Skip to content

fix: ensure csrf token is string#9365

Merged
paulbalandan merged 11 commits intocodeigniter4:developfrom
datlechin:fix-csrf-token
Jan 18, 2025
Merged

fix: ensure csrf token is string#9365
paulbalandan merged 11 commits intocodeigniter4:developfrom
datlechin:fix-csrf-token

Conversation

@datlechin
Copy link

@datlechin datlechin commented Jan 3, 2025
edited
Loading

Description
Make sure the CSRF token must be a string, because hackers can fake the request and pass csrf_main as an array, the system will break 500.

Checklist:

  • Securely signed commits
  • Component(s) with PHPDoc blocks, only if necessary or adds value
  • Unit testing, with >80% coverage
  • User guide updated
  • Conforms to style guide

@kenjis kenjis added the tests needed Pull requests that need tests label Jan 3, 2025
@michalsn
Copy link
Member

michalsn commented Jan 3, 2025

The same check should be made for php:://input data.

@neznaika0
Copy link
Contributor

neznaika0 commented Jan 3, 2025

Look at this:

    private function getPostedToken(RequestInterface $request): ?string
    {
        assert($request instanceof IncomingRequest);

        // Does the token exist in POST, HEADER or optionally php:://input - json data or PUT, DELETE, PATCH - raw data.

        if ($tokenValue = $request->getPost($this->config->tokenName)) {
            return is_string($tokenValue) ? $tokenValue : null;
        }

        if ($request->hasHeader($this->config->headerName)
            && $request->header($this->config->headerName)->getValue() !== ''
            && $request->header($this->config->headerName)->getValue() !== []) {
            return $request->header($this->config->headerName)->getValue();
        }

        $body = (string) $request->getBody();

        if ($body !== '') {
            $json = json_decode($body);
            if ($json !== null && json_last_error() === JSON_ERROR_NONE) {
                return (isset($json->{$this->config->tokenName}) && is_string($json->{$this->config->tokenName}))
                    ? $json->{$this->config->tokenName}
                    : null;
            }

            parse_str($body, $parsed);

            return (isset($parsed[$this->config->tokenName]) && is_string($parsed[$this->config->tokenName]))
                ? $parsed[$this->config->tokenName]
                : null;
        }

        return null;
    }

@michalsn michalsn added bug Verified issues on the current code behavior or pull requests that will fix them GPG-Signing needed Pull requests that need GPG-Signing and removed tests needed Pull requests that need tests labels Jan 4, 2025
michalsn
michalsn requested changes Jan 4, 2025
View reviewed changes
Copy link
Member

@michalsn michalsn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Please also handle the case where the CSRF token comes from the php://input.

Your commits have to be signed:

You can fix the code style with the command:

composer cs-fix

paulbalandan
paulbalandan reviewed Jan 8, 2025
View reviewed changes
michalsn
michalsn reviewed Jan 14, 2025
View reviewed changes
Copy link
Member

@michalsn michalsn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Almost there - we also have to check the result of parse_str() function.

And we also need tests for these two scenarios: php://input and parse_str().

@michalsn michalsn removed the GPG-Signing needed Pull requests that need GPG-Signing label Jan 14, 2025
@datlechin datlechin requested a review from michalsn January 14, 2025 07:59
@michalsn
Copy link
Member

michalsn commented Jan 14, 2025

@datlechin Please run composer cs-fix.

michalsn
michalsn requested changes Jan 14, 2025
View reviewed changes
Copy link
Member

@michalsn michalsn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a chengelog entry here: https://github.com/codeigniter4/CodeIgniter4/blob/develop/user_guide_src/source/changelogs/v4.5.8.rst under "Bugs Fixed".

You can see the previous changelogs as a reference.

@neznaika0
Copy link
Contributor

neznaika0 commented Jan 14, 2025

You need to check here too, the array is unnecessary:

if ($request->hasHeader($this->config->headerName)
    && $request->header($this->config->headerName)->getValue() !== ''
    && $request->header($this->config->headerName)->getValue() !== []) {
if ($request->hasHeader($this->config->headerName)
    && is_string($request->header($this->config->headerName)->getValue())
    && $request->header($this->config->headerName)->getValue() !== '') {

['malicious' => 'data'] No offense. You can use common words instead of nicknames?

@datlechin datlechin requested a review from michalsn January 15, 2025 04:16
michalsn
michalsn requested changes Jan 17, 2025
View reviewed changes
@datlechin datlechin requested a review from michalsn January 17, 2025 09:46
@michalsn
Copy link
Member

michalsn commented Jan 17, 2025

@datlechin Please run composer cs-fix

paulbalandan
paulbalandan reviewed Jan 18, 2025
View reviewed changes
@paulbalandan paulbalandan requested review from michalsn and removed request for michalsn January 18, 2025 14:23
@paulbalandan paulbalandan merged commit 97a6d66 into codeigniter4:develop Jan 18, 2025
41 checks passed
@paulbalandan
Copy link
Member

paulbalandan commented Jan 18, 2025

Thank you, @datlechin

@datlechin datlechin deleted the fix-csrf-token branch January 18, 2025 17:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michalsn michalsn michalsn approved these changes

@paulbalandan paulbalandan paulbalandan approved these changes

Assignees

No one assigned

Labels

bug Verified issues on the current code behavior or pull requests that will fix them

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@datlechin @michalsn @neznaika0 @paulbalandan @kenjis