forked from justinas/nosurf
-
Notifications
You must be signed in to change notification settings - Fork 0
/
exempt.go
108 lines (93 loc) · 2.64 KB
/
exempt.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
package nosurf
import (
"fmt"
"net/http"
pathModule "path"
"reflect"
"regexp"
)
// Checks if the given request is exempt from CSRF checks.
// It checks the ExemptFunc first, then the exact paths,
// then the globs and finally the regexps.
func (h *CSRFHandler) IsExempt(r *http.Request) bool {
if h.exemptFunc != nil && h.exemptFunc(r) {
return true
}
path := r.URL.Path
if sContains(h.exemptPaths, path) {
return true
}
// then the globs
for _, glob := range h.exemptGlobs {
matched, err := pathModule.Match(glob, path)
if matched && err == nil {
return true
}
}
// finally, the regexps
for _, re := range h.exemptRegexps {
if re.MatchString(path) {
return true
}
}
return false
}
// Exempts an exact path from CSRF checks
// With this (and other Exempt* methods)
// you should take note that Go's paths
// include a leading slash.
func (h *CSRFHandler) ExemptPath(path string) {
h.exemptPaths = append(h.exemptPaths, path)
}
// A variadic argument version of ExemptPath()
func (h *CSRFHandler) ExemptPaths(paths ...string) {
for _, v := range paths {
h.ExemptPath(v)
}
}
// Exempts URLs that match the specified glob pattern
// (as used by filepath.Match()) from CSRF checks
//
// Note that ExemptGlob() is unable to detect syntax errors,
// because it doesn't have a path to check it against
// and filepath.Match() doesn't report an error
// if the path is empty.
// If we find a way to check the syntax, ExemptGlob
// MIGHT PANIC on a syntax error in the future.
// ALWAYS check your globs for syntax errors.
func (h *CSRFHandler) ExemptGlob(pattern string) {
h.exemptGlobs = append(h.exemptGlobs, pattern)
}
// A variadic argument version of ExemptGlob()
func (h *CSRFHandler) ExemptGlobs(patterns ...string) {
for _, v := range patterns {
h.ExemptGlob(v)
}
}
// Accepts a regular expression string or a compiled *regexp.Regexp
// and exempts URLs that match it from CSRF checks.
//
// If the given argument is neither of the accepted values,
// or the given string fails to compile, ExemptRegexp() panics.
func (h *CSRFHandler) ExemptRegexp(re interface{}) {
var compiled *regexp.Regexp
switch re.(type) {
case string:
compiled = regexp.MustCompile(re.(string))
case *regexp.Regexp:
compiled = re.(*regexp.Regexp)
default:
err := fmt.Sprintf("%v isn't a valid type for ExemptRegexp()", reflect.TypeOf(re))
panic(err)
}
h.exemptRegexps = append(h.exemptRegexps, compiled)
}
// A variadic argument version of ExemptRegexp()
func (h *CSRFHandler) ExemptRegexps(res ...interface{}) {
for _, v := range res {
h.ExemptRegexp(v)
}
}
func (h *CSRFHandler) ExemptFunc(fn func(r *http.Request) bool) {
h.exemptFunc = fn
}