bug #42621 [Security] Don't produce TypeErrors for non-string CSRF tokens (derrabus)

fabpot · fabpot · commit c2172c268b6b · 2021-08-18T12:47:09.000+02:00
This PR was merged into the 4.4 branch. Discussion ---------- [Security] Don't produce TypeErrors for non-string CSRF tokens | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #42614 | License | MIT | Doc PR | N/A Commits ------- 45e0f52 Don't produce TypeErrors for non-string CSRF tokens
diff --git a/src/Symfony/Component/Security/Http/Firewall/LogoutListener.php b/src/Symfony/Component/Security/Http/Firewall/LogoutListener.php
@@ -87,7 +87,7 @@ public function authenticate(RequestEvent $event)
         if (null !== $this->csrfTokenManager) {
             $csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);
 
-            if (false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {
+            if (!\is_string($csrfToken) || false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {
                 throw new LogoutException('Invalid CSRF token.');
             }
         }
diff --git a/src/Symfony/Component/Security/Http/Firewall/SimpleFormAuthenticationListener.php b/src/Symfony/Component/Security/Http/Firewall/SimpleFormAuthenticationListener.php
@@ -84,7 +84,7 @@ protected function attemptAuthentication(Request $request)
         if (null !== $this->csrfTokenManager) {
             $csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);
 
-            if (false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {
+            if (!\is_string($csrfToken) || false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {
                 throw new InvalidCsrfTokenException('Invalid CSRF token.');
             }
         }
diff --git a/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php b/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php
@@ -72,7 +72,7 @@ protected function attemptAuthentication(Request $request)
         if (null !== $this->csrfTokenManager) {
             $csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);
 
-            if (false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {
+            if (!\is_string($csrfToken) || false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {
                 throw new InvalidCsrfTokenException('Invalid CSRF token.');
             }
         }
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/LogoutListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/LogoutListenerTest.php
@@ -152,28 +152,42 @@ public function testSuccessHandlerReturnsNonResponse()
         $listener($event);
     }
 
-    public function testCsrfValidationFails()
+    /**
+     * @dataProvider provideInvalidCsrfTokens
+     */
+    public function testCsrfValidationFails($invalidToken)
     {
         $this->expectException(LogoutException::class);
         $tokenManager = $this->getTokenManager();
 
         [$listener, , $httpUtils, $options] = $this->getListener(null, $tokenManager);
 
         $request = new Request();
-        $request->query->set('_csrf_token', 'token');
+        if (null !== $invalidToken) {
+            $request->query->set('_csrf_token', $invalidToken);
+        }
 
         $httpUtils->expects($this->once())
             ->method('checkRequestPath')
             ->with($request, $options['logout_path'])
             ->willReturn(true);
 
-        $tokenManager->expects($this->once())
+        $tokenManager
             ->method('isTokenValid')
             ->willReturn(false);
 
         $listener(new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MASTER_REQUEST));
     }
 
+    public function provideInvalidCsrfTokens(): array
+    {
+        return [
+            ['invalid'],
+            [['in' => 'valid']],
+            [null],
+        ];
+    }
+
     private function getTokenManager()
     {
         return $this->createMock(CsrfTokenManagerInterface::class);
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/UsernamePasswordFormAuthenticationListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/UsernamePasswordFormAuthenticationListenerTest.php
@@ -24,6 +24,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Security;
+use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
 use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationFailureHandler;
 use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationSuccessHandler;
@@ -37,7 +38,7 @@ class UsernamePasswordFormAuthenticationListenerTest extends TestCase
     /**
      * @dataProvider getUsernameForLength
      */
-    public function testHandleWhenUsernameLength($username, $ok)
+    public function testHandleWhenUsernameLength(string $username, bool $ok)
     {
         $request = Request::create('/login_check', 'POST', ['_username' => $username]);
         $request->setSession($this->createMock(SessionInterface::class));
@@ -84,10 +85,8 @@ public function testHandleWhenUsernameLength($username, $ok)
     /**
      * @dataProvider postOnlyDataProvider
      */
-    public function testHandleNonStringUsernameWithArray($postOnly)
+    public function testHandleNonStringUsernameWithArray(bool $postOnly)
     {
-        $this->expectException(BadRequestHttpException::class);
-        $this->expectExceptionMessage('The key "_username" must be a string, "array" given.');
         $request = Request::create('/login_check', 'POST', ['_username' => []]);
         $request->setSession($this->createMock(SessionInterface::class));
         $listener = new UsernamePasswordFormAuthenticationListener(
@@ -101,16 +100,18 @@ public function testHandleNonStringUsernameWithArray($postOnly)
             ['require_previous_session' => false, 'post_only' => $postOnly]
         );
         $event = new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MASTER_REQUEST);
+
+        $this->expectException(BadRequestHttpException::class);
+        $this->expectExceptionMessage('The key "_username" must be a string, "array" given.');
+
         $listener($event);
     }
 
