NotificationsYou must be signed in to change notification settings
Fork9.7k
Star30.8k

Commite8075f0

committed

Don't produce TypeErrors for non-string CSRF tokens

Signed-off-by: Alexander M. Turek <me@derrabus.de>

1 parent66817c2 commite8075f0Copy full SHA for e8075f0

File tree

5 files changed

+106

-20

lines changed

src/Symfony/Component/Security/Http
- Firewall
- Tests/Firewall
  - LogoutListenerTest.php
  - UsernamePasswordFormAuthenticationListenerTest.php

5 files changed

+106

-20

lines changed

`‎src/Symfony/Component/Security/Http/Firewall/LogoutListener.php‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -87,7 +87,7 @@ public function authenticate(RequestEvent $event)`
`87`	`87`	`if (null !==$this->csrfTokenManager) {`
`88`	`88`	`$csrfToken = ParameterBagUtils::getRequestParameterValue($request,$this->options['csrf_parameter']);`
`89`	`89`
`90`		`-if (false ===$this->csrfTokenManager->isTokenValid(newCsrfToken($this->options['csrf_token_id'],$csrfToken))) {`
	`90`	`+if (!\is_string($csrfToken) \|\|false ===$this->csrfTokenManager->isTokenValid(newCsrfToken($this->options['csrf_token_id'],$csrfToken))) {`
`91`	`91`	`thrownewLogoutException('Invalid CSRF token.');`
`92`	`92`	`}`
`93`	`93`	`}`

`‎src/Symfony/Component/Security/Http/Firewall/SimpleFormAuthenticationListener.php‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ protected function attemptAuthentication(Request $request)`
`84`	`84`	`if (null !==$this->csrfTokenManager) {`
`85`	`85`	`$csrfToken = ParameterBagUtils::getRequestParameterValue($request,$this->options['csrf_parameter']);`
`86`	`86`
`87`		`-if (false ===$this->csrfTokenManager->isTokenValid(newCsrfToken($this->options['csrf_token_id'],$csrfToken))) {`
	`87`	`+if (!\is_string($csrfToken) \|\|false ===$this->csrfTokenManager->isTokenValid(newCsrfToken($this->options['csrf_token_id'],$csrfToken))) {`
`88`	`88`	`thrownewInvalidCsrfTokenException('Invalid CSRF token.');`
`89`	`89`	`}`
`90`	`90`	`}`

`‎src/Symfony/Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ protected function attemptAuthentication(Request $request)`
`72`	`72`	`if (null !==$this->csrfTokenManager) {`
`73`	`73`	`$csrfToken = ParameterBagUtils::getRequestParameterValue($request,$this->options['csrf_parameter']);`
`74`	`74`
`75`		`-if (false ===$this->csrfTokenManager->isTokenValid(newCsrfToken($this->options['csrf_token_id'],$csrfToken))) {`
	`75`	`+if (!\is_string($csrfToken) \|\|false ===$this->csrfTokenManager->isTokenValid(newCsrfToken($this->options['csrf_token_id'],$csrfToken))) {`
`76`	`76`	`thrownewInvalidCsrfTokenException('Invalid CSRF token.');`
`77`	`77`	`}`
`78`	`78`	`}`

