From c6ec81174ce04edc2a8ac396e1ef2489e809130a Mon Sep 17 00:00:00 2001
From: Jonas Kohl
Date: Thu, 7 Nov 2024 16:19:33 +0100
Subject: CSRF tokens

---
 public/index.php | 101 +++++++++++++++----------------------------------------
 public/site.js   |  80 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 107 insertions(+), 74 deletions(-)
 create mode 100644 public/site.js

diff --git a/public/index.php b/public/index.php
index 6e0a8fb..0b3cabc 100644
--- a/public/index.php
+++ b/public/index.php
@@ -1,5 +1,12 @@
 <?php
 
+session_name("a3e0f0ee-9f5a-4be2-88cb-3b7ceb626d00");
+session_start();
+
+function csrf_token(): string {
+    return $_SESSION["csrf-token"] = base64_encode(random_bytes(30));
+}
+
 function getid(): string {
     return str_pad(bin2hex(random_bytes(16)), 32, "0", STR_PAD_LEFT);
 }
@@ -32,7 +39,19 @@ $result = null;
 if (isset($_POST["code"]) && strlen($_POST["code"]) <= 16383) {
     $id = getid();
 
+    header("Content-Type: application/json");
+
     $code = $_POST["code"];
+    $csrf = $_POST["csrf"] ?? null;
+    
+    if ($csrf === null || $csrf !== $_SESSION["csrf-token"]) {
+        echo json_encode([
+            "ok" => false,
+            "message" => "CSRF token mismatch",
+            "csrf" => csrf_token(),
+        ]);
+        exit;
+    }
 
     $srcDir = __DIR__ . "/../_runners/$id/src";
 
@@ -44,17 +63,21 @@ if (isset($_POST["code"]) && strlen($_POST["code"]) <= 16383) {
     $resultStr = shell_exec("./compile-and-run.sh '$id' Program 2>/dev/null");
     chdir(__DIR__);
 
+    $csrf = csrf_token();
+
     if (is_string($resultStr)) {
         $result = json_decode($resultStr, true);
         $result["runner"] = $id;
+        $result["ok"] = true;
+        $result["csrf"] = $csrf;
     }
 
-
-    header("Content-Type: application/json");
     echo json_encode($result);
     exit;
 }
 
