feature #54443 [Security] Add support for dynamic CSRF id with Expression in #[IsCsrfTokenValid] (yguedidi)

nicolas-grekas · nicolas-grekas · commit 695bd1a93c0f · 2024-04-05T11:33:59.000+02:00
This PR was merged into the 7.1 branch. Discussion ---------- [Security] Add support for dynamic CSRF id with Expression in `#[IsCsrfTokenValid]` | Q | A | ------------- | --- | Branch? | 7.1 | Bug fix? | no | New feature? | yes | Deprecations? | no | Issues | continuation of #52961 from Hackday | License | MIT Use case is for example on a list page with delete action per item, and you want a CSRF token per item, so in the template you have something like the following: ```twig {# in a loop over multiple posts #} <form action="{{ path('post_delete', {post: post.id}) }}" method="POST"> <input type="hidden" name="_token" value="{{ csrf_token('delete-post-' ~ post.id) }}"> ... </form> ``` The new feature will allow: ```php #[IsCsrfTokenValid(new Expression('"delete-post-" ~ args["post"].id'))] public function delete(Request $request, Post $post): Response { // ... delete the post } ``` Maybe this need more tests but need help identify which test cases are useful. Hope this can pass before the feature freeze Commits ------- 8f99ca5 Add support for dynamic CSRF id in IsCsrfTokenValid
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/RegisterCsrfFeaturesPass.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/RegisterCsrfFeaturesPass.php
@@ -13,6 +13,7 @@
 
 use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\DependencyInjection\Reference;
 use Symfony\Component\Security\Csrf\TokenStorage\ClearableTokenStorageInterface;
 use Symfony\Component\Security\Http\EventListener\CsrfProtectionListener;
@@ -35,6 +36,10 @@ public function process(ContainerBuilder $container): void
 
     private function registerCsrfProtectionListener(ContainerBuilder $container): void
     {
+        if (!$container->hasDefinition('cache.system')) {
+            $container->removeDefinition('cache.security_is_csrf_token_valid_attribute_expression_language');
+        }
+
         if (!$container->has('security.authenticator.manager') || !$container->has('security.csrf.token_manager')) {
             return;
         }
@@ -45,6 +50,7 @@ private function registerCsrfProtectionListener(ContainerBuilder $container): vo
 
         $container->register('controller.is_csrf_token_valid_attribute_listener', IsCsrfTokenValidAttributeListener::class)
             ->addArgument(new Reference('security.csrf.token_manager'))
+            ->addArgument(new Reference('security.is_csrf_token_valid_attribute_expression_language', ContainerInterface::NULL_ON_INVALID_REFERENCE))
             ->addTag('kernel.event_subscriber');
     }
 
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -123,6 +123,7 @@ public function load(array $configs, ContainerBuilder $container): void
             $container->removeDefinition('security.expression_language');
             $container->removeDefinition('security.access.expression_voter');
             $container->removeDefinition('security.is_granted_attribute_expression_language');
+            $container->removeDefinition('security.is_csrf_token_valid_attribute_expression_language');
         }
 
         if (!class_exists(PasswordHasherExtension::class)) {
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security.php
@@ -303,5 +303,12 @@
         ->set('cache.security_is_granted_attribute_expression_language')
             ->parent('cache.system')
             ->tag('cache.pool')
+
+        ->set('security.is_csrf_token_valid_attribute_expression_language', BaseExpressionLanguage::class)
+            ->args([service('cache.security_is_csrf_token_valid_attribute_expression_language')->nullOnInvalid()])
+
+        ->set('cache.security_is_csrf_token_valid_attribute_expression_language')
+            ->parent('cache.system')
+            ->tag('cache.pool')
     ;
 };
diff --git a/src/Symfony/Component/Security/Http/Attribute/IsCsrfTokenValid.php b/src/Symfony/Component/Security/Http/Attribute/IsCsrfTokenValid.php
@@ -11,14 +11,16 @@
 
 namespace Symfony\Component\Security\Http\Attribute;
 
+use Symfony\Component\ExpressionLanguage\Expression;
+
 #[\Attribute(\Attribute::IS_REPEATABLE | \Attribute::TARGET_CLASS | \Attribute::TARGET_METHOD | \Attribute::TARGET_FUNCTION)]
 final class IsCsrfTokenValid
 {
     public function __construct(
         /**
-         * Sets the id used when generating the token.
+         * Sets the id, or an Expression evaluated to the id, used when generating the token.
          */
-        public string $id,
+        public string|Expression $id,
 
