Commit640e7a4

Oviglo

authored and

nicolas-grekas

committed

[Security] Add methods param in IsCsrfTokenValid attribute

1 parent2468bae commit640e7a4Copy full SHA for 640e7a4

File tree

5 files changed

+164

-0

lines changed

src/Symfony
- Bundle/FrameworkBundle
  - CHANGELOG.md
- Component/Security/Http
  - Attribute
    - IsCsrfTokenValid.php
  - EventListener
    - IsCsrfTokenValidAttributeListener.php
  - Tests
    - EventListener
      - IsCsrfTokenValidAttributeListenerTest.php
    - Fixtures
      - IsCsrfTokenValidAttributeMethodsController.php

5 files changed

+164

-0

lines changed

`‎src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@ CHANGELOG`
`16`	`16`	* Add`--method` option to the`debug:router` command
`17`	`17`	`* Auto-exclude DI extensions, test cases, entities and messenger messages`
`18`	`18`	* Add DI alias from`ServicesResetterInterface` to`services_resetter`
	`19`	+* Add`methods` argument in`#[IsCsrfTokenValid]` attribute
`19`	`20`
`20`	`21`	`7.2`
`21`	`22`	`---`

`‎src/Symfony/Component/Security/Http/Attribute/IsCsrfTokenValid.php`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,12 @@ public function __construct(`
`26`	`26`	`* Sets the key of the request that contains the actual token value that should be validated.`
`27`	`27`	`*/`
`28`	`28`	`public ?string$tokenKey ='_token',`
	`29`	`+`
	`30`	`+/**`
	`31`	`+ * Sets the available http methods that can be used to validate the token.`
	`32`	`+ * If not set, the token will be validated for all methods.`
	`33`	`+ */`
	`34`	`+publicarray\|string$methods = [],`
`29`	`35`	`) {`
`30`	`36`	`}`
`31`	`37`	`}`

`‎src/Symfony/Component/Security/Http/EventListener/IsCsrfTokenValidAttributeListener.php`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,11 @@ public function onKernelControllerArguments(ControllerArgumentsEvent $event): vo`
`45`	`45`
`46`	`46`	`foreach ($attributesas$attribute) {`
`47`	`47`	`$id =$this->getTokenId($attribute->id,$request,$arguments);`
	`48`	`+$methods =\array_map('strtoupper', (array)$attribute->methods);`
	`49`	`+`
	`50`	`+if ($methods && !\in_array($request->getMethod(),$methods,true)) {`
	`51`	`+continue;`
	`52`	`+ }`
`48`	`53`
`49`	`54`	`if (!$this->csrfTokenManager->isTokenValid(newCsrfToken($id,$request->getPayload()->getString($attribute->tokenKey)))) {`
`50`	`55`	`thrownewInvalidCsrfTokenException('Invalid CSRF token.');`

`‎src/Symfony/Component/Security/Http/Tests/EventListener/IsCsrfTokenValidAttributeListenerTest.php`

