[Security] Implement stateless headers/cookies-based CSRF protection

nicolas-grekas · nicolas-grekas · commit 27d8a31d105e · 2024-10-08T15:08:31.000+02:00
diff --git a/src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md b/src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md
@@ -14,6 +14,8 @@ CHANGELOG
  * Deprecate making `cache.app` adapter taggable, use the `cache.app.taggable` adapter instead
  * Enable `json_decode_detailed_errors` in the default serializer context in debug mode by default when `seld/jsonlint` is installed
  * Register `Symfony\Component\Serializer\NameConverter\SnakeCaseToCamelCaseNameConverter` as a service named `serializer.name_converter.snake_case_to_camel_case` if available
+ * Add `framework.csrf_protection.stateless_token_ids`, `.cookie_name`, and `.check_header` options to use stateless headers/cookies-based CSRF protection
+ * Add `framework.form.csrf_protection.field_attr` option
  * Deprecate `session.sid_length` and `session.sid_bits_per_character` config options
  * Add the ability to use an existing service as a lock/semaphore resource
  * Add support for configuring multiple serializer instances via the configuration
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -209,9 +209,22 @@ private function addCsrfSection(ArrayNodeDefinition $rootNode): void
                     ->treatTrueLike(['enabled' => true])
                     ->treatNullLike(['enabled' => true])
                     ->addDefaultsIfNotSet()
+                    ->fixXmlConfig('stateless_token_id')
                     ->children()
-                        // defaults to framework.session.enabled && !class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class)
-                        ->booleanNode('enabled')->defaultNull()->end()
+                        // defaults to framework.csrf_protection.stateless_token_ids || framework.session.enabled && !class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class)
+                        ->scalarNode('enabled')->defaultNull()->end()
+                        ->arrayNode('stateless_token_ids')
+                            ->scalarPrototype()->end()
+                            ->info('Enable headers/cookies-based CSRF validation for the listed token ids.')
+                        ->end()
+                        ->scalarNode('check_header')
+                            ->defaultFalse()
+                            ->info('Whether to check the CSRF token in a header in addition to a cookie when using stateless protection.')
+                        ->end()
+                        ->scalarNode('cookie_name')
+                            ->defaultValue('csrf-token')
+                            ->info('The name of the cookie to use when using stateless protection.')
+                        ->end()
                     ->end()
                 ->end()
             ->end()
@@ -232,8 +245,14 @@ private function addFormSection(ArrayNodeDefinition $rootNode, callable $enableI
                             ->treatNullLike(['enabled' => true])
                             ->addDefaultsIfNotSet()
                             ->children()
-                                ->booleanNode('enabled')->defaultNull()->end() // defaults to framework.csrf_protection.enabled
+                                ->scalarNode('enabled')->defaultNull()->end() // defaults to framework.csrf_protection.enabled
+                                ->scalarNode('token_id')->defaultNull()->end()
                                 ->scalarNode('field_name')->defaultValue('_token')->end()
+                                ->arrayNode('field_attr')
+                                    ->performNoDeepMerging()
+                                    ->scalarPrototype()->end()
+                                    ->defaultValue(['data-controller' => 'csrf-protection'])
+                                ->end()
                             ->end()
                         ->end()
                     ->end()
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -464,7 +464,7 @@ public function load(array $configs, ContainerBuilder $container): void
 
         // csrf depends on session being registered
         if (null === $config['csrf_protection']['enabled']) {
-            $this->writeConfigEnabled('csrf_protection', $this->readConfigEnabled('session', $container, $config['session']) && !class_exists(FullStack::class) && ContainerBuilder::willBeAvailable('symfony/security-csrf', CsrfTokenManagerInterface::class, ['symfony/framework-bundle']), $config['csrf_protection']);
+            $this->writeConfigEnabled('csrf_protection', $config['csrf_protection']['stateless_token_ids'] || $this->readConfigEnabled('session', $container, $config['session']) && !class_exists(FullStack::class) && ContainerBuilder::willBeAvailable('symfony/security-csrf', CsrfTokenManagerInterface::class, ['symfony/framework-bundle']), $config['csrf_protection']);
         }
         $this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader);
 
@@ -765,6 +765,10 @@ private function registerFormConfiguration(array $config, ContainerBuilder $cont
 
             $container->setParameter('form.type_extension.csrf.enabled', true);
             $container->setParameter('form.type_extension.csrf.field_name', $config['form']['csrf_protection']['field_name']);
+            $container->setParameter('form.type_extension.csrf.field_attr', $config['form']['csrf_protection']['field_attr']);
+
+            $container->getDefinition('form.type_extension.csrf')
+                ->replaceArgument(7, $config['form']['csrf_protection']['token_id']);
         } else {
             $container->setParameter('form.type_extension.csrf.enabled', false);
         }
@@ -1815,8 +1819,7 @@ private function registerSecurityCsrfConfiguration(array $config, ContainerBuild
         if (!class_exists(\Symfony\Component\Security\Csrf\CsrfToken::class)) {
             throw new LogicException('CSRF support cannot be enabled as the Security CSRF component is not installed. Try running "composer require symfony/security-csrf".');
         }
-
-        if (!$this->isInitializedConfigEnabled('session')) {
+        if (!$config['stateless_token_ids'] && !$this->isInitializedConfigEnabled('session')) {
             throw new \LogicException('CSRF protection needs sessions to be enabled.');
         }
 
