XSSBook - Console

From 0c021ef938622e9d69539075e56bb35c3b4ef7cf Mon Sep 17 00:00:00 2001 From: Tyler Murphy Date: Mon, 30 Jan 2023 11:42:45 -0500 Subject: css changes, secure/http only admin session --- src/admin.rs | 10 +++++----- src/api/admin.rs | 4 ++-- src/console.rs | 21 ++++++++++++++------- src/database/posts.rs | 2 +- src/database/users.rs | 2 +- src/types/extract.rs | 14 ++++++-------- 6 files changed, 29 insertions(+), 24 deletions(-) (limited to 'src') diff --git a/src/admin.rs b/src/admin.rs index 344a953..1da2f1e 100644 --- a/src/admin.rs +++ b/src/admin.rs @@ -59,8 +59,8 @@ pub fn generate_users() -> Response { for user in users { html.push_str( &format!("{}{}{}{}{}{}{}{}{}{}", - user.user_id, sanatize(user.firstname), sanatize(user.lastname), sanatize(user.email), sanatize(user.password), - sanatize(user.gender), user.date, user.day, user.month, user.year + user.user_id, sanatize(&user.firstname), sanatize(&user.lastname), sanatize(&user.email), sanatize(&user.password), + sanatize(&user.gender), user.date, user.day, user.month, user.year ) ); } @@ -94,9 +94,9 @@ pub fn generate_posts() -> Response { "{}{}{}{}{}{}", post.post_id, post.user_id, - sanatize(post.content), - console::beautify(likes), - console::beautify(comments), + sanatize(&post.content), + console::beautify(&likes), + console::beautify(&comments), post.date )); } diff --git a/src/api/admin.rs b/src/api/admin.rs index bda1ae2..7de5fc0 100644 --- a/src/api/admin.rs +++ b/src/api/admin.rs @@ -30,8 +30,8 @@ async fn auth(cookies: Cookies, Json(body): Json) -> Response } let mut cookie = Cookie::new("admin", admin::regen_secret().await); - cookie.set_secure(false); - cookie.set_http_only(false); + cookie.set_secure(true); + cookie.set_http_only(true); cookie.set_path("/"); cookies.add(cookie); diff --git a/src/console.rs b/src/console.rs index 912ace2..008109c 100644 --- a/src/console.rs +++ b/src/console.rs @@ -36,8 +36,8 @@ impl ToString for LogMessage { Method::OPTIONS => "#423fe0", _ => "white", }; - format!("

{} {} {}{} {}

", - ip, color, self.method, self.path, sanatize(self.uri.to_string()), self.body) + format!("

{} {} {}{} {}

", + ip, color, self.method, self.path, sanatize(&self.uri.to_string()), self.body) } } @@ -46,12 +46,11 @@ lazy_static! { } pub async fn log(ip: IpAddr, method: Method, uri: Uri, path: Option, body: Option) { - let path = path.unwrap_or_default(); let body = body.unwrap_or_default(); if path == "/api/admin" { - return + return; } tracing::info!("{} {} {}{} {}", &ip, &method, &path, &uri, &body); @@ -61,7 +60,7 @@ pub async fn log(ip: IpAddr, method: Method, uri: Uri, path: Option, bod method, uri, path, - body: beautify(body), + body: beautify(&body), }; let mut lock = LOG.lock().await; @@ -205,14 +204,14 @@ impl Formatter for HtmlFormatter { } } -pub fn sanatize(input: String) -> String { +pub fn sanatize(input: &str) -> String { input .replace('&', "&") .replace('<', "<") .replace('>', ">") } -pub fn beautify(body: String) -> String { +pub fn beautify(body: &str) -> String { let body = sanatize(body); if body.is_empty() { @@ -240,10 +239,18 @@ pub async fn generate() -> Response { + + + XSSBook - Console + +

"# .to_string(); diff --git a/src/database/posts.rs b/src/database/posts.rs index 3f2fc58..6c0a27e 100644 --- a/src/database/posts.rs +++ b/src/database/posts.rs @@ -81,7 +81,7 @@ pub fn get_post_page(page: u64) -> Result, rusqlite::Error> { pub fn get_all_posts() -> Result, rusqlite::Error> { tracing::trace!("Retrieving posts page"); let conn = database::connect()?; - let mut stmt = conn.prepare("SELECT * FROM posts ORDER BY post_id")?; + let mut stmt = conn.prepare("SELECT * FROM posts ORDER BY post_id DESC")?; let row = stmt.query_map([], |row| { let row = post_from_row(row)?; Ok(row) diff --git a/src/database/users.rs b/src/database/users.rs index 7f8e407..27c3b7f 100644 --- a/src/database/users.rs +++ b/src/database/users.rs @@ -121,7 +121,7 @@ pub fn get_user_page(page: u64, hide_password: bool) -> Result, rusqli pub fn get_all_users() -> Result, rusqlite::Error> { tracing::trace!("Retrieving user page"); let conn = database::connect()?; - let mut stmt = conn.prepare("SELECT * FROM users ORDER BY user_id")?; + let mut stmt = conn.prepare("SELECT * FROM users ORDER BY user_id DESC")?; let row = stmt.query_map([], |row| { let row = user_from_row(row, false)?; Ok(row) diff --git a/src/types/extract.rs b/src/types/extract.rs index af30d3f..50c413b 100644 --- a/src/types/extract.rs +++ b/src/types/extract.rs @@ -4,14 +4,14 @@ use axum::{ async_trait, body::HttpBody, extract::{FromRequest, FromRequestParts}, - headers::Cookie, http::{request::Parts, Request}, response::Response, - BoxError, RequestExt, TypedHeader, + BoxError, RequestExt, }; use axum_client_ip::ClientIp; use bytes::Bytes; use serde::de::DeserializeOwned; +use tower_cookies::Cookies; use crate::{ admin, console, @@ -32,7 +32,7 @@ where type Rejection = Response; async fn from_request_parts(parts: &mut Parts, state: &S) -> Result { - let Ok(Some(cookies)) = Option::>::from_request_parts(parts, state).await else { + let Ok(Some(cookies)) = Option::::from_request_parts(parts, state).await else { return Err(ResponseCode::Forbidden.text("No cookies provided")) }; @@ -40,7 +40,7 @@ where return Err(ResponseCode::Forbidden.text("No auth token provided")) }; - let Ok(session) = Session::from_token(token) else { + let Ok(session) = Session::from_token(token.value()) else { return Err(ResponseCode::Unauthorized.text("Auth token invalid")) }; @@ -63,7 +63,7 @@ where type Rejection = Response; async fn from_request_parts(parts: &mut Parts, state: &S) -> Result { - let Ok(Some(cookies)) = Option::>::from_request_parts(parts, state).await else { + let Ok(Some(cookies)) = Option::::from_request_parts(parts, state).await else { return Err(ResponseCode::Forbidden.text("No cookies provided")) }; @@ -71,11 +71,9 @@ where return Err(ResponseCode::Forbidden.text("No admin secret provided")) }; - println!("{secret}"); - let check = admin::get_secret().await; - if check != secret { + if check != secret.value() { return Err(ResponseCode::Unauthorized.text("Auth token invalid")); } -- cgit v1.2.3-freya