`‎src/Symfony/Component/Security/Http/Tests/Firewall/LogoutListenerTest.php‎`

Lines changed: 17 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -152,28 +152,42 @@ public function testSuccessHandlerReturnsNonResponse()`
`152`	`152`	`$listener($event);`
`153`	`153`	`}`
`154`	`154`
`155`		`-publicfunctiontestCsrfValidationFails()`
	`155`	`+/**`
	`156`	`+ * @dataProvider provideInvalidCsrfTokens`
	`157`	`+ */`
	`158`	`+publicfunctiontestCsrfValidationFails($invalidToken)`
`156`	`159`	`{`
`157`	`160`	`$this->expectException(LogoutException::class);`
`158`	`161`	`$tokenManager =$this->getTokenManager();`
`159`	`162`
`160`	`163`	`[$listener, ,$httpUtils,$options] =$this->getListener(null,$tokenManager);`
`161`	`164`
`162`	`165`	`$request =newRequest();`
`163`		`-$request->query->set('_csrf_token','token');`
	`166`	`+if (null !==$invalidToken) {`
	`167`	`+$request->query->set('_csrf_token',$invalidToken);`
	`168`	`+ }`
`164`	`169`
`165`	`170`	`$httpUtils->expects($this->once())`
`166`	`171`	`->method('checkRequestPath')`
`167`	`172`	`->with($request,$options['logout_path'])`
`168`	`173`	`->willReturn(true);`
`169`	`174`
`170`		`-$tokenManager->expects($this->once())`
	`175`	`+$tokenManager`
`171`	`176`	`->method('isTokenValid')`
`172`	`177`	`->willReturn(false);`
`173`	`178`
`174`	`179`	`$listener(newRequestEvent($this->createMock(HttpKernelInterface::class),$request, HttpKernelInterface::MASTER_REQUEST));`
`175`	`180`	`}`
`176`	`181`
	`182`	`+publicfunctionprovideInvalidCsrfTokens():array`
	`183`	`+ {`
	`184`	`+return [`
	`185`	`+ ['invalid'],`
	`186`	`+ [['in' =>'valid']],`
	`187`	`+ [null],`
	`188`	`+ ];`
	`189`	`+ }`
	`190`	`+`
`177`	`191`	`privatefunctiongetTokenManager()`
`178`	`192`	`{`
`179`	`193`	`return$this->createMock(CsrfTokenManagerInterface::class);`

`‎src/Symfony/Component/Security/Http/Tests/Firewall/UsernamePasswordFormAuthenticationListenerTest.php‎`