@@ -1826,6 +1829,24 @@ private function registerSecurityCsrfConfiguration(array $config, ContainerBuild
         if (!class_exists(CsrfExtension::class)) {
             $container->removeDefinition('twig.extension.security_csrf');
         }
+
+        if (!$config['stateless_token_ids']) {
+            $container->removeDefinition('security.csrf.same_origin_token_manager');
+
+            return;
+        }
+
+        $container->getDefinition('security.csrf.same_origin_token_manager')
+            ->replaceArgument(3, $config['stateless_token_ids'])
+            ->replaceArgument(4, $config['check_header'])
+            ->replaceArgument(5, $config['cookie_name']);
+
+        if (!$this->isInitializedConfigEnabled('session')) {
+            $container->setAlias('security.csrf.token_manager', 'security.csrf.same_origin_token_manager');
+            $container->getDefinition('security.csrf.same_origin_token_manager')
+                ->setDecoratedService(null)
+                ->replaceArgument(2, null);
+        }
     }
 
     private function registerSerializerConfiguration(array $config, ContainerBuilder $container, PhpFileLoader $loader): void
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/form_csrf.php b/src/Symfony/Bundle/FrameworkBundle/Resources/config/form_csrf.php
@@ -23,6 +23,8 @@
                 service('translator')->nullOnInvalid(),
                 param('validator.translation_domain'),
                 service('form.server_params'),
+                param('form.type_extension.csrf.field_attr'),
+                abstract_arg('framework.form.csrf_protection.token_id'),
             ])
             ->tag('form.type_extension')
     ;
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/schema/symfony-1.0.xsd b/src/Symfony/Bundle/FrameworkBundle/Resources/config/schema/symfony-1.0.xsd
@@ -71,12 +71,25 @@
     </xsd:complexType>
 
     <xsd:complexType name="form_csrf_protection">
+        <xsd:sequence>
+            <xsd:element name="field-attr" type="field_attr" minOccurs="0" maxOccurs="unbounded" />
+        </xsd:sequence>
         <xsd:attribute name="enabled" type="xsd:boolean" />
+        <xsd:attribute name="token-id" type="xsd:string" />
         <xsd:attribute name="field-name" type="xsd:string" />
     </xsd:complexType>
 
+    <xsd:complexType name="field_attr">
+        <xsd:attribute name="name" type="xsd:string" use="required"/>
+    </xsd:complexType>
+
     <xsd:complexType name="csrf_protection">
+        <xsd:sequence>
+            <xsd:element name="stateless-token-id" type="xsd:string" minOccurs="0" maxOccurs="unbounded" />
+        </xsd:sequence>
         <xsd:attribute name="enabled" type="xsd:boolean" />
+        <xsd:attribute name="check-header" type="xsd:string" />
+        <xsd:attribute name="cookie-name" type="xsd:string" />
     </xsd:complexType>
 
     <xsd:complexType name="esi">
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/security_csrf.php b/src/Symfony/Bundle/FrameworkBundle/Resources/config/security_csrf.php
@@ -15,6 +15,7 @@
 use Symfony\Bridge\Twig\Extension\CsrfRuntime;
 use Symfony\Component\Security\Csrf\CsrfTokenManager;
 use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
+use Symfony\Component\Security\Csrf\SameOriginCsrfTokenManager;
 use Symfony\Component\Security\Csrf\TokenGenerator\TokenGeneratorInterface;
 use Symfony\Component\Security\Csrf\TokenGenerator\UriSafeTokenGenerator;
 use Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage;
@@ -46,5 +47,18 @@
 
