <INPUT TYPE="password" NAME="password" SIZE=18></p>
+            <p>Password: <INPUT TYPE="password" NAME="password" SIZE=18  autocomplete="off"></p>
 	    <INPUT TYPE="hidden" NAME="login_destination" VALUE={{.LoginDestination}}>
             <p><input type="submit" value="Submit" /></p>
         </form>
@@ -117,7 +117,7 @@ const secondFactorAuthFormText = `
 	<div id="vip_login_destination" style="display: none;">{{.LoginDestination}}</div>
         <form enctype="application/x-www-form-urlencoded" action="/api/v0/vipAuth" method="post">
             <p>
-	    Enter VIP token value: <INPUT TYPE="text" NAME="OTP" SIZE=18>
+	    Enter VIP token value: <INPUT TYPE="text" NAME="OTP" SIZE=18  autocomplete="off">
 	    <INPUT TYPE="hidden" NAME="login_destination" VALUE={{.LoginDestination}}>
             <input type="submit" value="Submit" />
 	    </p>