Lines changed: 137 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -206,4 +206,141 @@ public function testExceptionWhenInvalidToken()`
`206`	`206`	`$listener =newIsCsrfTokenValidAttributeListener($csrfTokenManager);`
`207`	`207`	`$listener->onKernelControllerArguments($event);`
`208`	`208`	`}`
	`209`	`+`
	`210`	`+publicfunctiontestIsCsrfTokenValidCalledCorrectlyWithDeleteMethod()`
	`211`	`+ {`
	`212`	`+$request =newRequest(request: ['_token' =>'bar']);`
	`213`	`+$request->setMethod('DELETE');`
	`214`	`+`
	`215`	`+$csrfTokenManager =$this->createMock(CsrfTokenManagerInterface::class);`
	`216`	`+$csrfTokenManager->expects($this->once())`
	`217`	`+ ->method('isTokenValid')`
	`218`	`+ ->with(newCsrfToken('foo','bar'))`
	`219`	`+ ->willReturn(true);`
	`220`	`+`
	`221`	`+$event =newControllerArgumentsEvent(`
	`222`	`+$this->createMock(HttpKernelInterface::class),`
	`223`	`+ [newIsCsrfTokenValidAttributeMethodsController(),'withDeleteMethod'],`
	`224`	`+ [],`
	`225`	`+$request,`
	`226`	`+null`
	`227`	`+ );`
	`228`	`+`
	`229`	`+$listener =newIsCsrfTokenValidAttributeListener($csrfTokenManager);`
	`230`	`+$listener->onKernelControllerArguments($event);`
	`231`	`+ }`
	`232`	`+`
	`233`	`+publicfunctiontestIsCsrfTokenValidIgnoredWithNonMatchingMethod()`
	`234`	`+ {`
	`235`	`+$request =newRequest(request: ['_token' =>'bar']);`
	`236`	`+$request->setMethod('POST');`
	`237`	`+`
	`238`	`+$csrfTokenManager =$this->createMock(CsrfTokenManagerInterface::class);`
	`239`	`+$csrfTokenManager->expects($this->never())`
	`240`	`+ ->method('isTokenValid')`
	`241`	`+ ->with(newCsrfToken('foo','bar'));`
	`242`	`+`
	`243`	`+$event =newControllerArgumentsEvent(`
	`244`	`+$this->createMock(HttpKernelInterface::class),`
	`245`	`+ [newIsCsrfTokenValidAttributeMethodsController(),'withDeleteMethod'],`
	`246`	`+ [],`
	`247`	`+$request,`
	`248`	`+null`
	`249`	`+ );`
	`250`	`+`
	`251`	`+$listener =newIsCsrfTokenValidAttributeListener($csrfTokenManager);`
	`252`	`+$listener->onKernelControllerArguments($event);`
	`253`	`+ }`
	`254`	`+`
	`255`	`+publicfunctiontestIsCsrfTokenValidCalledCorrectlyWithGetOrPostMethodWithGetMethod()`
	`256`	`+ {`
	`257`	`+$request =newRequest(request: ['_token' =>'bar']);`
	`258`	`+$request->setMethod('GET');`
	`259`	`+`
	`260`	`+$csrfTokenManager =$this->createMock(CsrfTokenManagerInterface::class);`
	`261`	`+$csrfTokenManager->expects($this->once())`
	`262`	`+ ->method('isTokenValid')`
	`263`	`+ ->with(newCsrfToken('foo','bar'))`
	`264`	`+ ->willReturn(true);`
	`265`	`+`
	`266`	`+$event =newControllerArgumentsEvent(`
	`267`	`+$this->createMock(HttpKernelInterface::class),`
	`268`	`+ [newIsCsrfTokenValidAttributeMethodsController(),'withGetOrPostMethod'],`
	`269`	`+ [],`
	`270`	`+$request,`
	`271`	`+null`
	`272`	`+ );`
	`273`	`+`
	`274`	`+$listener =newIsCsrfTokenValidAttributeListener($csrfTokenManager);`
	`275`	`+$listener->onKernelControllerArguments($event);`
	`276`	`+ }`
	`277`	`+`
	`278`	`+publicfunctiontestIsCsrfTokenValidNoIgnoredWithGetOrPostMethodWithPutMethod()`
	`279`	`+ {`
	`280`	`+$request =newRequest(request: ['_token' =>'bar']);`
	`281`	`+$request->setMethod('PUT');`
	`282`	`+`
	`283`	`+$csrfTokenManager =$this->createMock(CsrfTokenManagerInterface::class);`
	`284`	`+$csrfTokenManager->expects($this->never())`
	`285`	`+ ->method('isTokenValid')`
	`286`	`+ ->with(newCsrfToken('foo','bar'));`
	`287`	`+`
	`288`	`+$event =newControllerArgumentsEvent(`
	`289`	`+$this->createMock(HttpKernelInterface::class),`
	`290`	`+ [newIsCsrfTokenValidAttributeMethodsController(),'withGetOrPostMethod'],`
	`291`	`+ [],`
	`292`	`+$request,`
	`293`	`+null`
	`294`	`+ );`
	`295`	`+`
	`296`	`+$listener =newIsCsrfTokenValidAttributeListener($csrfTokenManager);`
	`297`	`+$listener->onKernelControllerArguments($event);`
	`298`	`+ }`
	`299`	`+`
	`300`	`+publicfunctiontestIsCsrfTokenValidCalledCorrectlyWithInvalidTokenKeyAndPostMethod()`
	`301`	`+ {`
	`302`	`+$this->expectException(InvalidCsrfTokenException::class);`
	`303`	`+`
	`304`	`+$request =newRequest(request: ['_token' =>'bar']);`
	`305`	`+$request->setMethod('POST');`
	`306`	`+`
	`307`	`+$csrfTokenManager =$this->createMock(CsrfTokenManagerInterface::class);`
	`308`	`+$csrfTokenManager->expects($this->once())`
	`309`	`+ ->method('isTokenValid')`
	`310`	`+ ->withAnyParameters()`
	`311`	`+ ->willReturn(false);`
	`312`	`+`
	`313`	`+$event =newControllerArgumentsEvent(`
	`314`	`+$this->createMock(HttpKernelInterface::class),`
	`315`	`+ [newIsCsrfTokenValidAttributeMethodsController(),'withPostMethodAndInvalidTokenKey'],`
	`316`	`+ [],`
	`317`	`+$request,`
	`318`	`+null`
	`319`	`+ );`
	`320`	`+`
	`321`	`+$listener =newIsCsrfTokenValidAttributeListener($csrfTokenManager);`
	`322`	`+$listener->onKernelControllerArguments($event);`
	`323`	`+ }`
	`324`	`+`
	`325`	`+publicfunctiontestIsCsrfTokenValidIgnoredWithInvalidTokenKeyAndUnavailableMethod()`
	`326`	`+ {`
	`327`	`+$request =newRequest(request: ['_token' =>'bar']);`
	`328`	`+$request->setMethod('PUT');`
	`329`	`+`
	`330`	`+$csrfTokenManager =$this->createMock(CsrfTokenManagerInterface::class);`
	`331`	`+$csrfTokenManager->expects($this->never())`
	`332`	`+ ->method('isTokenValid')`
	`333`	`+ ->withAnyParameters();`
	`334`	`+`
	`335`	`+$event =newControllerArgumentsEvent(`
	`336`	`+$this->createMock(HttpKernelInterface::class),`
	`337`	`+ [newIsCsrfTokenValidAttributeMethodsController(),'withPostMethodAndInvalidTokenKey'],`
	`338`	`+ [],`
	`339`	`+$request,`
	`340`	`+null`
	`341`	`+ );`
	`342`	`+`
	`343`	`+$listener =newIsCsrfTokenValidAttributeListener($csrfTokenManager);`
	`344`	`+$listener->onKernelControllerArguments($event);`
	`345`	`+ }`
`209`	`346`	`}`

