Merge pull request #1454 from hydephp/realtime-compiler-security

Add realtime compiler dashboard CSRF protection

Author: caendesilva

packages/realtime-compiler/resources/dashboard.blade.php

@@ -4,6 +4,7 @@
 <head>
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1">
+    <meta name="csrf-token" content="{{ $csrfToken }}">
     <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-T3c6CoIi6uLrA9TneNEoa7RxnatzjcDSCmG1MXxSR1GAsXEV/Dwwykc2MPK8M2HN" crossorigin="anonymous">
     <title>{{ $title }}</title>
     <base target="_parent">
@@ -64,6 +65,7 @@
                         <h2 class="h5 mb-0">Site Pages & Routes</h2>
                         @if($dashboard->isInteractive())
                             <form class="buttonActionForm" action="" method="POST">
+                                <input type="hidden" name="_token" value="{{ $csrfToken }}">
                                 <input type="hidden" name="action" value="openInExplorer">
                                 <button type="submit" class="btn btn-outline-primary btn-sm" title="Open project in system file explorer">Open folder</button>
                             </form>
@@ -136,6 +138,7 @@
                                             <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
                                         </div>
                                         <form id="createPageForm" action="" method="POST">
+                                            <input type="hidden" name="_token" value="{{ $csrfToken }}">
                                             <input type="hidden" name="action" value="createPage">
 
                                             <div class="modal-body">
@@ -242,6 +245,7 @@
                                     <div class="d-flex justify-content-end">
                                         @if($dashboard->isInteractive())
                                             <form class="buttonActionForm" action="" method="POST">
+                                                <input type="hidden" name="_token" value="{{ $csrfToken }}">
                                                 <input type="hidden" name="action" value="openPageInEditor">
                                                 <input type="hidden" name="routeKey" value="{{ $route->getRouteKey() }}">
                                                 <button type="submit" class="btn btn-outline-primary btn-sm me-2" title="Open in system default application">Edit</button>
@@ -302,6 +306,7 @@
                                                     @if($dashboard->isInteractive())
                                                         <div class="w-auto ps-0">
                                                             <form class="buttonActionForm" action="" method="POST">
+                                                                <input type="hidden" name="_token" value="{{ $csrfToken }}">
                                                                 <input type="hidden" name="action" value="openMediaFileInEditor">
                                                                 <input type="hidden" name="identifier" value="{{ $mediaFile->getIdentifier() }}">
                                                                 <button type="submit" class="btn btn-link btn-sm py-0" title="Open this image in the system editor">Edit</button>