Lines changed: 86 additions & 14 deletions

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@`
`24`	`24`	`useSymfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;`
`25`	`25`	`useSymfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;`
`26`	`26`	`useSymfony\Component\Security\Core\Security;`
	`27`	`+useSymfony\Component\Security\Csrf\CsrfTokenManagerInterface;`
`27`	`28`	`useSymfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;`
`28`	`29`	`useSymfony\Component\Security\Http\Authentication\DefaultAuthenticationFailureHandler;`
`29`	`30`	`useSymfony\Component\Security\Http\Authentication\DefaultAuthenticationSuccessHandler;`
`@@ -37,7 +38,7 @@ class UsernamePasswordFormAuthenticationListenerTest extends TestCase`
`37`	`38`	`/**`
`38`	`39`	`* @dataProvider getUsernameForLength`
`39`	`40`	`*/`
`40`		`-publicfunctiontestHandleWhenUsernameLength($username,$ok)`
	`41`	`+publicfunctiontestHandleWhenUsernameLength(string$username,bool$ok)`
`41`	`42`	`{`
`42`	`43`	`$request = Request::create('/login_check','POST', ['_username' =>$username]);`
`43`	`44`	`$request->setSession($this->createMock(SessionInterface::class));`
`@@ -75,7 +76,7 @@ public function testHandleWhenUsernameLength($username, $ok)`
`75`	`76`	`'TheProviderKey',`
`76`	`77`	`newDefaultAuthenticationSuccessHandler($httpUtils),`
`77`	`78`	`$failureHandler,`
`78`		`- ['require_previous_session' =>false]`
	`79`	`+ ['require_previous_session' =>false],`
`79`	`80`	`);`
`80`	`81`
`81`	`82`	`$listener(newRequestEvent($this->createMock(HttpKernelInterface::class),$request, HttpKernelInterface::MASTER_REQUEST));`
`@@ -84,10 +85,8 @@ public function testHandleWhenUsernameLength($username, $ok)`
`84`	`85`	`/**`
`85`	`86`	`* @dataProvider postOnlyDataProvider`
`86`	`87`	`*/`
`87`		`-publicfunctiontestHandleNonStringUsernameWithArray($postOnly)`
	`88`	`+publicfunctiontestHandleNonStringUsernameWithArray(bool$postOnly)`
`88`	`89`	`{`
`89`		`-$this->expectException(BadRequestHttpException::class);`
`90`		`-$this->expectExceptionMessage('The key "_username" must be a string, "array" given.');`
`91`	`90`	`$request = Request::create('/login_check','POST', ['_username' => []]);`
`92`	`91`	`$request->setSession($this->createMock(SessionInterface::class));`
`93`	`92`	`$listener =newUsernamePasswordFormAuthenticationListener(`
`@@ -101,16 +100,18 @@ public function testHandleNonStringUsernameWithArray($postOnly)`
`101`	`100`	`['require_previous_session' =>false,'post_only' =>$postOnly]`
`102`	`101`	`);`
`103`	`102`	`$event =newRequestEvent($this->createMock(HttpKernelInterface::class),$request, HttpKernelInterface::MASTER_REQUEST);`
	`103`	`+`
	`104`	`+$this->expectException(BadRequestHttpException::class);`
	`105`	`+$this->expectExceptionMessage('The key "_username" must be a string, "array" given.');`
	`106`	`+`
`104`	`107`	`$listener($event);`
`105`	`108`	`}`
`106`	`109`
`107`	`110`	`/**`
`108`	`111`	`* @dataProvider postOnlyDataProvider`
`109`	`112`	`*/`
`110`		`-publicfunctiontestHandleNonStringUsernameWithInt($postOnly)`
	`113`	`+publicfunctiontestHandleNonStringUsernameWithInt(bool$postOnly)`
`111`	`114`	`{`
`112`		`-$this->expectException(BadRequestHttpException::class);`
`113`		`-$this->expectExceptionMessage('The key "_username" must be a string, "integer" given.');`
`114`	`115`	`$request = Request::create('/login_check','POST', ['_username' =>42]);`
`115`	`116`	`$request->setSession($this->createMock(SessionInterface::class));`
`116`	`117`	`$listener =newUsernamePasswordFormAuthenticationListener(`
`@@ -124,16 +125,18 @@ public function testHandleNonStringUsernameWithInt($postOnly)`
`124`	`125`	`['require_previous_session' =>false,'post_only' =>$postOnly]`
`125`	`126`	`);`
`126`	`127`	`$event =newRequestEvent($this->createMock(HttpKernelInterface::class),$request, HttpKernelInterface::MASTER_REQUEST);`
	`128`	`+`
	`129`	`+$this->expectException(BadRequestHttpException::class);`
	`130`	`+$this->expectExceptionMessage('The key "_username" must be a string, "integer" given.');`
	`131`	`+`
`127`	`132`	`$listener($event);`
`128`	`133`	`}`
`129`	`134`
`130`	`135`	`/**`
`131`	`136`	`* @dataProvider postOnlyDataProvider`
`132`	`137`	`*/`
`133`		`-publicfunctiontestHandleNonStringUsernameWithObject($postOnly)`
	`138`	`+publicfunctiontestHandleNonStringUsernameWithObject(bool$postOnly)`
`134`	`139`	`{`
`135`		`-$this->expectException(BadRequestHttpException::class);`
`136`		`-$this->expectExceptionMessage('The key "_username" must be a string, "object" given.');`
`137`	`140`	`$request = Request::create('/login_check','POST', ['_username' =>new \stdClass()]);`
`138`	`141`	`$request->setSession($this->createMock(SessionInterface::class));`
