From 17bf0d109ee9dd764f79a0f61d24b643ea808eb2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C4=93teris=20Caune?= <cuu508@gmail.com>
Date: Fri, 30 Dec 2016 18:28:32 +0200
Subject: [PATCH] Fix CSRF in Slack, Pushbullet and Discord callbacks

---
 hc/front/tests/test_add_discord.py    | 23 ++++++++++++-
 hc/front/tests/test_add_pushbullet.py | 23 ++++++++++++-
 hc/front/tests/test_add_slack_btn.py  | 29 ++++++++++++++--
 hc/front/views.py                     | 48 +++++++++++++++++++++------
 templates/front/welcome.html          |  6 ++--
 templates/integrations/add_slack.html |  2 +-
 6 files changed, 113 insertions(+), 18 deletions(-)

diff --git a/hc/front/tests/test_add_discord.py b/hc/front/tests/test_add_discord.py
index 4eab11fe..dbdbcec7 100644
--- a/hc/front/tests/test_add_discord.py
+++ b/hc/front/tests/test_add_discord.py
@@ -16,6 +16,9 @@ class AddDiscordTestCase(BaseTestCase):
         self.assertContains(r, "Connect Discord", status_code=200)
         self.assertContains(r, "discordapp.com/api/oauth2/authorize")
 
+        # There should now be a key in session
+        self.assertTrue("discord" in self.client.session)
+
     @override_settings(DISCORD_CLIENT_ID=None)
     def test_it_requires_client_id(self):
         self.client.login(username="alice@example.org", password="password")
@@ -24,6 +27,10 @@ class AddDiscordTestCase(BaseTestCase):
 
     @patch("hc.front.views.requests.post")
     def test_it_handles_oauth_response(self, mock_post):
+        session = self.client.session
+        session["discord"] = "foo"
+        session.save()
+
         oauth_response = {
             "access_token": "test-token",
             "webhook": {
@@ -35,7 +42,7 @@ class AddDiscordTestCase(BaseTestCase):
         mock_post.return_value.text = json.dumps(oauth_response)
         mock_post.return_value.json.return_value = oauth_response
 
-        url = self.url + "?code=12345678"
+        url = self.url + "?code=12345678&state=foo"
 
         self.client.login(username="alice@example.org", password="password")
         r = self.client.get(url, follow=True)
@@ -44,3 +51,17 @@ class AddDiscordTestCase(BaseTestCase):
 
         ch = Channel.objects.get()
         self.assertEqual(ch.discord_webhook_url, "foo")
+
+        # Session should now be clean
+        self.assertFalse("discord" in self.client.session)
+
+    def test_it_avoids_csrf(self):
+        session = self.client.session
+        session["discord"] = "foo"
+        session.save()
+
+        url = self.url + "?code=12345678&state=bar"
+
+        self.client.login(username="alice@example.org", password="password")
+        r = self.client.get(url)
+        self.assertEqual(r.status_code, 400)
diff --git a/hc/front/tests/test_add_pushbullet.py b/hc/front/tests/test_add_pushbullet.py
index c7ab0211..6356a046 100644
--- a/hc/front/tests/test_add_pushbullet.py
+++ b/hc/front/tests/test_add_pushbullet.py
@@ -16,6 +16,9 @@ class AddPushbulletTestCase(BaseTestCase):
         self.assertContains(r, "www.pushbullet.com/authorize", status_code=200)
         self.assertContains(r, "Connect Pushbullet")
 
+        # There should now be a key in session
+        self.assertTrue("pushbullet" in self.client.session)
+
     @override_settings(PUSHBULLET_CLIENT_ID=None)
     def test_it_requires_client_id(self):
         self.client.login(username="alice@example.org", password="password")
@@ -24,12 +27,16 @@ class AddPushbulletTestCase(BaseTestCase):
 
     @patch("hc.front.views.requests.post")
     def test_it_handles_oauth_response(self, mock_post):
+        session = self.client.session
+        session["pushbullet"] = "foo"
+        session.save()
+
         oauth_response = {"access_token": "test-token"}
 
         mock_post.return_value.text = json.dumps(oauth_response)
         mock_post.return_value.json.return_value = oauth_response
 
