From a0e8c4a36936c2d39a041f42bd78633d07598d59 Mon Sep 17 00:00:00 2001 From: Jordan Wright Date: Thu, 23 Apr 2020 23:16:44 -0500 Subject: [PATCH] Added optional csrf_key to config to better support H/A configurations. Fixes #1816. Fixes #1820. --- config/config.go | 4 +++- config/config_test.go | 1 + controllers/route.go | 6 +++++- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/config/config.go b/config/config.go index 70d76e29..d460f71e 100644 --- a/config/config.go +++ b/config/config.go @@ -2,8 +2,9 @@ package config import ( "encoding/json" - log "github.com/gophish/gophish/logger" "io/ioutil" + + log "github.com/gophish/gophish/logger" ) // AdminServer represents the Admin server configuration details @@ -12,6 +13,7 @@ type AdminServer struct { UseTLS bool `json:"use_tls"` CertPath string `json:"cert_path"` KeyPath string `json:"key_path"` + CSRFKey string `json:"csrf_key"` } // PhishServer represents the Phish server configuration details diff --git a/config/config_test.go b/config/config_test.go index e0a553e8..7e164fcd 100644 --- a/config/config_test.go +++ b/config/config_test.go @@ -62,6 +62,7 @@ func TestLoadConfig(t *testing.T) { } expectedConfig.MigrationsPath = expectedConfig.MigrationsPath + expectedConfig.DBName expectedConfig.TestFlag = false + expectedConfig.AdminConf.CSRFKey = "" if !reflect.DeepEqual(expectedConfig, conf) { t.Fatalf("invalid config received. expected %#v got %#v", expectedConfig, conf) } diff --git a/controllers/route.go b/controllers/route.go index b417b0ac..e512c1c0 100644 --- a/controllers/route.go +++ b/controllers/route.go @@ -138,7 +138,11 @@ func (as *AdminServer) registerRoutes() { router.PathPrefix("/").Handler(http.FileServer(unindexed.Dir("./static/"))) // Setup CSRF Protection - csrfHandler := csrf.Protect([]byte(util.GenerateSecureKey()), + csrfKey := []byte(as.config.CSRFKey) + if len(csrfKey) == 0 { + csrfKey = []byte(util.GenerateSecureKey()) + } + csrfHandler := csrf.Protect(csrfKey, csrf.FieldName("csrf_token"), csrf.Secure(as.config.UseTLS)) adminHandler := csrfHandler(router)