packages/realtime-compiler/src/Http/BaseController.php

@@ -0,0 +1,113 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Hyde\RealtimeCompiler\Http;
+
+use Desilva\Microserve\Request;
+use Desilva\Microserve\Response;
+use Desilva\Microserve\JsonResponse;
+use Hyde\RealtimeCompiler\ConsoleOutput;
+use Symfony\Component\HttpKernel\Exception\HttpException;
+
+/**
+ * @internal This class is not intended to be edited outside the Hyde Realtime Compiler.
+ */
+abstract class BaseController
+{
+    protected Request $request;
+    protected ConsoleOutput $console;
+    protected bool $withConsoleOutput = false;
+    protected bool $withSession = false;
+
+    abstract public function handle(): Response;
+
+    public function __construct(?Request $request = null)
+    {
+        $this->request = $request ?? Request::capture();
+
+        if ($this->withConsoleOutput && ((bool) env('HYDE_SERVER_REQUEST_OUTPUT', false)) === true) {
+            $this->console = new ConsoleOutput();
+        }
+
+        if ($this->withSession) {
+            session_start();
+        }
+    }
+
+    protected function sendJsonErrorResponse(int $statusCode, string $message): JsonResponse
+    {
+        return new JsonResponse($statusCode, $this->matchStatusCode($statusCode), [
+            'error' => $message,
+        ]);
+    }
+
+    protected function abort(int $code, string $message): never
+    {
+        throw new HttpException($code, $message);
+    }
+
+    protected function matchStatusCode(int $statusCode): string
+    {
+        return match ($statusCode) {
+            200 => 'OK',
+            201 => 'Created',
+            400 => 'Bad Request',
+            403 => 'Forbidden',
+            404 => 'Not Found',
+            409 => 'Conflict',
+            default => 'Internal Server Error',
+        };
+    }
+
+    protected function authorizePostRequest(): void
+    {
+        if (! $this->isRequestMadeFromLocalhost()) {
+            throw new HttpException(403, "Refusing to serve request from address {$_SERVER['REMOTE_ADDR']} (must be on localhost)");
+        }
+
+        if ($this->withSession) {
+            if (! $this->validateCSRFToken($this->request->get('_token'))) {
+                throw new HttpException(403, 'Invalid CSRF token');
+            }
+        }
+    }
+
+    protected function isRequestMadeFromLocalhost(): bool
+    {
+        // As the dashboard is not password-protected, and it can make changes to the file system,
+        // we block any requests that are not coming from the host machine. While we are clear
+        // in the documentation that the realtime compiler should only be used for local
+        // development, we still want to be extra careful in case someone forgets.
+
+        $requestIp = $_SERVER['REMOTE_ADDR'];
+        $allowedIps = ['::1', '127.0.0.1', 'localhost'];
+
+        return in_array($requestIp, $allowedIps, true);
+    }
+
+    protected function generateCSRFToken(): string
+    {
+        if (empty($_SESSION['csrf_token'])) {
+            $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+        }
+
+        return $_SESSION['csrf_token'];
+    }
+
+    protected function validateCSRFToken(?string $suppliedToken): bool
+    {
+        if ($suppliedToken === null || empty($_SESSION['csrf_token'])) {
+            return false;
+        }
+
+        return hash_equals($_SESSION['csrf_token'], $suppliedToken);
+    }
+
+    protected function writeToConsole(string $message, string $context = 'dashboard'): void
+    {
+        if (isset($this->console)) {
+            $this->console->printMessage($message, $context);
+        }
+    }
+}

packages/realtime-compiler/src/Http/DashboardController.php

@@ -11,6 +11,7 @@
 use Illuminate\Support\Arr;
 use Hyde\Pages\MarkdownPage;
 use Hyde\Pages\MarkdownPost;
+use Desilva\Microserve\Request;
 use Desilva\Microserve\Response;
 use Hyde\Pages\Concerns\HydePage;
 use Hyde\Pages\DocumentationPage;
@@ -20,10 +21,8 @@
 use Desilva\Microserve\JsonResponse;
 use Hyde\Support\Filesystem\MediaFile;
 use Illuminate\Support\Facades\Process;
-use Hyde\RealtimeCompiler\ConsoleOutput;
 use Hyde\Framework\Actions\StaticPageBuilder;
 use Hyde\Framework\Actions\AnonymousViewCompiler;
-use Desilva\Microserve\Request;
 use Composer\InstalledVersions;
 use Hyde\Framework\Actions\CreatesNewPageSourceFile;
 use Hyde\Framework\Exceptions\FileConflictException;
@@ -33,12 +32,13 @@
 /**
  * @internal This class is not intended to be edited outside the Hyde Realtime Compiler.
  */
-class DashboardController
+class DashboardController extends BaseController
 {
     public string $title;
 
-    protected Request $request;
-    protected ConsoleOutput $console;
+    protected bool $withConsoleOutput = true;
+    protected bool $withSession = true;
+
     protected JsonResponse $response;
 
     protected bool $isAsync = false;
@@ -52,14 +52,11 @@ class DashboardController
         'The dashboard update your project files. You can disable this by setting `server.dashboard.interactive` to `false` in `config/hyde.php`.',
     ];
 
-    public function __construct()
+    public function __construct(?Request $request = null)
     {
-        $this->title = config('hyde.name').' - Dashboard';
-        $this->request = Request::capture();
+        parent::__construct($request);
 
