github.com/google/go-safeweb@v0.0.0-20231219055052-64d8cfc90fbb/safehttp/plugins/fetchmetadata/fetchmetadata.go

github.com/google/go-safeweb@v0.0.0-20231219055052-64d8cfc90fbb/safehttp/plugins/fetchmetadata/fetchmetadata.go (about)

     1  // Copyright 2022 Google LLC
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //	https://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // Package fetchmetadata provides Fetch-Metadata based protections.
    16  package fetchmetadata
    17  
    18  import (
    19  	"log"
    20  
    21  	"github.com/google/go-safeweb/safehttp"
    22  )
    23  
    24  var (
    25  	navigationalModes = map[string]bool{
    26  		"navigate":        true,
    27  		"nested-navigate": true,
    28  	}
    29  )
    30  
    31  // TODO(empijei): implement NIP as soon as it's production ready.
    32  
    33  // Policy is a security policy based on Fetch Metadata.
    34  //
    35  // See https://web.dev/fetch-metadata/ for more.
    36  type Policy struct {
    37  	isAllowed  func(*safehttp.IncomingRequest) bool
    38  	match      func(safehttp.InterceptorConfig) bool
    39  	skip       func(cfg safehttp.InterceptorConfig) (skip, skipReports bool)
    40  	signal     string
    41  	navigate   *safehttp.URL
    42  	ReportOnly bool
    43  }
    44  
    45  // Before implements the Fetch Metadata validation and signals logic.
    46  func (p *Policy) Before(w safehttp.ResponseWriter, r *safehttp.IncomingRequest, cfg safehttp.InterceptorConfig) safehttp.Result {
    47  	skip, skipReports := p.skip(cfg)
    48  	if p.ReportOnly {
    49  		skip = true
    50  	}
    51  
    52  	if p.isAllowed(r) {
    53  		return safehttp.NotWritten()
    54  	}
    55  
    56  	if !skipReports {
    57  		// TODO(empijei): report this.
    58  		log.Printf("Request for %s %q should be blocked by %s. Actually_blocked=%v", r.Method(), r.URL().String(), p.signal, !skip)
    59  	}
    60  	if skip {
    61  		return safehttp.NotWritten()
    62  	}
    63  	if safehttp.IsLocalDev() {
    64  		log.Println("fetchmetadata plugin blocked a potentially malicious request")
    65  	}
    66  	if p.navigate != nil {
    67  		return safehttp.Redirect(w, r, p.navigate.String(), safehttp.StatusSeeOther)
    68  	}
    69  	return w.WriteError(safehttp.StatusForbidden)
    70  }
    71  
    72  // Commit is a no-op, required to satisfy the safehttp.Interceptor interface.
    73  func (p *Policy) Commit(w safehttp.ResponseHeadersWriter, r *safehttp.IncomingRequest, resp safehttp.Response, _ safehttp.InterceptorConfig) {
    74  }
    75  
    76  // Match recongnizes configs to disable fetch metadata protection.
    77  func (p *Policy) Match(cfg safehttp.InterceptorConfig) bool { return p.match(cfg) }