From 8f465afc97282dbc6bb266ae91565ac97b153c65 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Tue, 10 Dec 2024 10:17:38 -0500
Subject: [PATCH] refactor: add csrf protection to webinstall POST route
---
install/web.js | 18 +++++++++++++++---
src/views/install/index.tpl | 2 ++
2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/install/web.js b/install/web.js
index 92fe675c22..cd38c3be6e 100644
--- a/install/web.js
+++ b/install/web.js
@@ -2,6 +2,7 @@
const winston = require('winston');
const express = require('express');
+const session = require('express-session');
const bodyParser = require('body-parser');
const fs = require('fs');
const path = require('path');
@@ -13,7 +14,10 @@ const nconf = require('nconf');
const Benchpress = require('benchpressjs');
const { mkdirp } = require('mkdirp');
const { paths } = require('../src/constants');
-const sass = require('../src/utils').getSass();
+const utils = require('../src/utils');
+
+const sass = utils.getSass();
+const { generateToken, csrfSynchronisedProtection } = require('../src/middleware/csrf');
const app = express();
let server;
@@ -73,6 +77,13 @@ web.install = async function (port) {
app.use(bodyParser.urlencoded({
extended: true,
}));
+
+ app.use(session({
+ secret: utils.generateUUID(),
+ resave: false,
+ saveUninitialized: false,
+ }));
+
try {
await Promise.all([
compileTemplate(),
@@ -103,8 +114,8 @@ function launchExpress(port) {
}
function setupRoutes() {
- app.get('/', welcome);
- app.post('/', install);
+ app.get('/', csrfSynchronisedProtection, welcome);
+ app.post('/', csrfSynchronisedProtection, install);
app.get('/testdb', testDatabase);
app.get('/ping', ping);
app.get('/sping', ping);
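Review bot: Nothing in the patch shows how a failed token check on `app.post('/', csrfSynchronisedProtection, install)` is surfaced to the user; with the session secret regenerated per run, a form loaded before a restart will fail on submit, and unless an error handler exists elsewhere the user presumably sees a bare stack/500 instead of the form re-rendered with a fresh token. A small handler after `setupRoutes` along the lines of `app.use((err, req, res, next) => { if (err.code === 'EBADCSRFTOKEN') return res.redirect('/'); next(err); });` (using whatever error marker the project's csrf middleware sets) would close that gap. Also, if `csrfSynchronisedProtection` follows the common convention of ignoring GET/HEAD/OPTIONS, its presence on `app.get('/', …)` is a no-op and a comment saying so, e.g. `// protection only enforces on POST; the token itself is minted in welcome()`, would prevent a future reader from assuming GET is being checked. `setupRoutes`'s body continues outside the hunk.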
@@ -160,6 +171,7 @@ function welcome(req, res) {
minimumPasswordStrength: defaults.minimumPasswordStrength,
installing: installing,
percentInstalled: installing ? ((Date.now() - timeStart) / totalTime * 100).toFixed(2) : 0,
+ csrf_token: generateToken(req),
});
}
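Review bot: `csrf_token: generateToken(req)` runs on every render of `welcome`, including the repeated renders while `installing` is true, and the page does not show whether the project's `generateToken` reuses the token already stored in the session or overwrites it; if it overwrites, a refresh in one tab invalidates the form open in another. A brief comment on the line stating which behaviour is relied on, e.g. `// reuses the session's existing token when present (does not rotate per render)`, would settle that for the next maintainer and should be verified against `src/middleware/csrf`. `welcome`'s body starts outside the hunk.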
diff --git a/src/views/install/index.tpl b/src/views/install/index.tpl
index f41400f734..aa703f8356 100644
--- a/src/views/install/index.tpl
+++ b/src/views/install/index.tpl
@@ -35,6 +35,8 @@
You are just a few steps away from launching your own NodeBB forum!