Add CSRF token

app.js

@@ -60,6 +60,9 @@ global.syzoj = {
     let multer = require('multer');
     app.multer = multer({ dest: syzoj.utils.resolvePath(syzoj.config.upload_dir, 'tmp') });
 
+    let csurf = require('csurf');
+    app.use(csurf({ cookie: true }));
+
     await this.connectDatabase();
     this.loadHooks();
     this.loadModules();

package.json

@@ -29,6 +29,7 @@
     "cheerio": "^1.0.0-rc.1",
     "cookie-parser": "^1.4.3",
     "cssfilter": "0.0.10",
+    "csurf": "^1.9.0",
     "download": "^5.0.3",
     "ejs": "^2.5.2",
     "express": "^4.14.0",

static/script.js

@@ -7,7 +7,22 @@ $(function () {
     form.method = 'post';
     form.action = $(this).attr('href-post');
     form.target = '_self';
+
+    var input = document.createElement('input');
+    input.type = 'hidden';
+    input.name = '_csrf';
+    input.value = document.head.getAttribute('data-csrf-token');
+    form.appendChild(input);
+
     document.body.appendChild(form);
     form.submit();
   });
+
+  $('form').each(function () {
+    var input = document.createElement('input');
+    input.type = 'hidden';
+    input.name = '_csrf';
+    input.value = document.head.getAttribute('data-csrf-token');
+    this.appendChild(input);
+  });
 });

views/header.ejs

@@ -1,7 +1,7 @@
 <% include util %>
 <!DOCTYPE html>
 <html lang="zh-CN">
-<head>
+<head data-csrf-token="<%= req.csrfToken() %>">
     <meta charset="utf-8">
     <meta content="IE=edge" http-equiv="X-UA-Compatible">
     <title><%= title %> - <%= syzoj.config.title %></title>