go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

Lang cookie missing secure/httpOnly attributes #9690

Closed. tgurr closed this 3 years ago.

tgurr commented 4 years ago

(screenshot: gitea_cookies_trygiteaio)

Description

I've configured my Gitea instance with CSRF_COOKIE_HTTP_ONLY and COOKIE_SECURE:

; Set false to allow JavaScript to read CSRF cookie
CSRF_COOKIE_HTTP_ONLY = true
; If you use session in https only, default is false
COOKIE_SECURE = true

which works fine, except for the lang cookie that doesn't seem to respect that setting:

(screenshot: gitea_cookies)

resulting in a security scanner complaining about the cookie missing the secure and httpOnly attributes.

rodolpheh commented 4 years ago

I think it all boils down to the i18n module for macaron-go : https://github.com/go-macaron/i18n/blob/5a5348d12f10480196f7376cf48de94fa93eb236/i18n.go#L202

rodolpheh commented 4 years ago

My bad, I just saw that i18n in Gitea is a fork. Anyway, the changes I tried to introduce in https://github.com/go-macaron/i18n/pull/11 work on the i18n version of Gitea. This was tested on a Docker build with the latest sources.

(screenshot)

tgurr commented 3 years ago

@rodolpheh thanks for your work! Looks like the changes have also been pulled into the i18n Gitea fork in the meantime. Is there any option that allows enabling this, or is the only way to enable/test this currently to manually change the settings, which are off by default in i18n.go, before compiling Gitea?

rodolpheh commented 3 years ago

Sorry, I have a terrible memory and barely remembered doing that :smile:. Unfortunately it seems that I haven't pushed any changes that would allow setting those in Gitea. I had to dig a little before finding what I had changed in Gitea to make it work. Please find attached a patch file until a proper push is made on Gitea. I pulled the latest sources to make sure this works, so hopefully it should work for you.

After applying this patch, the Secure and HttpOnly flags should be added if you had COOKIE_SECURE and CSRF_COOKIE_HTTP_ONLY set to true in your app settings.

macaron.go.patch.txt
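As an added illustration (this is not code from Gitea, its i18n fork, or either commenter's patch), the following Go program shows the behaviour described above: the lang cookie takes its Secure and HttpOnly attributes from the two settings, and a small check of the kind the scanner in the first post performs reports any cookie that is still missing them. The names cookieSettings, setLangCookie, missingFlags and auditLangCookie are hypothetical; the settings they stand in for are COOKIE_SECURE and CSRF_COOKIE_HTTP_ONLY, and the cookie name lang matches the thread. The SameSite attribute is an extra hardening choice of this example, not something the thread discusses.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// cookieSettings is a hypothetical stand-in for the two app.ini settings
// discussed in the thread: COOKIE_SECURE and CSRF_COOKIE_HTTP_ONLY.
type cookieSettings struct {
	Secure   bool // COOKIE_SECURE
	HTTPOnly bool // CSRF_COOKIE_HTTP_ONLY
}

const langCookieName = "lang"

// setLangCookie writes the language cookie and propagates the Secure and
// HttpOnly flags from the settings instead of leaving them off.
// SameSite=Lax is an addition of this example, not part of the thread.
func setLangCookie(w http.ResponseWriter, lang string, cfg cookieSettings) {
	http.SetCookie(w, &http.Cookie{
		Name:     langCookieName,
		Value:    lang,
		Path:     "/",
		MaxAge:   365 * 24 * 60 * 60,
		Secure:   cfg.Secure,
		HttpOnly: cfg.HTTPOnly,
		SameSite: http.SameSiteLaxMode,
	})
}

// missingFlags does what a scanner does: it parses every Set-Cookie header
// and returns, per cookie name, the attributes that are absent.
func missingFlags(header http.Header) map[string][]string {
	findings := map[string][]string{}
	for _, raw := range header.Values("Set-Cookie") {
		parts := strings.Split(raw, ";")
		name := strings.SplitN(strings.TrimSpace(parts[0]), "=", 2)[0]
		hasSecure, hasHTTPOnly := false, false
		for _, attr := range parts[1:] {
			// Attribute names are case-insensitive; values (Path=/) are ignored here.
			switch strings.ToLower(strings.TrimSpace(attr)) {
			case "secure":
				hasSecure = true
			case "httponly":
				hasHTTPOnly = true
			}
		}
		var missing []string
		if !hasSecure {
			missing = append(missing, "Secure")
		}
		if !hasHTTPOnly {
			missing = append(missing, "HttpOnly")
		}
		if len(missing) > 0 {
			findings[name] = missing
		}
	}
	return findings
}

// auditLangCookie renders the lang cookie under cfg into a recorded response
// and reports which attributes a scanner would flag as missing.
func auditLangCookie(cfg cookieSettings) map[string][]string {
	rec := httptest.NewRecorder()
	setLangCookie(rec, "en-US", cfg)
	return missingFlags(rec.Header())
}

func main() {
	// With both settings off, the cookie is flagged for both attributes.
	fmt.Println("defaults:", auditLangCookie(cookieSettings{}))
	// With both settings on, nothing is reported.
	fmt.Println("hardened:", auditLangCookie(cookieSettings{Secure: true, HTTPOnly: true}))
}
```

The same missingFlags check can be run against the headers of a live instance (for example via an http.Get of the login page) to confirm that every cookie, not only lang, carries the attributes the settings promise.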

tgurr commented 3 years ago

@rodolpheh Thanks for the hint. I couldn't apply your patch, probably because I build from source, so I had no /routers/routes/macaron.go b/routers/routes/macaron.go file to begin with.

Based on your patch I went with this: gitea-1.13.1-lang-cookie.txt. Not sure if it's ready for a PR like it is, but it appears to do the trick:

(screenshot: Screenshot_20210104_083856)