-        if (((bool) env('HYDE_SERVER_REQUEST_OUTPUT', false)) === true) {
-            $this->console = new ConsoleOutput();
-        }
+        $this->title = config('hyde.name').' - Dashboard';
 
         $this->loadFlashData();
 
@@ -75,11 +72,9 @@ public function handle(): Response
                 return $this->sendJsonErrorResponse(403, 'Enable `server.editor` in `config/hyde.php` to use interactive dashboard features.');
             }
 
-            if ($this->shouldUnsafeRequestBeBlocked()) {
-                return $this->sendJsonErrorResponse(403, "Refusing to serve request from address {$_SERVER['REMOTE_ADDR']} (must be on localhost)");
-            }
-
             try {
+                $this->authorizePostRequest();
+
                 return $this->handlePostRequest();
             } catch (HttpException $exception) {
                 if (! $this->isAsync) {
@@ -98,7 +93,7 @@ public function handle(): Response
     protected function show(): string
     {
         return AnonymousViewCompiler::handle(__DIR__.'/../../resources/dashboard.blade.php', array_merge(
-            (array) $this, ['dashboard' => $this, 'request' => $this->request],
+            (array) $this, ['dashboard' => $this, 'request' => $this->request, 'csrfToken' => $this->generateCSRFToken()],
         ));
     }
 
@@ -451,38 +446,13 @@ protected static function getPackageVersion(string $packageName): string
         return $prettyVersion ?? 'unreleased';
     }
 
-    protected function shouldUnsafeRequestBeBlocked(): bool
-    {
-        // As the dashboard is not password-protected, and it can make changes to the file system,
-        // we block any requests that are not coming from the host machine. While we are clear
-        // in the documentation that the realtime compiler should only be used for local
-        // development, we still want to be extra careful in case someone forgets.
-
-        $requestIp = $_SERVER['REMOTE_ADDR'];
-        $allowedIps = ['::1', '127.0.0.1', 'localhost'];
-
-        return ! in_array($requestIp, $allowedIps, true);
-    }
-
     protected function setJsonResponse(int $statusCode, string $body): void
     {
         $this->response = new JsonResponse($statusCode, $this->matchStatusCode($statusCode), [
             'body' => $body,
         ]);
     }
 
-    protected function sendJsonErrorResponse(int $statusCode, string $message): JsonResponse
-    {
-        return new JsonResponse($statusCode, $this->matchStatusCode($statusCode), [
-            'error' => $message,
-        ]);
-    }
-
-    protected function abort(int $code, string $message): never
-    {
-        throw new HttpException($code, $message);
-    }
-
     protected function findGeneralOpenBinary(): string
     {
         return match (PHP_OS_FAMILY) {
@@ -496,28 +466,8 @@ protected function findGeneralOpenBinary(): string
         };
     }
 
-    protected function matchStatusCode(int $statusCode): string
-    {
-        return match ($statusCode) {
-            200 => 'OK',
-            201 => 'Created',
-            400 => 'Bad Request',
-            403 => 'Forbidden',
-            404 => 'Not Found',
-            409 => 'Conflict',
-            default => 'Internal Server Error',
-        };
-    }
-
     protected function hasAsyncHeaders(): bool
     {
         return (getallheaders()['X-RC-Handler'] ?? getallheaders()['x-rc-handler'] ?? null) === 'Async';
     }
-
-    protected function writeToConsole(string $message, string $context = 'dashboard'): void
-    {
-        if (isset($this->console)) {
-            $this->console->printMessage($message, $context);
-        }
-    }
 }

packages/realtime-compiler/src/Routing/PageRouter.php

@@ -33,7 +33,7 @@ public function __construct(Request $request)
     protected function handlePageRequest(): Response
     {
         if ($this->request->path === '/dashboard' && DashboardController::enabled()) {
-            return (new DashboardController())->handle();
+            return (new DashboardController($this->request))->handle();
         }
 
         return new HtmlResponse(200, 'OK', [