🐛 [Bug]: Strange CSRF middleware behavior with header KeyLookup configuration

[demget]

Bug Description

Discord discussion

The middleware randomly starts responding with 403 Forbidden if it's configured to look up for header:X-Csrf-Token. I found that the storage's map keys are messing up with random header values, so possibly this has something to do with unsafe magic.

One moment you have a map entry with a valid key which is actually a recently added CSRF token, a couple of requests ago you check this map and you see a random header value that replaced the first characters of the key, it can't be found by the middleware which results in returning the Forbidden response.

How to Reproduce

Steps to reproduce the behavior:

1. Use a default CSRF middleware for all your endpoints
2. Obtain your token with the GET request
3. Keep making POST requests and eventually you'll get 403 Forbidden

Expected Behavior

Technically, storage's map keys shouldn't mess up with random header values. CSRF middleware working correctly.

Fiber Version

v2.34.1

Code Snippet (optional)

No response

Checklist:

• I agree to follow Fiber's Code of Conduct.
• I have checked for existing issues that describe my problem prior to opening this one.
• I understand that improperly formatted bug reports may be closed without explanation.

[welcome]

Thanks for opening your first issue here! 🎉 Be sure to follow the issue template! If you need help or want to chat with us, join us on Discord https://gofiber.io/discord

[demget]

René in our Discord discussion advised to:

yes we should make a copy here
here https://github.com/gofiber/fiber/blob/master/middleware/csrf/csrf.go#L42 and here https://github.com/gofiber/fiber/blob/master/middleware/csrf/csrf.go#L37

[ReneWerner87]

we will look at this and develop a fix in a timely manner

[ReneWerner87]

does anyone have any idea how i can reproduce the case in the test? can't get the reused headers to have effect on memory

fiber/middleware/csrf/csrf_test.go

Lines 346 to 394 in 466d6b1

	func Test_CSRF_UnsafeHeaderValue(t *testing.T) { // TODO: add the flow of the bug to a testcase before we start fixing it
	app := fiber.New()
	app.Use(New())
	app.Get("/", func(c *fiber.Ctx) error {
	return c.SendStatus(fiber.StatusOK)
	})
	app.Get("/test", func(c *fiber.Ctx) error {
	return c.SendStatus(fiber.StatusOK)
	})
	app.Post("/", func(c *fiber.Ctx) error {
	return c.SendStatus(fiber.StatusOK)
	})
	resp, err := app.Test(httptest.NewRequest(http.MethodGet, "/", nil))
	utils.AssertEqual(t, nil, err)
	utils.AssertEqual(t, fiber.StatusOK, resp.StatusCode)
	var token string
	for _, c := range resp.Cookies() {
	if c.Name != ConfigDefault.CookieName {
	continue
	}
	token = c.Value
	break
	}
	fmt.Println("token", token)
	getReq := httptest.NewRequest(http.MethodGet, "/", nil)
	getReq.Header.Set(HeaderName, token)
	resp, err = app.Test(getReq)
	getReq = httptest.NewRequest(http.MethodGet, "/test", nil)
	getReq.Header.Set("X-Requested-With", "XMLHttpRequest")
	getReq.Header.Set(fiber.HeaderCacheControl, "no")
	getReq.Header.Set(HeaderName, token)
	resp, err = app.Test(getReq)
	getReq.Header.Set(fiber.HeaderAccept, "*/*")
	getReq.Header.Del(HeaderName)
	resp, err = app.Test(getReq)
	postReq := httptest.NewRequest(http.MethodPost, "/", nil)
	postReq.Header.Set("X-Requested-With", "XMLHttpRequest")
	postReq.Header.Set(HeaderName, token)
	resp, err = app.Test(postReq)
	}

@demget @efectn @GalvinGao

would like to produce this first before I fix it

[GalvinGao]

does anyone have any idea how i can reproduce the case in the test? can't get the reused headers to have effect on memory

fiber/middleware/csrf/csrf_test.go

Lines 346 to 394 in 466d6b1

	func Test_CSRF_UnsafeHeaderValue(t *testing.T) { // TODO: add the flow of the bug to a testcase before we start fixing it
	app := fiber.New()
	app.Use(New())
	app.Get("/", func(c *fiber.Ctx) error {
	return c.SendStatus(fiber.StatusOK)
	})
	app.Get("/test", func(c *fiber.Ctx) error {
	return c.SendStatus(fiber.StatusOK)
	})
	app.Post("/", func(c *fiber.Ctx) error {
	return c.SendStatus(fiber.StatusOK)
	})
	resp, err := app.Test(httptest.NewRequest(http.MethodGet, "/", nil))
	utils.AssertEqual(t, nil, err)
	utils.AssertEqual(t, fiber.StatusOK, resp.StatusCode)
	var token string
	for _, c := range resp.Cookies() {
	if c.Name != ConfigDefault.CookieName {
	continue
	}
	token = c.Value
	break
	}
	fmt.Println("token", token)
	getReq := httptest.NewRequest(http.MethodGet, "/", nil)
	getReq.Header.Set(HeaderName, token)
	resp, err = app.Test(getReq)
	getReq = httptest.NewRequest(http.MethodGet, "/test", nil)
	getReq.Header.Set("X-Requested-With", "XMLHttpRequest")
	getReq.Header.Set(fiber.HeaderCacheControl, "no")
	getReq.Header.Set(HeaderName, token)
	resp, err = app.Test(getReq)
	getReq.Header.Set(fiber.HeaderAccept, "*/*")
	getReq.Header.Del(HeaderName)
	resp, err = app.Test(getReq)
	postReq := httptest.NewRequest(http.MethodPost, "/", nil)
	postReq.Header.Set("X-Requested-With", "XMLHttpRequest")
	postReq.Header.Set(HeaderName, token)
	resp, err = app.Test(postReq)
	}

@demget @efectn @GalvinGao

would like to produce this first before I fix it

I think sequentially call app.Test won't trigger this as I suspect such issue would only occur in race conditions specifically, if I correctly understand the mechanism of fasthttp.

[ReneWerner87]

not really, it's just about putting the request and response objects back into the pool and reusing them later on.

but due to the unsafe there is still a link to the header value of the previous process

1. request, response workflow -> back to the pool
2. then the next request comes and the pool uses the objects from before, but here is then still the connection to

thought you can reproduce it like this

[demget]

I remember I couldn't reproduce this through go tests and postman, only together with the frontend part using a browser, which uses my API. I don't understand why is it working like so, but anyway I'll try to prepare a JS code snippet for you guys which is able to produce this bug.

[ReneWerner87]

yes that would be good

try to fix it this time not test driven and hopefully will make that reproducible with your snippet then later in a test