`139`	`142`	`$listener =newUsernamePasswordFormAuthenticationListener(`
`@@ -147,13 +150,17 @@ public function testHandleNonStringUsernameWithObject($postOnly)`
`147`	`150`	`['require_previous_session' =>false,'post_only' =>$postOnly]`
`148`	`151`	`);`
`149`	`152`	`$event =newRequestEvent($this->createMock(HttpKernelInterface::class),$request, HttpKernelInterface::MASTER_REQUEST);`
	`153`	`+`
	`154`	`+$this->expectException(BadRequestHttpException::class);`
	`155`	`+$this->expectExceptionMessage('The key "_username" must be a string, "object" given.');`
	`156`	`+`
`150`	`157`	`$listener($event);`
`151`	`158`	`}`
`152`	`159`
`153`	`160`	`/**`
`154`	`161`	`* @dataProvider postOnlyDataProvider`
`155`	`162`	`*/`
`156`		`-publicfunctiontestHandleNonStringUsernameWith__toString($postOnly)`
	`163`	`+publicfunctiontestHandleNonStringUsernameWith__toString(bool$postOnly)`
`157`	`164`	`{`
`158`	`165`	`$usernameClass =$this->createMock(DummyUserClass::class);`
`159`	`166`	`$usernameClass`
`@@ -177,21 +184,86 @@ public function testHandleNonStringUsernameWith__toString($postOnly)`
`177`	`184`	`$listener($event);`
`178`	`185`	`}`
`179`	`186`
`180`		`-publicfunctionpostOnlyDataProvider()`
	`187`	`+/**`
	`188`	`+ * @dataProvider provideInvalidCsrfTokens`
	`189`	`+ */`
	`190`	`+publicfunctiontestInvalidCsrfToken($invalidToken)`
	`191`	`+ {`
	`192`	`+$formBody = ['_username' =>'fabien','_password' =>'symfony'];`
	`193`	`+if (null !==$invalidToken) {`
	`194`	`+$formBody['_csrf_token'] =$invalidToken;`
	`195`	`+ }`
	`196`	`+`
	`197`	`+$request = Request::create('/login_check','POST',$formBody);`
	`198`	`+$request->setSession($this->createMock(SessionInterface::class));`
	`199`	`+`
	`200`	`+$httpUtils =$this->createMock(HttpUtils::class);`
	`201`	`+$httpUtils`
	`202`	`+ ->method('checkRequestPath')`
	`203`	`+ ->willReturn(true)`
	`204`	`+ ;`
	`205`	`+$httpUtils`
	`206`	`+ ->method('createRedirectResponse')`
	`207`	`+ ->willReturn(newRedirectResponse('/hello'))`
	`208`	`+ ;`
	`209`	`+`
	`210`	`+$failureHandler =$this->createMock(AuthenticationFailureHandlerInterface::class);`
	`211`	`+$failureHandler`
	`212`	`+ ->expects($this->once())`
	`213`	`+ ->method('onAuthenticationFailure')`
	`214`	`+ ->willReturn(newResponse())`
	`215`	`+ ;`
	`216`	`+`
	`217`	`+$authenticationManager =$this->createMock(AuthenticationProviderManager::class);`
	`218`	`+$authenticationManager`
	`219`	`+ ->expects($this->never())`
	`220`	`+ ->method('authenticate')`
	`221`	`+ ;`
	`222`	`+`
	`223`	`+$csrfTokenManager =$this->createMock(CsrfTokenManagerInterface::class);`
	`224`	`+$csrfTokenManager->method('isTokenValid')->willReturn(false);`
	`225`	`+`
	`226`	`+$listener =newUsernamePasswordFormAuthenticationListener(`
	`227`	`+$this->createMock(TokenStorageInterface::class),`
	`228`	`+$authenticationManager,`
	`229`	`+$this->createMock(SessionAuthenticationStrategyInterface::class),`
	`230`	`+$httpUtils,`
	`231`	`+'TheProviderKey',`
	`232`	`+newDefaultAuthenticationSuccessHandler($httpUtils),`
	`233`	`+$failureHandler,`
	`234`	`+ ['require_previous_session' =>false],`
	`235`	`+null,`
	`236`	`+null,`
	`237`	`+$csrfTokenManager`
	`238`	`+ );`
	`239`	`+`
	`240`	`+$listener(newRequestEvent($this->createMock(HttpKernelInterface::class),$request, HttpKernelInterface::MASTER_REQUEST));`
	`241`	`+ }`
	`242`	`+`
	`243`	`+publicfunctionpostOnlyDataProvider():array`
`181`	`244`	`{`
`182`	`245`	`return [`
`183`	`246`	`[true],`
`184`	`247`	`[false],`
`185`	`248`	`];`
`186`	`249`	`}`
`187`	`250`
`188`		`-publicfunctiongetUsernameForLength()`
	`251`	`+publicfunctiongetUsernameForLength():array`
`189`	`252`	`{`
`190`	`253`	`return [`
`191`	`254`	`[str_repeat('x', Security::MAX_USERNAME_LENGTH +1),false],`
`192`	`255`	`[str_repeat('x', Security::MAX_USERNAME_LENGTH -1),true],`
`193`	`256`	`];`
`194`	`257`	`}`
	`258`	`+`
	`259`	`+publicfunctionprovideInvalidCsrfTokens():array`
	`260`	`+ {`
	`261`	`+return [`
	`262`	`+ ['invalid'],`
	`263`	`+ [['in' =>'valid']],`
	`264`	`+ [null],`
	`265`	`+ ];`
	`266`	`+ }`
`195`	`267`	`}`
`196`	`268`
`197`	`269`	`class DummyUserClass`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commite8075f0

File tree

5 files changed

5 files changed

`‎src/Symfony/Component/Security/Http/Firewall/LogoutListener.php‎`

`‎src/Symfony/Component/Security/Http/Firewall/SimpleFormAuthenticationListener.php‎`

`‎src/Symfony/Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php‎`

`‎src/Symfony/Component/Security/Http/Tests/Firewall/LogoutListenerTest.php‎`

`‎src/Symfony/Component/Security/Http/Tests/Firewall/UsernamePasswordFormAuthenticationListenerTest.php‎`

0 commit comments