bug #57488 [Security] check token in payload instead just request (eltharin)

fabpot · fabpot · commit c9c16e9cb511 · 2024-06-25T08:39:47.000+02:00
This PR was squashed before being merged into the 7.1 branch. Discussion ---------- [Security] check token in payload instead just request | Q | A | ------------- | --- | Branch? | 7.1 | Bug fix? | yes | New feature? | no | Deprecations? | no | License | MIT Replace request by getPayload for allow token to ba passed in Json for an API call Commits ------- a94fe82 [Security] check token in payload instead just request
diff --git a/src/Symfony/Component/Security/Http/EventListener/IsCsrfTokenValidAttributeListener.php b/src/Symfony/Component/Security/Http/EventListener/IsCsrfTokenValidAttributeListener.php
@@ -46,7 +46,7 @@ public function onKernelControllerArguments(ControllerArgumentsEvent $event): vo
         foreach ($attributes as $attribute) {
             $id = $this->getTokenId($attribute->id, $request, $arguments);
 
-            if (!$this->csrfTokenManager->isTokenValid(new CsrfToken($id, $request->request->getString($attribute->tokenKey)))) {
+            if (!$this->csrfTokenManager->isTokenValid(new CsrfToken($id, $request->getPayload()->getString($attribute->tokenKey)))) {
                 throw new InvalidCsrfTokenException('Invalid CSRF token.');
             }
         }
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/IsCsrfTokenValidAttributeListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/IsCsrfTokenValidAttributeListenerTest.php
@@ -88,6 +88,28 @@ public function testIsCsrfTokenValidCalledCorrectly()
         $listener->onKernelControllerArguments($event);
     }
 
+    public function testIsCsrfTokenValidCalledCorrectlyInPayload()
+    {
+        $request = new Request(server: ['headers' => ['content-type' => 'application/json']], content: json_encode(['_token' => 'bar']));
+
+        $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
+        $csrfTokenManager->expects($this->once())
+            ->method('isTokenValid')
+            ->with(new CsrfToken('foo', 'bar'))
+            ->willReturn(true);
+
+        $event = new ControllerArgumentsEvent(
+            $this->createMock(HttpKernelInterface::class),
+            [new IsCsrfTokenValidAttributeMethodsController(), 'withDefaultTokenKey'],
+            [],
+            $request,
+            null
+        );
+
+        $listener = new IsCsrfTokenValidAttributeListener($csrfTokenManager);
+        $listener->onKernelControllerArguments($event);
+    }
+
     public function testIsCsrfTokenValidCalledCorrectlyWithCustomExpressionId()
     {
         $request = new Request(query: ['id' => '123'], request: ['_token' => 'bar']);

Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ public function onKernelControllerArguments(ControllerArgumentsEvent $event): vo`
`46`	`46`	`foreach ($attributes as $attribute) {`
`47`	`47`	`$id = $this->getTokenId($attribute->id, $request, $arguments);`
`48`	`48`
`49`		`- if (!$this->csrfTokenManager->isTokenValid(new CsrfToken($id, $request->request->getString($attribute->tokenKey)))) {`
	`49`	`+ if (!$this->csrfTokenManager->isTokenValid(new CsrfToken($id, $request->getPayload()->getString($attribute->tokenKey)))) {`
`50`	`50`	`throw new InvalidCsrfTokenException('Invalid CSRF token.');`
`51`	`51`	`}`
`52`	`52`	`}`