Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: ensure csrf token is string #9365

Open
wants to merge 10 commits into
base: develop
Choose a base branch
from
Open

fix: ensure csrf token is string #9365

wants to merge 10 commits into from

Conversation

datlechin
Copy link

@datlechin datlechin commented Jan 3, 2025
edited
Loading

Description
Make sure the CSRF token must be a string, because hackers can fake the request and pass csrf_main as an array, the system will break 500.

Checklist:

  • Securely signed commits
  • Component(s) with PHPDoc blocks, only if necessary or adds value
  • Unit testing, with >80% coverage
  • User guide updated
  • Conforms to style guide

@kenjis kenjis added the tests needed Pull requests that need tests label Jan 3, 2025
@michalsn
Copy link
Member

michalsn commented Jan 3, 2025

The same check should be made for php:://input data.

@neznaika0
Copy link
Contributor

Look at this:

    private function getPostedToken(RequestInterface $request): ?string
    {
        assert($request instanceof IncomingRequest);

        // Does the token exist in POST, HEADER or optionally php:://input - json data or PUT, DELETE, PATCH - raw data.

        if ($tokenValue = $request->getPost($this->config->tokenName)) {
            return is_string($tokenValue) ? $tokenValue : null;
        }

        if ($request->hasHeader($this->config->headerName)
            && $request->header($this->config->headerName)->getValue() !== ''
            && $request->header($this->config->headerName)->getValue() !== []) {
            return $request->header($this->config->headerName)->getValue();
        }

        $body = (string) $request->getBody();

        if ($body !== '') {
            $json = json_decode($body);
            if ($json !== null && json_last_error() === JSON_ERROR_NONE) {
                return (isset($json->{$this->config->tokenName}) && is_string($json->{$this->config->tokenName}))
                    ? $json->{$this->config->tokenName}
                    : null;
            }

            parse_str($body, $parsed);

            return (isset($parsed[$this->config->tokenName]) && is_string($parsed[$this->config->tokenName]))
                ? $parsed[$this->config->tokenName]
                : null;
        }

        return null;
    }

@michalsn michalsn added bug Verified issues on the current code behavior or pull requests that will fix them GPG-Signing needed Pull requests that need GPG-Signing and removed tests needed Pull requests that need tests labels Jan 4, 2025
michalsn
michalsn requested changes Jan 4, 2025
View reviewed changes
Copy link
Member

@michalsn michalsn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Please also handle the case where the CSRF token comes from the php://input.

Your commits have to be signed:

You can fix the code style with the command:

composer cs-fix

michalsn
michalsn reviewed Jan 14, 2025
View reviewed changes
Copy link
Member

@michalsn michalsn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Almost there - we also have to check the result of parse_str() function.

And we also need tests for these two scenarios: php://input and parse_str().

@michalsn michalsn removed the GPG-Signing needed Pull requests that need GPG-Signing label Jan 14, 2025
@datlechin datlechin requested a review from michalsn January 14, 2025 07:59
@michalsn
Copy link
Member

@datlechin Please run composer cs-fix.

michalsn
michalsn requested changes Jan 14, 2025
View reviewed changes
Copy link
Member

@michalsn michalsn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a chengelog entry here: https://github.com/codeigniter4/CodeIgniter4/blob/develop/user_guide_src/source/changelogs/v4.5.8.rst under "Bugs Fixed".

You can see the previous changelogs as a reference.

@neznaika0
Copy link
Contributor

You need to check here too, the array is unnecessary:

if ($request->hasHeader($this->config->headerName)
    && $request->header($this->config->headerName)->getValue() !== ''
    && $request->header($this->config->headerName)->getValue() !== []) {
if ($request->hasHeader($this->config->headerName)
    && is_string($request->header($this->config->headerName)->getValue())
    && $request->header($this->config->headerName)->getValue() !== '') {

['malicious' => 'data'] No offense. You can use common words instead of nicknames?

@datlechin datlechin requested a review from michalsn January 15, 2025 04:16
michalsn
michalsn requested changes Jan 17, 2025
View reviewed changes
system/Security/Security.php Outdated Show resolved Hide resolved
user_guide_src/source/changelogs/v4.5.8.rst Outdated Show resolved Hide resolved
@datlechin @michalsn
wip
afdbf42 
Co-authored-by: Michal Sniatala <michal@sniatala.pl>
@datlechin @michalsn
wip
5814ef5 
Co-authored-by: Michal Sniatala <michal@sniatala.pl>
@datlechin datlechin requested a review from michalsn January 17, 2025 09:46
@michalsn
Copy link
Member

@datlechin Please run composer cs-fix

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@paulbalandan paulbalandan Awaiting requested review from paulbalandan

@michalsn michalsn Awaiting requested review from michalsn

Assignees
No one assigned
Labels
bug Verified issues on the current code behavior or pull requests that will fix them
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@datlechin @michalsn @neznaika0 @paulbalandan @kenjis