krakenjs / lusca

Application security for express apps.

Can't pass _csrf parameter via file upload #39

Closed soichih closed 9 years ago

soichih commented 10 years ago

I am not sure if I am setting this up correctly, but I can't seem to pass _csrf parameter via angularFileUpload module.

I am passing it like the following.

        $upload.upload({
            url: '/import/dsbudget',
            data: {
                _csrf: '<%=_csrf%>', //doesn't work here.. let's add to exclusion
                docid: $scope.docid,
                importtype: $scope.importtype.name,
                fd: $scope.fd },
            file: $scope.file,
        })

When I try uploading my file, I get the following error message.

Error: CSRF token mismatch
    at csrf (/usr/local/git/dsbudget/node_modules/lusca/lib/csrf.js:44:18)
    at Object.app.use.res.locals.user [as handle] (/usr/local/git/dsbudget/app.js:120:5)
    at next (/usr/local/git/dsbudget/node_modules/express/node_modules/connect/lib/proto.js:193:15)
    at /usr/local/git/dsbudget/node_modules/express-flash/lib/express-flash.js:31:7
    at /usr/local/git/dsbudget/node_modules/connect-flash/lib/flash.js:21:5
    at Object.handle (/usr/local/git/dsbudget/node_modules/express-flash/lib/express-flash.js:22:5)
    at next (/usr/local/git/dsbudget/node_modules/express/node_modules/connect/lib/proto.js:193:15)
    at SessionStrategy.strategy.pass (/usr/local/git/dsbudget/node_modules/passport/lib/middleware/authenticate.js:314:9)
    at /usr/local/git/dsbudget/node_modules/passport/lib/strategies/session.js:61:12
    at pass (/usr/local/git/dsbudget/node_modules/passport/lib/authenticator.js:333:31)
POST /import/dsbudget 403 15.011 ms - -

I see the token sent to my express server inside the HTTP request payload:

------WebKitFormBoundarysf8AO9yhuSLqzp68
Content-Disposition: form-data; name="_csrf"

iLmmo4qZGQ5hNaRpGE7ZKlDWV37lcWvQQUI64=

I am guessing that CSRF is not made to receive the token this way?

weisjohn commented 9 years ago

The docs say you can pass on the header, which is what I'm doing.

jasisk commented 9 years ago

Exactly. Not sure how I missed this issue, however we actually have first-class support for angular now. Simply set the angular flag as defined in the README.