+$csrf = csrf_token();
+
 ?>
 <!DOCTYPE html>
 <html lang="en">
@@ -68,6 +91,7 @@ if (isset($_POST["code"]) && strlen($_POST["code"]) <= 16383) {
     <script src="jquery-1.12.4.min.js"></script>
     <script src="codemirror.js"></script>
     <script src="clike.js"></script>
+    <script src="site.js"></script>
 </head>
 <body>
     <div id="loader" style="display: none;">
@@ -76,83 +100,12 @@ if (isset($_POST["code"]) && strlen($_POST["code"]) <= 16383) {
     <h1>&#9749;&#65039; Java Compiler</h1>
     <p>Powered by Eclipse Temurin</p>
     <form method="POST">
+        <input name="csrf" id="csrf-token" type="hidden" value="<?= htmlentities($csrf) ?>">
         <textarea maxlength="16383" id="editor" name="code" rows="20"><?= htmlentities($code ?? $defaultCode) ?></textarea>
         <div id="toolbar">
             <button type="submit">&#9654;&nbsp;Compile &amp; run</button>
         </div>
     </form>
     <div id="output" style="display: none;"></div>
-
-    <script>
-        $(function() {
-            var editor = CodeMirror.fromTextArea($("#editor")[0], {
-                lineNumbers: true,
-                mode: "text/x-java",
-                theme: "eclipse",
-                tabSize: 4,
-                indentWithTabs: false,
-                smartIndent: true,
-                indentUnit: 4
-            });
-            editor.setSize(898, 500);
-
-            $("form").on("submit", function(e) {
-                e.preventDefault();
-
-                $("#loader").show();
-                $("#output").empty().hide();
-
-                $.ajax({
-                    type: "POST",
-                    url: location.href,
-                    data: {
-                        code: editor.getValue()
-                    },
-                    dataType: "json",
-                    success: function(data) {
-                        $("#loader").hide();
-
-                        if (data.compile.status == 0) {
-                            if (data.run.status != null) {
-                                // program was executed
-                                $("#output").append(
-                                    $("<h4></h4>").text(data.run.status == 0 ? "Executed successfully" : "Execution failed").css("color", data.run.status == 0 ? "green" : "red"),
-                                );
-
-                                if (data.run.stdout) {
-                                    $("#output").append(
-                                        $("<p></p>").text("Program output:"),
-                                        $("<pre></pre>").append(
-                                            $("<code></code>").text(data.run.stdout)
-                                        )
-                                    );
-                                }
-
-                                if (data.run.stderr) {
-                                    $("#output").append(
-                                        $("<p></p>").text("Error output:"),
-                                        $("<pre></pre>").append(
-                                            $("<code></code>").text(data.run.stderr)
-                                        )
-                                    );
-                                }
-                            }
-                        } else {
-                            // compilation failed, stderr will contain compiler errors
-                            $("#output").append(
-                                $("<h4></h4>").text("Compilation failed").css("color", "red"),
-                                $("<p></p>").text("Compiler errors:"),
-                                $("<pre></pre>").append(
-                                    $("<code></code>").text(data.compile.stderr)
-                                )
-                            );
-                        }
-
-                        $("#output").slideDown(400);
-                    }
-                })
-            });
-        });
-    </script>
 </body>
 </html>
diff --git a/public/site.js b/public/site.js
new file mode 100644
index 0000000..21d51a7
--- /dev/null
+++ b/public/site.js
@@ -0,0 +1,80 @@
+$(function() {
+    var csrf = $("#csrf-token").val();
+    var editor = CodeMirror.fromTextArea($("#editor")[0], {
+        lineNumbers: true,
+        mode: "text/x-java",
+        theme: "eclipse",
+        tabSize: 4,
+        indentWithTabs: false,
+        smartIndent: true,
+        indentUnit: 4
+    });
+    editor.setSize(898, 500);
+
+    $("form").on("submit", function(e) {
+        e.preventDefault();
+
+        $("#loader").show();
+        $("#output").empty().hide();
+
+        $.ajax({
+            type: "POST",
+            url: location.href,
+            data: {
+                code: editor.getValue(),
+                csrf: csrf
+            },
+            dataType: "json",
+            success: function(data) {
+                $("#loader").hide();
+
+                if (!data.ok) {
+                    alert("Error: " + data.message);
+                    if (data.csrf)
+                        csrf = data.csrf;
+                    return;
+                }
+
+                csrf = data.csrf;
+
+                if (data.compile.status == 0) {
+                    if (data.run.status != null) {
+                        // program was executed
+                        $("#output").append(
+                            $("<h4></h4>").text(data.run.status == 0 ? "Executed successfully" : "Execution failed").css("color", data.run.status == 0 ? "green" : "red"),
+                        );
+
+                        if (data.run.stdout) {
+                            $("#output").append(
+                                $("<p></p>").text("Program output:"),
+                                $("<pre></pre>").append(
+                                    $("<code></code>").text(data.run.stdout)
+                                )
+                            );
+                        }
+
+                        if (data.run.stderr) {
+                            $("#output").append(
+                                $("<p></p>").text("Error output:"),
+                                $("<pre></pre>").append(
+                                    $("<code></code>").text(data.run.stderr)
+                                )
+                            );
+                        }
+                    }
+                } else {
+                    // compilation failed, stderr will contain compiler errors
+                    $("#output").append(
+                        $("<h4></h4>").text("Compilation failed").css("color", "red"),
+                        $("<p></p>").text("Compiler errors:"),
+                        $("<pre></pre>").append(
+                            $("<code></code>").text(data.compile.stderr)
+                        )
+                    );
+                }
+
+                $("#output").slideDown(400);
+            }
+        })
+    });
+});
-- 
cgit v1.2.3