Merge pull request #1695 from hackmdio/feat/csrf-export-user-data

Feat/csrf export user data

Author: Yukaii

lib/homepage/index.js

@@ -16,7 +16,8 @@ exports.showIndex = async (req, res) => {
     errorMessage: req.flash('error'),
     privacyStatement: fs.existsSync(path.join(config.docsPath, 'privacy.md')),
     termsOfUse: fs.existsSync(path.join(config.docsPath, 'terms-of-use.md')),
-    deleteToken: deleteToken
+    deleteToken: deleteToken,
+    csrfToken: req.csrfToken()
   }
 
   if (!isLogin) {

lib/routes.js

@@ -17,8 +17,11 @@ const appRouter = Router()
 
 // register route
 
+const csurf = require('csurf')
+const csurfMiddleware = csurf({ cookie: true })
+
 // get index
-appRouter.get('/', wrap(indexController.showIndex))
+appRouter.get('/', csurfMiddleware, wrap(indexController.showIndex))
 
 // ----- error page -----
 // get 403 forbidden
@@ -52,7 +55,7 @@ appRouter.get('/me', wrap(userController.getMe))
 appRouter.get('/me/delete/:token?', wrap(userController.deleteUser))
 
 // export the data of the authenticated user
-appRouter.get('/me/export', userController.exportMyData)
+appRouter.post('/me/export', urlencodedParser, csurfMiddleware, userController.exportMyData)
 
 appRouter.get('/user/:username/avatar.svg', userController.getMyAvatar)
 

package-lock.json

@@ -49,6 +49,7 @@
     "connect-session-sequelize": "~6.0.0",
     "cookie": "~0.4.0",
     "cookie-parser": "~1.4.4",
+    "csurf": "~1.11.0",
     "deep-freeze": "~0.0.1",
     "ejs": "~2.6.2",
     "express": "~4.17.1",

package.json

@@ -90,7 +90,7 @@ function pageInit () {
   )
 }
 
-$('.masthead-nav li').click(function () {
+$('.masthead-nav > li').click(function () {
   $(this).siblings().removeClass('active')
   $(this).addClass('active')
 })
@@ -428,3 +428,7 @@ $('.ui-use-tags').on('change', function () {
 $('.search').keyup(() => {
   checkHistoryList()
 })
+
+$('.ui-export-user-data').click(function (e) {
+  document.exportNoteData.submit()
+})

public/js/cover.js

@@ -19,6 +19,9 @@
                                 <button class="btn btn-sm btn-success ui-signin" data-toggle="modal" data-target=".signin-modal"><%= __('Sign In') %></button>
                                 <% } %>
                             </div>
+                            <form name="exportNoteData" action="<%- serverURL %>/me/export" method="post">
+                                <input type="hidden" name="_csrf" value="<%- csrfToken %>">
+                            </form>
                             <div class="ui-signout" style="float: right; margin-top: 8px;<% if(!signin) { %> display: none;<% } %>">
                                 <a type="button" href="<%- serverURL %>/new" class="btn btn-sm btn-primary"><i class="fa fa-plus"></i> <%= __('New note') %></a>
                                 <span class="ui-profile dropdown pull-right">
@@ -27,7 +30,7 @@
                                     </button>
                                     <ul class="dropdown-menu" aria-labelledby="profileLabel">
                                         <li><a href="<%- serverURL %>/features"><i class="fa fa-dot-circle-o fa-fw"></i> <%= __('Features') %></a></li>
-                                        <li><a href="<%- serverURL %>/me/export"><i class="fa fa-cloud-download fa-fw"></i> <%= __('Export user data') %></a></li>
+                                        <li><a href="#" class="ui-export-user-data"><i class="fa fa-cloud-download fa-fw"></i> <%= __('Export user data') %></a></li>
                                         <li><a class="ui-delete-user" data-toggle="modal" data-target=".delete-user-modal"><i class="fa fa-trash fa-fw"></i> <%= __('Delete user') %></a></li>
                                         <li><a href="<%- serverURL %>/logout"><i class="fa fa-sign-out fa-fw"></i> <%= __('Sign Out') %></a></li>
                                     </ul>