-        url = self.url + "?code=12345678"
+        url = self.url + "?code=12345678&state=foo"
 
         self.client.login(username="alice@example.org", password="password")
         r = self.client.get(url, follow=True)
@@ -38,3 +45,17 @@ class AddPushbulletTestCase(BaseTestCase):
 
         ch = Channel.objects.get()
         self.assertEqual(ch.value, "test-token")
+
+        # Session should now be clean
+        self.assertFalse("pushbullet" in self.client.session)
+
+    def test_it_avoids_csrf(self):
+        session = self.client.session
+        session["pushbullet"] = "foo"
+        session.save()
+
+        url = self.url + "?code=12345678&state=bar"
+
+        self.client.login(username="alice@example.org", password="password")
+        r = self.client.get(url)
+        self.assertEqual(r.status_code, 400)
diff --git a/hc/front/tests/test_add_slack_btn.py b/hc/front/tests/test_add_slack_btn.py
index e82a0e7f..a564ab34 100644
--- a/hc/front/tests/test_add_slack_btn.py
+++ b/hc/front/tests/test_add_slack_btn.py
@@ -14,6 +14,9 @@ class AddSlackBtnTestCase(BaseTestCase):
         self.assertContains(r, "Before adding Slack integration",
                             status_code=200)
 
+        # There should now be a key in session
+        self.assertTrue("slack" in self.client.session)
+
     @override_settings(SLACK_CLIENT_ID="foo")
     def test_slack_button(self):
         self.client.login(username="alice@example.org", password="password")
@@ -22,6 +25,10 @@ class AddSlackBtnTestCase(BaseTestCase):
 
     @patch("hc.front.views.requests.post")
     def test_it_handles_oauth_response(self, mock_post):
+        session = self.client.session
+        session["slack"] = "foo"
+        session.save()
+
         oauth_response = {
             "ok": True,
             "team_name": "foo",
@@ -34,7 +41,7 @@ class AddSlackBtnTestCase(BaseTestCase):
         mock_post.return_value.text = json.dumps(oauth_response)
         mock_post.return_value.json.return_value = oauth_response
 
-        url = "/integrations/add_slack_btn/?code=12345678"
+        url = "/integrations/add_slack_btn/?code=12345678&state=foo"
 
         self.client.login(username="alice@example.org", password="password")
         r = self.client.get(url, follow=True)
@@ -46,8 +53,26 @@ class AddSlackBtnTestCase(BaseTestCase):
         self.assertEqual(ch.slack_channel, "bar")
         self.assertEqual(ch.slack_webhook_url, "http://example.org")
 
+        # Session should now be clean
+        self.assertFalse("slack" in self.client.session)
+
+    def test_it_avoids_csrf(self):
+        session = self.client.session
+        session["slack"] = "foo"
+        session.save()
+
+        url = "/integrations/add_slack_btn/?code=12345678&state=bar"
+
+        self.client.login(username="alice@example.org", password="password")
+        r = self.client.get(url)
+        self.assertEqual(r.status_code, 400)
+
     @patch("hc.front.views.requests.post")
     def test_it_handles_oauth_error(self, mock_post):
+        session = self.client.session
+        session["slack"] = "foo"
+        session.save()
+
         oauth_response = {
             "ok": False,
             "error": "something went wrong"
@@ -56,7 +81,7 @@ class AddSlackBtnTestCase(BaseTestCase):
         mock_post.return_value.text = json.dumps(oauth_response)
         mock_post.return_value.json.return_value = oauth_response
 
-        url = "/integrations/add_slack_btn/?code=12345678"
+        url = "/integrations/add_slack_btn/?code=12345678&state=foo"
 
         self.client.login(username="alice@example.org", password="password")
         r = self.client.get(url, follow=True)
diff --git a/hc/front/views.py b/hc/front/views.py
index fc58a973..4492ae8c 100644
--- a/hc/front/views.py
+++ b/hc/front/views.py
@@ -91,7 +91,9 @@ def index(request):
         "page": "welcome",
         "check": check,
         "ping_url": check.url(),
-        "enable_pushover": settings.PUSHOVER_API_TOKEN is not None
+        "enable_pushbullet": settings.PUSHBULLET_CLIENT_ID is not None,
+        "enable_pushover": settings.PUSHOVER_API_TOKEN is not None,
+        "enable_discord": settings.DISCORD_CLIENT_ID is not None
     }
 
     return render(request, "front/welcome.html", ctx)
@@ -430,6 +432,24 @@ def add_pd(request):
     return render(request, "integrations/add_pd.html", ctx)
 