         /**
          * Sets the key of the request that contains the actual token value that should be validated.
diff --git a/src/Symfony/Component/Security/Http/EventListener/IsCsrfTokenValidAttributeListener.php b/src/Symfony/Component/Security/Http/EventListener/IsCsrfTokenValidAttributeListener.php
@@ -12,6 +12,9 @@
 namespace Symfony\Component\Security\Http\EventListener;
 
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\ExpressionLanguage\Expression;
+use Symfony\Component\ExpressionLanguage\ExpressionLanguage;
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Event\ControllerArgumentsEvent;
 use Symfony\Component\HttpKernel\KernelEvents;
 use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
@@ -26,6 +29,7 @@ final class IsCsrfTokenValidAttributeListener implements EventSubscriberInterfac
 {
     public function __construct(
         private readonly CsrfTokenManagerInterface $csrfTokenManager,
+        private ?ExpressionLanguage $expressionLanguage = null,
     ) {
     }
 
@@ -37,9 +41,12 @@ public function onKernelControllerArguments(ControllerArgumentsEvent $event): vo
         }
 
         $request = $event->getRequest();
+        $arguments = $event->getNamedArguments();
 
         foreach ($attributes as $attribute) {
-            if (!$this->csrfTokenManager->isTokenValid(new CsrfToken($attribute->id, $request->request->getString($attribute->tokenKey)))) {
+            $id = $this->getTokenId($attribute->id, $request, $arguments);
+
+            if (!$this->csrfTokenManager->isTokenValid(new CsrfToken($id, $request->request->getString($attribute->tokenKey)))) {
                 throw new InvalidCsrfTokenException('Invalid CSRF token.');
             }
         }
@@ -49,4 +56,18 @@ public static function getSubscribedEvents(): array
     {
         return [KernelEvents::CONTROLLER_ARGUMENTS => ['onKernelControllerArguments', 25]];
     }
+
+    private function getTokenId(string|Expression $id, Request $request, array $arguments): string
+    {
+        if (!$id instanceof Expression) {
+            return $id;
+        }
+
+        $this->expressionLanguage ??= new ExpressionLanguage();
+
+        return (string) $this->expressionLanguage->evaluate($id, [
+            'request' => $request,
+            'args' => $arguments,
+        ]);
+    }
 }
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/IsCsrfTokenValidAttributeListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/IsCsrfTokenValidAttributeListenerTest.php
@@ -9,9 +9,11 @@
  * file that was distributed with this source code.
  */
 
-namespace EventListener;
+namespace Symfony\Component\Security\Http\Tests\EventListener;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Component\ExpressionLanguage\Expression;
+use Symfony\Component\ExpressionLanguage\ExpressionLanguage;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Event\ControllerArgumentsEvent;
 use Symfony\Component\HttpKernel\HttpKernelInterface;
@@ -86,6 +88,37 @@ public function testIsCsrfTokenValidCalledCorrectly()
         $listener->onKernelControllerArguments($event);
     }
 
+    public function testIsCsrfTokenValidCalledCorrectlyWithCustomExpressionId()
+    {
+        $request = new Request(query: ['id' => '123'], request: ['_token' => 'bar']);
+
+        $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
+        $csrfTokenManager->expects($this->once())
+            ->method('isTokenValid')
+            ->with(new CsrfToken('foo_123', 'bar'))
+            ->willReturn(true);
+
+        $expressionLanguage = $this->createMock(ExpressionLanguage::class);
+        $expressionLanguage->expects($this->once())
+            ->method('evaluate')
+            ->with(new Expression('"foo_" ~ args.id'), [
+                'args' => ['id' => '123'],
+                'request' => $request,
+            ])
+            ->willReturn('foo_123');
+
+        $event = new ControllerArgumentsEvent(
+            $this->createMock(HttpKernelInterface::class),
+            [new IsCsrfTokenValidAttributeMethodsController(), 'withCustomExpressionId'],
+            ['123'],
+            $request,
+            null
+        );
+
+        $listener = new IsCsrfTokenValidAttributeListener($csrfTokenManager, $expressionLanguage);
+        $listener->onKernelControllerArguments($event);
+    }
+
     public function testIsCsrfTokenValidCalledCorrectlyWithCustomTokenKey()
     {
         $request = new Request(request: ['my_token_key' => 'bar']);
diff --git a/src/Symfony/Component/Security/Http/Tests/Fixtures/IsCsrfTokenValidAttributeMethodsController.php b/src/Symfony/Component/Security/Http/Tests/Fixtures/IsCsrfTokenValidAttributeMethodsController.php
@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\Security\Http\Tests\Fixtures;
 
