rojo-rbx/rojo
1
0
Fork 1
mirror of https://github.com/rojo-rbx/rojo.git synced 2026-04-23 22:25:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Implement CSRF challenge support in upload

Browse Source
This commit is contained in:
Lucien Greathouse
2021-02-09 11:36:59 -05:00
parent 7888a704e1
commit 0e89b91c38
2 changed files with 32 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@@ -1,6 +1,7 @@
# Rojo Changelog # Rojo Changelog
## Unreleased Changes ## Unreleased Changes
* Fixed `rojo upload` to handle CSRF challenges.
## [6.0.1](https://github.com/rojo-rbx/rojo/releases/tag/v6.0.1) (January 22, 2021) ## [6.0.1](https://github.com/rojo-rbx/rojo/releases/tag/v6.0.1) (January 22, 2021)
* Fixed `rojo upload` requests being rejected by Roblox * Fixed `rojo upload` requests being rejected by Roblox

45
src/cli/upload.rs
View File

@@ -1,5 +1,8 @@
use memofs::Vfs; use memofs::Vfs;
use reqwest::header::{ACCEPT, CONTENT_TYPE, COOKIE, USER_AGENT}; use reqwest::{
header::{ACCEPT, CONTENT_TYPE, COOKIE, USER_AGENT},
StatusCode,
};
use thiserror::Error; use thiserror::Error;
use crate::{auth_cookie::get_auth_cookie, cli::UploadCommand, serve_session::ServeSession}; use crate::{auth_cookie::get_auth_cookie, cli::UploadCommand, serve_session::ServeSession};
@@ -41,28 +44,42 @@ pub fn upload(options: UploadCommand) -> Result<(), anyhow::Error> {
.property_behavior(rbx_xml::EncodePropertyBehavior::WriteUnknown); .property_behavior(rbx_xml::EncodePropertyBehavior::WriteUnknown);
rbx_xml::to_writer(&mut buffer, tree.inner(), &encode_ids, config)?; rbx_xml::to_writer(&mut buffer, tree.inner(), &encode_ids, config)?;
do_upload(buffer, options.asset_id, &cookie)
}
fn do_upload(buffer: Vec<u8>, asset_id: u64, cookie: &str) -> anyhow::Result<()> {
let url = format!( let url = format!(
"https://data.roblox.com/Data/Upload.ashx?assetid={}", "https://data.roblox.com/Data/Upload.ashx?assetid={}",
options.asset_id asset_id
); );
log::trace!("POSTing to {}", url);
let client = reqwest::Client::new(); let client = reqwest::Client::new();
let mut response = client
.post(&url) let build_request = move || {
.header(COOKIE, format!(".ROBLOSECURITY={}", &cookie)) client
.header(USER_AGENT, "Roblox/WinInet") .post(&url)
.header(CONTENT_TYPE, "application/xml") .header(COOKIE, format!(".ROBLOSECURITY={}", cookie))
.header(ACCEPT, "application/json") .header(USER_AGENT, "Roblox/WinInet")
.body(buffer) .header(CONTENT_TYPE, "application/xml")
.send()?; .header(ACCEPT, "application/json")
.body(buffer.clone())
};
log::debug!("Uploading to Roblox...");
let mut response = build_request().send()?;
// Starting in Feburary, 2021, the upload endpoint performs CSRF challenges.
// If we receive an HTTP 403 with a X-CSRF-Token reply, we should retry the
// request, echoing the value of that header.
if response.status() == StatusCode::FORBIDDEN {
if let Some(csrf_token) = response.headers().get("X-CSRF-Token") {
log::debug!("Received CSRF challenge, retrying with token...");
response = build_request().header("X-CSRF-Token", csrf_token).send()?;
}
}
let status = response.status(); let status = response.status();
if !status.is_success() { if !status.is_success() {
log::error!("Error uploading, status: {}", status);
return Err(Error::RobloxApi { return Err(Error::RobloxApi {
body: response.text()?, body: response.text()?,
} }