 
+def _prepare_state(request, session_key):
+    state = get_random_string()
+    request.session[session_key] = state
+    return state
+
+
+def _get_validated_code(request, session_key):
+    if session_key not in request.session:
+        return None
+
+    session_state = request.session.pop(session_key)
+    request_state = request.GET.get("state")
+    if session_state is None or session_state != request_state:
+        return None
+
+    return request.GET.get("code")
+
+
 def add_slack(request):
     if not settings.SLACK_CLIENT_ID and not request.user.is_authenticated:
         return redirect("hc-login")
@@ -452,13 +472,16 @@ def add_slack(request):
         "slack_client_id": settings.SLACK_CLIENT_ID
     }
 
+    if settings.SLACK_CLIENT_ID:
+        ctx["state"] = _prepare_state(request, "slack")
+
     return render(request, "integrations/add_slack.html", ctx)
 
 
 @login_required
 def add_slack_btn(request):
-    code = request.GET.get("code", "")
-    if len(code) < 8:
+    code = _get_validated_code(request, "slack")
+    if code is None:
         return HttpResponseBadRequest()
 
     result = requests.post("https://slack.com/api/oauth.access", {
@@ -507,8 +530,8 @@ def add_pushbullet(request):
         raise Http404("pushbullet integration is not available")
 
     if "code" in request.GET:
-        code = request.GET.get("code", "")
-        if len(code) < 8:
+        code = _get_validated_code(request, "pushbullet")
+        if code is None:
             return HttpResponseBadRequest()
 
         result = requests.post("https://api.pushbullet.com/oauth2/token", {
@@ -536,7 +559,8 @@ def add_pushbullet(request):
     authorize_url = "https://www.pushbullet.com/authorize?" + urlencode({
         "client_id": settings.PUSHBULLET_CLIENT_ID,
         "redirect_uri": redirect_uri,
-        "response_type": "code"
+        "response_type": "code",
+        "state": _prepare_state(request, "pushbullet")
     })
 
     ctx = {
@@ -553,8 +577,8 @@ def add_discord(request):
 
     redirect_uri = settings.SITE_ROOT + reverse("hc-add-discord")
     if "code" in request.GET:
-        code = request.GET.get("code", "")
-        if len(code) < 8:
+        code = _get_validated_code(request, "discord")
+        if code is None:
             return HttpResponseBadRequest()
 
         result = requests.post("https://discordapp.com/api/oauth2/token", {
@@ -579,17 +603,19 @@ def add_discord(request):
 
         return redirect("hc-channels")
 
-    authorize_url = "https://discordapp.com/api/oauth2/authorize?" + urlencode({
+    auth_url = "https://discordapp.com/api/oauth2/authorize?" + urlencode({
         "client_id": settings.DISCORD_CLIENT_ID,
         "scope": "webhook.incoming",
         "redirect_uri": redirect_uri,
-        "response_type": "code"
+        "response_type": "code",
+        "state": _prepare_state(request, "discord")
     })
 
     ctx = {
         "page": "channels",
-        "authorize_url": authorize_url
+        "authorize_url": auth_url
     }
+
     return render(request, "integrations/add_discord.html", ctx)
 
 
diff --git a/templates/front/welcome.html b/templates/front/welcome.html
index 65ce1d5b..a4207209 100644
--- a/templates/front/welcome.html
+++ b/templates/front/welcome.html
@@ -248,12 +248,14 @@
                 <td>Notifications in <a href="https://slack.com/">Slack</a> channel.</td>
             </tr>
 
+            {% if enable_discord %}
             <tr>
                 <td>
                     <img width="22" height="22" alt="Discord icon" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACwAAAAsAQMAAAAkSshCAAAABGdBTUEAALGPC/xhBQAAAAFzUkdCAK7OHOkAAAAGUExURUxpcXKJ2kFuBesAAAABdFJOUwBA5thmAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAb0lEQVQY053QzQmAMAwF4CceRBAcoaPoSG5gQQfrKAUXKF68FGOf8feogfDd8pKgEJEI1AkBzAP7g+gnMqMkASD+or9xJ21DQnhg34BtRmVARZzv9mG932Nl+bruepCm8PYUxE8wLFWtFEquZArsBlghj/fhSNdMAAAAAElFTkSuQmCC" />
                 </td>
                 <td>Notifications in <a href="https://discordapp.com/">Discord</a> channel.</td>
             </tr>
+            {% endif %}
 
