Seregon/zftpd

Zero-copy FTP/HTTP Daemon compatible with all POSIX systems

C/11.0 KB/No license
src/http_csrf.c
raw
zftpd / src / http_csrf.c
1/*
2MIT License
3 
4Copyright (c) 2026 Seregon
5 
6Permission is hereby granted, free of charge, to any person obtaining a copy
7of this software and associated documentation files (the "Software"), to deal
8in the Software without restriction, including without limitation the rights
9to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10copies of the Software, and to permit persons to whom the Software is
11furnished to do so, subject to the following conditions:
12 
13The above copyright notice and this permission notice shall be included in all
14copies or substantial portions of the Software.
15 
16THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22SOFTWARE.
23*/
24 
25/**
26 * @file http_csrf.c
27 * @brief CSRF Protection Implementation
28 */
29 
30#include "http_csrf.h"
31#include "http_config.h"
32#include <fcntl.h>
33#include <stdio.h>
34#include <string.h>
35#include <unistd.h>
36 
37#if ENABLE_WEB_UPLOAD
38 
39/* Global CSRF token storage (32 hex chars + null) */
40static char g_csrf_token[HTTP_CSRF_TOKEN_LENGTH + 1];
41static int g_csrf_initialized = 0;
42 
43int http_csrf_init(void) {
44 g_csrf_token[0] = '\0';
45 g_csrf_initialized = 0;
46 int fd = open("/dev/urandom", O_RDONLY);
47 if (fd < 0) {
48 /*
49 * VULN-03 fix: fail hard instead of falling back to a
50 * predictable token. Empty token -> all uploads rejected.
51 *
52 * BEFORE: snprintf(g_csrf_token, ..., "0123456789abcdef...");
53 * AFTER: g_csrf_token[0] = '\0'; (all requests fail)
54 */
55 g_csrf_token[0] = '\0';
56 return -1;
57 }
58 
59 unsigned char random_bytes[HTTP_CSRF_TOKEN_LENGTH / 2];
60 if (read(fd, random_bytes, sizeof(random_bytes)) != sizeof(random_bytes)) {
61 close(fd);
62 /* Partial read -> unusable entropy, fail hard */
63 g_csrf_token[0] = '\0';
64 return -1;
65 }
66 close(fd);
67 
68 /* Convert to hex string */
69 for (int i = 0; i < HTTP_CSRF_TOKEN_LENGTH / 2; i++) {
70 size_t offset = (size_t)i * 2U;
71 size_t remaining = sizeof(g_csrf_token) - offset;
72 if (remaining < 3U) {
73 /* Buffer exhausted during conversion, fail hard */
74 g_csrf_token[0] = '\0';
75 return -1;
76 }
77 int n = snprintf(g_csrf_token + offset, remaining, "%02x", random_bytes[i]);
78 if ((n < 0) || (n >= (int)remaining)) {
79 g_csrf_token[0] = '\0';
80 return -1;
81 }
82 }
83 
84 g_csrf_initialized = 1;
85 return 0;
86}
87 
88const char *http_csrf_get_token(void) { return g_csrf_token; }
89 
90int http_csrf_validate(const http_request_t *req) {
91 if (req == NULL) {
92 return -1;
93 }
94 
95 /*
96 * Phase 1.2: use explicit initialization flag instead of
97 * testing token emptiness. More readable and unforgeable.
98 */
99 if (g_csrf_initialized == 0) {
100 return -1;
101 }
102 
103 /* Look for X-CSRF-Token header */
104 const char *token = NULL;
105 for (size_t i = 0; i < req->num_headers; i++) {
106 if (strcasecmp(req->headers[i].name, "X-CSRF-Token") == 0) {
107 token = req->headers[i].value;
108 break;
109 }
110 }
111 
112 if (token == NULL) {
113 return -1;
114 }
115 
116 if (strcmp(token, g_csrf_token) != 0) {
117 return -1;
118 }
119 
120 return 0;
121}
122 
123#else
124 
125/* No-op implementations when upload is disabled */
126void http_csrf_init(void) {}
127const char *http_csrf_get_token(void) { return ""; }
128int http_csrf_validate(const http_request_t *req) {
129 (void)req;
130 return 0;
131}
132 
133#endif /* ENABLE_WEB_UPLOAD */
134