`‎src/Symfony/Component/Security/Http/Tests/Fixtures/IsCsrfTokenValidAttributeMethodsController.php`

Lines changed: 15 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -44,4 +44,19 @@ public function withCustomTokenKey()`
`44`	`44`	`publicfunctionwithInvalidTokenKey()`
`45`	`45`	`{`
`46`	`46`	`}`
	`47`	`+`
	`48`	`+ #[IsCsrfTokenValid('foo', methods:'DELETE')]`
	`49`	`+publicfunctionwithDeleteMethod()`
	`50`	`+ {`
	`51`	`+ }`
	`52`	`+`
	`53`	`+ #[IsCsrfTokenValid('foo', methods: ['GET','POST'])]`
	`54`	`+publicfunctionwithGetOrPostMethod()`
	`55`	`+ {`
	`56`	`+ }`
	`57`	`+`
	`58`	`+ #[IsCsrfTokenValid('foo', tokenKey:'invalid_token_key', methods: ['POST'])]`
	`59`	`+publicfunctionwithPostMethodAndInvalidTokenKey()`
	`60`	`+ {`
	`61`	`+ }`
`47`	`62`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit640e7a4

File tree

5 files changed

5 files changed

`‎src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md`

`‎src/Symfony/Component/Security/Http/Attribute/IsCsrfTokenValid.php`

`‎src/Symfony/Component/Security/Http/EventListener/IsCsrfTokenValidAttributeListener.php`

`‎src/Symfony/Component/Security/Http/Tests/EventListener/IsCsrfTokenValidAttributeListenerTest.php`

`‎src/Symfony/Component/Security/Http/Tests/Fixtures/IsCsrfTokenValidAttributeMethodsController.php`

0 commit comments