             <tr>
                 <td>
@@ -283,14 +285,14 @@
                 <td>Open and resolve incidents in <a href="https://victorops.com/">VictorOps</a>.</td>
             </tr>
 
-
-
+            {% if enable_pushbullet %}
             <tr>
                 <td>
                     <img width="22" height="22" alt="Pushbullet icon" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACwAAAAsCAMAAAApWqozAAAABGdBTUEAALGPC/xhBQAAAAFzUkdCAK7OHOkAAAAJcEhZcwAACxMAAAsTAQCanBgAAAMAUExURUxpcX+ogzl6UzJlSAECAR49LQAAAAIFAgAAAAAAAHrChoC1hwAAAAAAAAAAABMjHIu6j4PEjRMlHD+RXoXFjUWUX0KWYVGbYgEBAjyIWXzBh3efe4rBkIbHj3nAhWeHaYK9igUHCFt6XkecZHmrgC5fRHC8fo24kIe+jnrCh4O8i4qvi4XDjoCthVuRZGaJaViRY0mgZixbQC9gQCFBL0B+U1mvcj+aYCVSOC5kRStWQIO1iEKWYRYpIRcpIIW9jHXBgk6bZoS9i3ixgFyhaXq8hGKkbm28fHy0g2CcbESSYjtwSkyWYU6SXl6ba1aqa2a4dzVlSWO4dHO4f1uhaTJhRjRzTTNxTT+RYEiSW0qoazNsSDJwSzJuSz+gZUSoZIGvhkOYYGe4d22cc/38/P38/fz7+//+/2q+em7AfXDBfnHBf3TCgm/Afm6/fXLCgGS6dnPCgfz8+2y/fGa8d165cmm9eUaqav/9/mC5c8fe0kKranbDg1u4cGa9d2y+fEWpami9eESbaEqzaU6yame7eWK6dEqlbKvYtP///zuSZUeWbVG1a2W7dmC2c0qrbGu9e0uqbtTm3EekaUOeakiuaqbUsEOpa0GqadPm23PBgUOka0SnakehaVS2bU6waUuobGK6dVm1b0Ocamu+e16zcGu/e0Oia0esakamaT+VY0SfaEOfakmia2C4c1iyblKva6LSrkKna0uzaV21cVe2bv/9/124cUSrakizZ0ioa/v7+3nEhWe6d/P29FOzbFSxbEWsaGO2dUuvbU2tbj2WZ0aXazuRY0SXZ0edaUGWZEifaUaaaJXEqmS5dVm4b2S7dVqmeVOhdJbFrEiwaEGZaUmzaP79/UmbcEihbECYZanVtE+saF24cY/Bpa/atkSvakutbbrYyMng03ezkfT59ZvSpbDTvufw6ozJmlivbnfCh0Ksasfjzdzt34HDj57Qqdfr3GGnfpDKnZXCqI2+omaqgna9h/H28lKrar/dyoPClk+wbkyibE+lcMjh0e9qjokAAABkdFJOUwAou3wDTAECCQb1YRMOGTRl2Sbi8eH4lybG2Ayo9dgfpy0Q+GWD3Fkj3HwSuV0sF0fghzcgdfzmaIt7Zt9HR4329I08lryI9j1v9FDCi27h3m32u4hsqqr3ivhPnZ35+ibi+yqXaXYbAAAE2UlEQVQ4y33VBVRbZxQH8Fc0eCmUQt3dvZ27u/vZOdlLIMSNQARohLQkhCFLkY0Fb0LRUqxFCh0wyIDhLVpZdco2Ojln93svBGjp/hzgOyc/Lve7ObkPw+7Klo3Pemx+5PHNHk9s3IL9fzZs3eReI+Wy2Wyp9NFNWzfcXy7x8K/hckPZXDaDwQgJCQkOZvt7LJnbzvetCQ3lcqEsA2FmMCSHsXz+HNRtaY2UtEjaLD+Yz2eudLrbzvNFNhR1C5hJWhY/h8+nBy+eN9uuWCaV2jDqgWmz/JycHDqd7r5iVt1lodM9QAvI8qcoXSR3n1HbzZcom5LCZpJVWVBUkUUnIoqKipIvd7PjpUQHKdACE8KCKBQGhQEgXSRCOIq+0j4zaQoEpMJgMCgULAVdpTqDolKpBCq5QC6XC+gPkHb1YgaDjf791ZGRkZibCgMjOYZI8vWbKqsAItfpOtavJvDaUGIArKtaWjmNdtvQcFtLs+XKLz/prRyOjqPrEK0lsD+L6NQQQ+PxqLzw/dk/9qED8UXl/aZvsFrhD9TuyG5jsIgriQBTqdRL/f8ChgNY+PVZ+c/Z+gaJWq0WbMMw16eyFCiGMzE0ELzw/qbP+whJfPOoV/7M1uslwN9wwXasp2chLrJeoKFXLyGMEJUoz+OF/XVHrz8pkUhe3YFtf4aYvEjVcIGGKoUfOwqVCYcTpXnazhtleolQ8vp2bKcBRm/DRBsI86aagOC0H8w3yoRCoWQn9hy8P4IolYrTkDxdmbQ2jl+LLigsGxoSvow9LSBj1QMmKx/vs1t0U3yyayDDdPq07E3sSYFOoNNxOIDL7ZVxe8M8OJ7tHNDEm2SyRdgigICt1uwZbeD2ptE9JxFuNAF+qeNriFqtB4zjMyqTGJ2gDU18fOOp97B9BJUALqbBK1SEw2yM7AO/NjigyYhv/Gcf9kKZBOWkvrAYtYGHH/sGLojbNQ6jayVw/AfYnv1CNEN9mR3DNKZmjDrGtV1tBZqMscb392B7X0F4aIjAaHTnofJUC5DqvvETLQWauLGxXXsxyosyyJDMVFdMXhBhQlUTTVRP/tr2bUFV3Ni5IArm+poJaRPCqE87xsmRhP3e2pKuATz2livm4vmY7DsIwvBu4SS2zQ6KX24mCsede94T7QHHwlOQwrrr8Gkqp42fPzoOB21YmFarPXv8j9a2lvQEwFWOaIu5LNj1JaS2rujv79vbh7t6evqH2yfaJybahy93NjdHI1sVl/TgAnLFONaCra0tumhuamrqyczM7BkcPIHS2hyNbD5YsSO5Zlw8HWJjYwEX3dGAzLQkWhIzo8m0mMGK85KSHDxdyMXhFLgQdKyyqOhiQqLFkpuba7EkQszmdHNCfr4YsF+gfe9SnNfEKpXKryBVQFNTU+FnbkICyLTISLABztO7DqM8vEapJHleaklJSRpKfiREDMkLeIgyc+dSnBcqS0uPHCktLc0r+QKCXGSFuKKioj7Pz5kye5tTVjl0A0ZJInGFOKIior6+PtJhFeWeZ4r3uk+7gfb29oKOIHNrNM1vnbfbvU8gVy+f3QG9lb2VlZWj4IxGY8Qt47u7fbxc53y2OXkFHg468El9d+Wo0ViS+vGBoMOBXk73fWw6Ubx9nA8e+vDtdz46dNDZx5sym/4Hf8sasXN/S2oAAAAASUVORK5CYII=" />
                 </td>
                 <td>Instant push notifications with <a href="https://www.pushbullet.com/">Pushbullet</a>.</td>
             </tr>
+            {% endif %}
 
             {% if enable_pushover %}
             <tr>
diff --git a/templates/integrations/add_slack.html b/templates/integrations/add_slack.html
index 0738bbbd..5d27ed50 100644
--- a/templates/integrations/add_slack.html
+++ b/templates/integrations/add_slack.html
@@ -16,7 +16,7 @@
         Slack channel.</p>
 
         <div class="text-center">
-        <a href="https://slack.com/oauth/authorize?scope=incoming-webhook&client_id={{ slack_client_id }}">
+        <a href="https://slack.com/oauth/authorize?scope=incoming-webhook&client_id={{ slack_client_id }}&state={{ state }}">
             <img alt="Add to Slack" height="40" width="139" src="https://platform.slack-edge.com/img/add_to_slack.png" srcset="https://platform.slack-edge.com/img/add_to_slack.png 1x, https://platform.slack-edge.com/img/add_to_slack@2x.png 2x" />
         </a>
         </div>