blacklist routes from CSRF middleware

alexweissman · alexweissman · commit 3d0629c124c3 · 2017-06-16T18:06:11.000-04:00
diff --git a/app/sprinkles/core/config/default.php b/app/sprinkles/core/config/default.php
@@ -51,7 +51,15 @@
             'name'             => 'csrf',
             'storage_limit'    => 200,
             'strength'         => 16,
-            'persistent_token' => true
+            'persistent_token' => true,
+            // A list of url paths to ignore CSRF checks on
+            'blacklist' => [
+                // URL paths will be matched against each regular expression in this list.
+                // Each regular expression should map to an array of methods.
+                // Regular expressions will be delimited with ~ in preg_match, so if you
+                // have routes with ~ in them, you must escape this character in your regex.
+                // Also, remember to use ^ when you only want to match the beginning of a URL path!
+            ]
         ],
         'db'      =>  [
             'default' => [
diff --git a/app/sprinkles/core/src/Core.php b/app/sprinkles/core/src/Core.php
@@ -40,12 +40,21 @@ public function onAddGlobalMiddleware(Event $event)
         // See https://github.com/laravel/framework/issues/8172#issuecomment-99112012 for more information on why it's bad to hit Laravel sessions multiple times in rapid succession.
         $request = $this->ci->request;
         $path = $request->getUri()->getPath();
+        $method = $request->getMethod();
 
-        $csrfBlacklist = [
-            $this->ci->config['assets.raw.path']
-        ];
+        $csrfBlacklist = $this->ci->config['csrf.blacklist'];
+
+        $isBlacklisted = false;
+
+        foreach ($csrfBlacklist as $pattern => $methods) {
+            $methods = array_map('strtoupper', (array) $methods);
+            if (in_array($method, $methods) && $pattern != '' && preg_match('~' . $pattern . '~', $path)) {
+                $isBlacklisted = true;
+                break;
+            }
+        }
 
-        if (!$path || !starts_with($path, $csrfBlacklist)) {
+        if (!$path || !$isBlacklisted) {
             $app = $event->getApp();
             $app->add($this->ci->csrf);
         }
diff --git a/app/sprinkles/core/src/ServicesProvider/ServicesProvider.php b/app/sprinkles/core/src/ServicesProvider/ServicesProvider.php
@@ -239,6 +239,14 @@ public function register(ContainerInterface $container)
                 $config['site.uri.public'] = trim($public, '/');
             }
 
+            // Add asset URLs to the CSRF blacklist
+            $csrfBlacklist = $config['csrf.blacklist'];
+            $csrfBlacklist['^' . $config['assets.raw.path']] = [
+                'GET'
+            ];
+
+            $config->set('csrf.blacklist', $csrfBlacklist);
+
             if (isset($config['display_errors'])) {
                 ini_set("display_errors", $config['display_errors']);
             }

Original file line number	Diff line number	Diff line change
`@@ -239,6 +239,14 @@ public function register(ContainerInterface $container)`
`239`	`239`	`$config['site.uri.public'] = trim($public, '/');`
`240`	`240`	`}`
`241`	`241`
	`242`	`+ // Add asset URLs to the CSRF blacklist`
	`243`	`+ $csrfBlacklist = $config['csrf.blacklist'];`
	`244`	`+ $csrfBlacklist['^' . $config['assets.raw.path']] = [`
	`245`	`+ 'GET'`
	`246`	`+ ];`
	`247`	`+`
	`248`	`+ $config->set('csrf.blacklist', $csrfBlacklist);`
	`249`	`+`
`242`	`250`	`if (isset($config['display_errors'])) {`
`243`	`251`	`ini_set("display_errors", $config['display_errors']);`
`244`	`252`	`}`