Merge pull request from GHSA-3wjh-93gr-chh6

* Integration tests: Memoize request handler as well This is useful to send HTTP requests (or their PSR-7 equivalents) through the entire application's middleware stack (instead of talking to specific controllers, which should be considered implementation detail). * Add tests for CSRF token check * Integration tests: Configure vendor path Now that this is possible, make the easy change... * Implement middleware for CSRF token verification This fixes a rather large oversight in Flarum's codebase, which was that we had no explicit CSRF protection using the traditional token approach. The JS frontend was actually sending these tokens, but the backend did not require them. * Accept CSRF token in request body as well * Refactor tests to shorten HTTP requests Multiple tests now provide JSON request bodies, and others copy cookies from previous responses, so let's provide convenient helpers for these. * Fixed issue with tmp/storage/views not existing, this caused tmpname to notice. Fixed csrf test that assumed an access token allows application access, which is actually api token. Improved return type hinting in the StartSession middleware * Using a different setting key now, so that it won't break tests whenever you re-run them once smtp is set. Fixed, badly, the test to create users etc caused by the prepareDatabase flushing all settings by default. * added custom view, now needs translation
2025-07-21 16:51:34 +02:00 · 2019-06-24 09:14:39 +02:00
parent 6fe9ea3dee
commit a65074d01b
12 changed files with 376 additions and 18 deletions
--- a/framework/core/src/Http/Exception/TokenMismatchException.php
+++ b/framework/core/src/Http/Exception/TokenMismatchException.php
@@ -15,4 +15,8 @@ use Exception;

 class TokenMismatchException extends Exception
 {
+    public function __construct($message = null, $code = 419, Exception $previous = null)
+    {
+        parent::__construct($message, $code, $previous);
+    }
 }
--- a/framework/core/src/Http/Middleware/AuthenticateWithHeader.php
+++ b/framework/core/src/Http/Middleware/AuthenticateWithHeader.php
@@ -40,6 +40,7 @@ class AuthenticateWithHeader implements Middleware

                $request = $request->withAttribute('apiKey', $key);
                $request = $request->withAttribute('bypassFloodgate', true);
+                $request = $request->withAttribute('bypassCsrfToken', true);
            } elseif ($token = AccessToken::find($id)) {
                $token->touch();

--- a/framework/core/src/Http/Middleware/CheckCsrfToken.php
+++ b/framework/core/src/Http/Middleware/CheckCsrfToken.php
@@ -0,0 +1,48 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * (c) Toby Zerner <toby.zerner@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Flarum\Http\Middleware;
+
+use Flarum\Http\Exception\TokenMismatchException;
+use Psr\Http\Message\ResponseInterface as Response;
+use Psr\Http\Message\ServerRequestInterface as Request;
+use Psr\Http\Server\MiddlewareInterface as Middleware;
+use Psr\Http\Server\RequestHandlerInterface as Handler;
+
+class CheckCsrfToken implements Middleware
+{
+    public function process(Request $request, Handler $handler): Response
+    {
+        if (in_array($request->getMethod(), ['GET', 'HEAD', 'OPTIONS'])) {
+            return $handler->handle($request);
+        }
+
+        if ($request->getAttribute('bypassCsrfToken', false)) {
+            return $handler->handle($request);
+        }
+
+        if ($this->tokensMatch($request)) {
+            return $handler->handle($request);
+        }
+
+        throw new TokenMismatchException('CSRF token did not match');
+    }
+
+    private function tokensMatch(Request $request): bool
+    {
+        $expected = (string) $request->getAttribute('session')->token();
+
+        $provided = $request->getParsedBody()['csrfToken'] ??
+            $request->getHeaderLine('X-CSRF-Token');
+
+        return hash_equals($expected, $provided);
+    }
+}
--- a/framework/core/src/Http/Middleware/StartSession.php
+++ b/framework/core/src/Http/Middleware/StartSession.php
@@ -67,7 +67,7 @@ class StartSession implements Middleware
        return $this->withSessionCookie($response, $session);
    }

-    private function makeSession(Request $request)
+    private function makeSession(Request $request): Store
    {
        return new Store(
            $this->config['cookie'],
@@ -76,12 +76,12 @@ class StartSession implements Middleware
        );
    }

-    private function withCsrfTokenHeader(Response $response, Session $session)
+    private function withCsrfTokenHeader(Response $response, Session $session): Response
    {
        return $response->withHeader('X-CSRF-Token', $session->token());
    }

-    private function withSessionCookie(Response $response, Session $session)
+    private function withSessionCookie(Response $response, Session $session): Response
    {
        return FigResponseCookies::set(
            $response,
@@ -89,7 +89,7 @@ class StartSession implements Middleware
        );
    }

-    private function getSessionLifetimeInSeconds()
+    private function getSessionLifetimeInSeconds(): int
    {
        return $this->config['lifetime'] * 60;
    }