         ->set('twig.extension.security_csrf', CsrfExtension::class)
             ->tag('twig.extension')
+
+        ->set('security.csrf.same_origin_token_manager', SameOriginCsrfTokenManager::class)
+            ->decorate('security.csrf.token_manager')
+            ->args([
+                service('request_stack'),
+                service('logger')->nullOnInvalid(),
+                service('.inner'),
+                abstract_arg('framework.csrf_protection.stateless_token_ids'),
+                abstract_arg('framework.csrf_protection.check_header'),
+                abstract_arg('framework.csrf_protection.cookie_name'),
+            ])
+            ->tag('monolog.logger', ['channel' => 'request'])
+            ->tag('kernel.event_listener', ['event' => 'kernel.response', 'method' => 'onKernelResponse'])
     ;
 };
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php
@@ -715,13 +715,18 @@ protected static function getBundleDefaultConfig()
             'trusted_proxies' => ['%env(default::SYMFONY_TRUSTED_PROXIES)%'],
             'trusted_headers' => ['%env(default::SYMFONY_TRUSTED_HEADERS)%'],
             'csrf_protection' => [
-                'enabled' => false,
+                'enabled' => null,
+                'cookie_name' => 'csrf-token',
+                'check_header' => false,
+                'stateless_token_ids' => [],
             ],
             'form' => [
                 'enabled' => !class_exists(FullStack::class),
                 'csrf_protection' => [
                     'enabled' => null, // defaults to csrf_protection.enabled
                     'field_name' => '_token',
+                    'field_attr' => ['data-controller' => 'csrf-protection'],
+                    'token_id' => null,
                 ],
             ],
             'esi' => ['enabled' => false],
diff --git a/src/Symfony/Bundle/FrameworkBundle/composer.json b/src/Symfony/Bundle/FrameworkBundle/composer.json
@@ -96,7 +96,7 @@
         "symfony/runtime": "<6.4.13|>=7.0,<7.1.6",
         "symfony/scheduler": "<6.4.4|>=7.0.0,<7.0.4",
         "symfony/serializer": "<6.4",
-        "symfony/security-csrf": "<6.4",
+        "symfony/security-csrf": "<7.2",
         "symfony/security-core": "<6.4",
         "symfony/stopwatch": "<6.4",
         "symfony/translation": "<6.4",
diff --git a/src/Symfony/Component/Form/Extension/Csrf/Type/FormTypeCsrfExtension.php b/src/Symfony/Component/Form/Extension/Csrf/Type/FormTypeCsrfExtension.php
@@ -19,6 +19,7 @@
 use Symfony\Component\Form\FormInterface;
 use Symfony\Component\Form\FormView;
 use Symfony\Component\Form\Util\ServerParams;
+use Symfony\Component\OptionsResolver\Options;
 use Symfony\Component\OptionsResolver\OptionsResolver;
 use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Contracts\Translation\TranslatorInterface;
@@ -35,6 +36,8 @@ public function __construct(
         private ?TranslatorInterface $translator = null,
         private ?string $translationDomain = null,
         private ?ServerParams $serverParams = null,
+        private array $fieldAttr = [],
+        private ?string $defaultTokenId = null,
     ) {
     }
 
@@ -73,6 +76,7 @@ public function finishView(FormView $view, FormInterface $form, array $options):
             $csrfForm = $factory->createNamed($options['csrf_field_name'], HiddenType::class, $data, [
                 'block_prefix' => 'csrf_token',
                 'mapped' => false,
+                'attr' => $this->fieldAttr + ['autocomplete' => 'off'],
             ]);
 
             $view->children[$options['csrf_field_name']] = $csrfForm->createView($view);
@@ -81,13 +85,24 @@ public function finishView(FormView $view, FormInterface $form, array $options):
 
     public function configureOptions(OptionsResolver $resolver): void
     {
+        if ($defaultTokenId = $this->defaultTokenId) {
+            $defaultTokenManager = $this->defaultTokenManager;
+            $defaultTokenId = static fn (Options $options) => $options['csrf_token_manager'] === $defaultTokenManager ? $defaultTokenId : null;
+        }
+
         $resolver->setDefaults([
             'csrf_protection' => $this->defaultEnabled,
             'csrf_field_name' => $this->defaultFieldName,
             'csrf_message' => 'The CSRF token is invalid. Please try to resubmit the form.',
             'csrf_token_manager' => $this->defaultTokenManager,
-            'csrf_token_id' => null,
+            'csrf_token_id' => $defaultTokenId,
         ]);
+
+        $resolver->setAllowedTypes('csrf_protection', 'bool');
+        $resolver->setAllowedTypes('csrf_field_name', 'string');
+        $resolver->setAllowedTypes('csrf_message', 'string');
+        $resolver->setAllowedTypes('csrf_token_manager', CsrfTokenManagerInterface::class);
+        $resolver->setAllowedTypes('csrf_token_id', ['null', 'string']);
     }
 
     public static function getExtendedTypes(): iterable
diff --git a/src/Symfony/Component/Security/Csrf/CHANGELOG.md b/src/Symfony/Component/Security/Csrf/CHANGELOG.md
@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+7.2
+---
+
+ * Add `SameOriginCsrfTokenManager`
+
 6.0
 ---
 
diff --git a/src/Symfony/Component/Security/Csrf/SameOriginCsrfTokenManager.php b/src/Symfony/Component/Security/Csrf/SameOriginCsrfTokenManager.php
diff --git a/src/Symfony/Component/Security/Csrf/Tests/SameOriginCsrfTokenManagerTest.php b/src/Symfony/Component/Security/Csrf/Tests/SameOriginCsrfTokenManagerTest.php
diff --git a/src/Symfony/Component/Security/Csrf/composer.json b/src/Symfony/Component/Security/Csrf/composer.json

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,8 @@`
`23`	`23`	`service('translator')->nullOnInvalid(),`
`24`	`24`	`param('validator.translation_domain'),`
`25`	`25`	`service('form.server_params'),`
	`26`	`+ param('form.type_extension.csrf.field_attr'),`
	`27`	`+ abstract_arg('framework.form.csrf_protection.token_id'),`
`26`	`28`	`])`
`27`	`29`	`->tag('form.type_extension')`
`28`	`30`	`;`