+use Symfony\Component\ExpressionLanguage\Expression;
 use Symfony\Component\Security\Http\Attribute\IsCsrfTokenValid;
 
 class IsCsrfTokenValidAttributeMethodsController
@@ -24,6 +25,16 @@ public function withDefaultTokenKey()
     {
     }
 
+    #[IsCsrfTokenValid(new Expression('"foo_" ~ args.id'))]
+    public function withCustomExpressionId(string $id)
+    {
+    }
+
+    #[IsCsrfTokenValid(new Expression('"foo_" ~ args.slug'))]
+    public function withInvalidExpressionId(string $id)
+    {
+    }
+
     #[IsCsrfTokenValid('foo', tokenKey: 'my_token_key')]
     public function withCustomTokenKey()
     {

Original file line number	Diff line number	Diff line change
`@@ -123,6 +123,7 @@ public function load(array $configs, ContainerBuilder $container): void`
`123`	`123`	`$container->removeDefinition('security.expression_language');`
`124`	`124`	`$container->removeDefinition('security.access.expression_voter');`
`125`	`125`	`$container->removeDefinition('security.is_granted_attribute_expression_language');`
	`126`	`+ $container->removeDefinition('security.is_csrf_token_valid_attribute_expression_language');`
`126`	`127`	`}`
`127`	`128`
`128`	`129`	`if (!class_exists(PasswordHasherExtension::class)) {`
Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,9 @@`
`12`	`12`	`namespace Symfony\Component\Security\Http\EventListener;`
`13`	`13`
`14`	`14`	`use Symfony\Component\EventDispatcher\EventSubscriberInterface;`
	`15`	`+use Symfony\Component\ExpressionLanguage\Expression;`
	`16`	`+use Symfony\Component\ExpressionLanguage\ExpressionLanguage;`
	`17`	`+use Symfony\Component\HttpFoundation\Request;`
`15`	`18`	`use Symfony\Component\HttpKernel\Event\ControllerArgumentsEvent;`
`16`	`19`	`use Symfony\Component\HttpKernel\KernelEvents;`
`17`	`20`	`use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;`
`@@ -26,6 +29,7 @@ final class IsCsrfTokenValidAttributeListener implements EventSubscriberInterfac`
`26`	`29`	`{`
`27`	`30`	`public function __construct(`
`28`	`31`	`private readonly CsrfTokenManagerInterface $csrfTokenManager,`
	`32`	`+ private ?ExpressionLanguage $expressionLanguage = null,`
`29`	`33`	`) {`
`30`	`34`	`}`
`31`	`35`
`@@ -37,9 +41,12 @@ public function onKernelControllerArguments(ControllerArgumentsEvent $event): vo`
`37`	`41`	`}`
`38`	`42`
`39`	`43`	`$request = $event->getRequest();`
	`44`	`+ $arguments = $event->getNamedArguments();`
`40`	`45`
`41`	`46`	`foreach ($attributes as $attribute) {`
`42`		`- if (!$this->csrfTokenManager->isTokenValid(new CsrfToken($attribute->id, $request->request->getString($attribute->tokenKey)))) {`
	`47`	`+ $id = $this->getTokenId($attribute->id, $request, $arguments);`
	`48`	`+`
	`49`	`+ if (!$this->csrfTokenManager->isTokenValid(new CsrfToken($id, $request->request->getString($attribute->tokenKey)))) {`
`43`	`50`	`throw new InvalidCsrfTokenException('Invalid CSRF token.');`
`44`	`51`	`}`
`45`	`52`	`}`
`@@ -49,4 +56,18 @@ public static function getSubscribedEvents(): array`
`49`	`56`	`{`
`50`	`57`	`return [KernelEvents::CONTROLLER_ARGUMENTS => ['onKernelControllerArguments', 25]];`
`51`	`58`	`}`
	`59`	`+`
	`60`	`+ private function getTokenId(string\|Expression $id, Request $request, array $arguments): string`
	`61`	`+ {`
	`62`	`+ if (!$id instanceof Expression) {`
	`63`	`+ return $id;`
	`64`	`+ }`
	`65`	`+`
	`66`	`+ $this->expressionLanguage ??= new ExpressionLanguage();`
	`67`	`+`
	`68`	`+ return (string) $this->expressionLanguage->evaluate($id, [`
	`69`	`+ 'request' => $request,`
	`70`	`+ 'args' => $arguments,`
	`71`	`+ ]);`
	`72`	`+ }`
`52`	`73`	`}`