Check user_id as part of validating CSRF tokens

2018-11-08 00:29:20 -06:00 · 2018-11-08 00:29:20 -06:00 · 1ff8579575
commit 1ff8579575
parent b9c29bf537
2 changed files with 9 additions and 5 deletions
--- a/src/invidious.cr
+++ b/src/invidious.cr
@ -1429,7 +1429,7 @@ post "/delete_account" do |env|
    token = env.params.body["token"]?

    begin
-      validate_response(challenge, token, "delete_account", HMAC_KEY)
+      validate_response(challenge, token, user.email, "delete_account", HMAC_KEY)
    rescue ex
      error_message = ex.message
      next templated "error"
@ -1474,7 +1474,7 @@ post "/clear_watch_history" do |env|
    token = env.params.body["token"]?

    begin
-      validate_response(challenge, token, "clear_watch_history", HMAC_KEY)
+      validate_response(challenge, token, user.email, "clear_watch_history", HMAC_KEY)
    rescue ex
      error_message = ex.message
      next templated "error"
--- a/src/invidious/helpers/helpers.cr
+++ b/src/invidious/helpers/helpers.cr
@ -403,7 +403,7 @@ def create_response(user_id, operation, key)
  return challenge, token
 end

-def validate_response(challenge, token, action, key)
+def validate_response(challenge, token, user_id, operation, key)
  if !challenge
    raise "Hidden field \"challenge\" is a required field"
  end
@ -414,7 +414,7 @@ def validate_response(challenge, token, action, key)

  challenge = Base64.decode_string(challenge)
  if challenge.split("-").size == 4
-    expire, nonce, user_id, operation = challenge.split("-")
+    expire, nonce, challenge_user_id, challenge_operation = challenge.split("-")

    expire = expire.to_i?
    expire ||= 0
@ -429,7 +429,11 @@ def validate_response(challenge, token, action, key)
    raise "Invalid token"
  end

-  if operation != action
+  if challenge_operation != operation
+    raise "Invalid token"
+  end
+
+  if challenge_user_id != user_id
    raise "Invalid token"
  end