sharpetronics/dream
1
0
Fork 0
mirror of https://github.com/aantron/dream.git synced 2025-07-23 00:02:28 -04:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: sharpetronics:1c60e60f1799a8308e12dc955781f043a5e2a45e
Branches Tags
sharpetronics:master
sharpetronics:repro-347-ci
sharpetronics:gh-pages
sharpetronics:cohttp-eio
sharpetronics:1.0.0-alpha8
sharpetronics:1.0.0-alpha7
sharpetronics:1.0.0-alpha6
sharpetronics:1.0.0-alpha5
sharpetronics:1.0.0-alpha4
sharpetronics:1.0.0-alpha3
sharpetronics:1.0.0-alpha2
sharpetronics:1.0.0-alpha1
..
compare: sharpetronics:60a0dc5df59a8b1eb65feccd3ee5801630b20ac5
Branches Tags
sharpetronics:master
sharpetronics:repro-347-ci
sharpetronics:gh-pages
sharpetronics:cohttp-eio
sharpetronics:1.0.0-alpha8
sharpetronics:1.0.0-alpha7
sharpetronics:1.0.0-alpha6
sharpetronics:1.0.0-alpha5
sharpetronics:1.0.0-alpha4
sharpetronics:1.0.0-alpha3
sharpetronics:1.0.0-alpha2
sharpetronics:1.0.0-alpha1

No commits in common. "1c60e60f1799a8308e12dc955781f043a5e2a45e" and "60a0dc5df59a8b1eb65feccd3ee5801630b20ac5" have entirely different histories.
1c60e60f17 ... 60a0dc5df5

4 changed files with 42 additions and 24 deletions
Show Stats Expand all files Collapse all files

2
dream-mirage.opam
View File

@ -59,7 +59,7 @@ depends: [
"letsencrypt" {>= "0.3.0"}
"lwt"
"lwt_ppx" {>= "1.2.2"}
"mimic" {>= "0.0.5"}
"mimic"
"mirage-time"
"rresult"
"tcpip"

2
example/z-docker-opam/Dockerfile
View File

@ -15,7 +15,7 @@ RUN opam exec -- dune build
FROM alpine:3.18.4 as run
FROM alpine:3.12 as run
RUN apk add --update libev

7
src/mirage/mirage.ml
View File

@ -343,6 +343,13 @@ module Make (Pclock : Mirage_clock.PCLOCK) (Time : Mirage_time.S) (Stack : Tcpip
let verify_csrf_token = verify_csrf_token ~now
let csrf_tag = Tag.csrf_tag ~now
(* Templates *)
let form_tag ?method_ ?target ?enctype ?csrf_token ~action request =
Tag.form_tag ~now ?method_ ?target ?enctype ?csrf_token ~action request
(* Errors *)
type error = Catch.error = {

51
src/mirage/mirage.mli
View File

@ -908,13 +908,12 @@ module Make
(** {1 Forms}
{!Dream.csrf_tag} and {!Dream.val-form} round-trip secure forms.
{!Dream.csrf_tag} is used inside a form template to generate a hidden field
with a CSRF token:
{!Dream.form_tag} and {!Dream.val-form} round-trip secure forms.
{!Dream.form_tag} is used inside a template to generate a form header with a
CSRF token:
{[
<form method="POST" action="/">
<%s! Dream.csrf_tag request %>
<%s! Dream.form_tag ~action:"/" request %>
<input name="my.field">
</form>
]}
@ -954,13 +953,13 @@ module Make
val form : ?csrf:bool -> request -> (string * string) list form_result promise
(** Parses the request body as a form. Performs CSRF checks. Use
{!Dream.csrf_tag} in a template to transparently generate forms that will
{!Dream.form_tag} in a template to transparently generate forms that will
pass these checks. See {!section-templates} and example
{{:https://github.com/aantron/dream/tree/master/example/d-form#readme}
[d-form]}.
- [Content-Type:] must be [application/x-www-form-urlencoded].
- The form must have a field named [dream.csrf]. {!Dream.csrf_tag} adds such
- The form must have a field named [dream.csrf]. {!Dream.form_tag} adds such
a field.
- {!Dream.form} calls {!Dream.verify_csrf_token} to check the token in
[dream.csrf].
@ -1101,9 +1100,8 @@ module Make
It's usually not necessary to handle CSRF tokens directly.
- CSRF token field generator {!Dream.csrf_tag} generates and inserts a CSRF
token that {!Dream.val-form} and {!Dream.val-multipart} transparently
verify.
- Form tag generator {!Dream.form_tag} generates and inserts a CSRF token
that {!Dream.val-form} and {!Dream.val-multipart} transparently verify.
- AJAX can be protected from CSRF by {!Dream.origin_referrer_check}.
CSRF functions are exposed for creating custom schemes, and for
@ -1138,6 +1136,8 @@ module Make
val verify_csrf_token : request -> string -> csrf_result promise
(** Checks that the CSRF token is valid for the {!type-request}'s session. *)
val csrf_tag : request -> string
(** {1 Templates}
Dream includes a template preprocessor that allows interleaving OCaml and
@ -1223,13 +1223,20 @@ module Make
unquoted attribute values, CSS in [<style>] tags, or literal JavaScript in
[<script>] tags. *)
val csrf_tag : request -> string
(** Generates an [<input>] tag with a CSRF token, suitable for use with
{!Dream.val-form} and {!Dream.val-multipart}. For example, in a template,
val form_tag :
?method_:[< method_] ->
?target:string ->
?enctype:[< `Multipart_form_data] ->
?csrf_token:bool ->
action:string ->
request ->
string
(** Generates a [<form>] tag and an [<input>] tag with a CSRF token, suitable
for use with {!Dream.val-form} and {!Dream.val-multipart}. For example, in
a template,
{[
<form method="POST" action="/">
<%s! Dream.csrf_tag request %>
<%s! Dream.form_tag ~action:"/" request %>
<input name="my.field">
</form>
]}
@ -1238,15 +1245,19 @@ module Make
{[
<form method="POST" action="/">
<input name="dream.csrf" type="hidden" value="j8vjZ6...">
<input name="dream.csrf" type="hidden" value="a-token">
<input name="my.field">
</form>
]}
It is
{{:https://portswigger.net/web-security/csrf/tokens#how-should-csrf-tokens-be-transmitted}
recommended} to put the CSRF tag immediately after the starting [<form>]
tag, to prevent certain kinds of DOM manipulation-based attacks. *)
[~method] sets the method used to submit the form. The default is [`POST].
[~target] adds a [target] attribute. For example, [~target:"_blank"] causes
the browser to submit the form in a new tab or window.
Pass [~enctype:`Multipart_form_data] for a file upload form.
[~csrf_token:false] suppresses generation of the [dream.csrf] field. *)
(** {1 Middleware}