     /**
      * @dataProvider postOnlyDataProvider
      */
-    public function testHandleNonStringUsernameWithInt($postOnly)
+    public function testHandleNonStringUsernameWithInt(bool $postOnly)
     {
-        $this->expectException(BadRequestHttpException::class);
-        $this->expectExceptionMessage('The key "_username" must be a string, "integer" given.');
         $request = Request::create('/login_check', 'POST', ['_username' => 42]);
         $request->setSession($this->createMock(SessionInterface::class));
         $listener = new UsernamePasswordFormAuthenticationListener(
@@ -124,16 +125,18 @@ public function testHandleNonStringUsernameWithInt($postOnly)
             ['require_previous_session' => false, 'post_only' => $postOnly]
         );
         $event = new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MASTER_REQUEST);
+
+        $this->expectException(BadRequestHttpException::class);
+        $this->expectExceptionMessage('The key "_username" must be a string, "integer" given.');
+
         $listener($event);
     }
 
     /**
      * @dataProvider postOnlyDataProvider
      */
-    public function testHandleNonStringUsernameWithObject($postOnly)
+    public function testHandleNonStringUsernameWithObject(bool $postOnly)
     {
-        $this->expectException(BadRequestHttpException::class);
-        $this->expectExceptionMessage('The key "_username" must be a string, "object" given.');
         $request = Request::create('/login_check', 'POST', ['_username' => new \stdClass()]);
         $request->setSession($this->createMock(SessionInterface::class));
         $listener = new UsernamePasswordFormAuthenticationListener(
@@ -147,13 +150,17 @@ public function testHandleNonStringUsernameWithObject($postOnly)
             ['require_previous_session' => false, 'post_only' => $postOnly]
         );
         $event = new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MASTER_REQUEST);
+
+        $this->expectException(BadRequestHttpException::class);
+        $this->expectExceptionMessage('The key "_username" must be a string, "object" given.');
+
         $listener($event);
     }
 
     /**
      * @dataProvider postOnlyDataProvider
      */
-    public function testHandleNonStringUsernameWith__toString($postOnly)
+    public function testHandleNonStringUsernameWith__toString(bool $postOnly)
     {
         $usernameClass = $this->createMock(DummyUserClass::class);
         $usernameClass
@@ -177,21 +184,86 @@ public function testHandleNonStringUsernameWith__toString($postOnly)
         $listener($event);
     }
 
-    public function postOnlyDataProvider()
+    /**
+     * @dataProvider provideInvalidCsrfTokens
+     */
+    public function testInvalidCsrfToken($invalidToken)
+    {
+        $formBody = ['_username' => 'fabien', '_password' => 'symfony'];
+        if (null !== $invalidToken) {
+            $formBody['_csrf_token'] = $invalidToken;
+        }
+
+        $request = Request::create('/login_check', 'POST', $formBody);
+        $request->setSession($this->createMock(SessionInterface::class));
+
+        $httpUtils = $this->createMock(HttpUtils::class);
+        $httpUtils
+            ->method('checkRequestPath')
+            ->willReturn(true)
+        ;
+        $httpUtils
+            ->method('createRedirectResponse')
+            ->willReturn(new RedirectResponse('/hello'))
+        ;
+
+        $failureHandler = $this->createMock(AuthenticationFailureHandlerInterface::class);
+        $failureHandler
+            ->expects($this->once())
+            ->method('onAuthenticationFailure')
+            ->willReturn(new Response())
+        ;
+
+        $authenticationManager = $this->createMock(AuthenticationProviderManager::class);
+        $authenticationManager
+            ->expects($this->never())
+            ->method('authenticate')
+        ;
+
+        $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
+        $csrfTokenManager->method('isTokenValid')->willReturn(false);
+
+        $listener = new UsernamePasswordFormAuthenticationListener(
+            $this->createMock(TokenStorageInterface::class),
+            $authenticationManager,
+            $this->createMock(SessionAuthenticationStrategyInterface::class),
+            $httpUtils,
+            'TheProviderKey',
+            new DefaultAuthenticationSuccessHandler($httpUtils),
+            $failureHandler,
+            ['require_previous_session' => false],
+            null,
+            null,
+            $csrfTokenManager
+        );
+
+        $listener(new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MASTER_REQUEST));
+    }
+
+    public function postOnlyDataProvider(): array
     {
         return [
             [true],
             [false],
         ];
     }
 
-    public function getUsernameForLength()
+    public function getUsernameForLength(): array
     {
         return [
             [str_repeat('x', Security::MAX_USERNAME_LENGTH + 1), false],
             [str_repeat('x', Security::MAX_USERNAME_LENGTH - 1), true],
         ];
     }
+
+    public function provideInvalidCsrfTokens(): array
+    {
+        return [
+            ['invalid'],
+            [['in' => 'valid']],
+            [null],
+        ];
+    }
 }
 
 class DummyUserClass

Original file line number	Diff line number	Diff line change
`@@ -87,7 +87,7 @@ public function authenticate(RequestEvent $event)`
`87`	`87`	`if (null !== $this->csrfTokenManager) {`
`88`	`88`	`$csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);`
`89`	`89`
`90`		`- if (false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {`
	`90`	`+ if (!\is_string($csrfToken) \|\| false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {`
`91`	`91`	`throw new LogoutException('Invalid CSRF token.');`
`92`	`92`	`}`
`93`	`93`	`}`
Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ protected function attemptAuthentication(Request $request)`
`84`	`84`	`if (null !== $this->csrfTokenManager) {`
`85`	`85`	`$csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);`
`86`	`86`
`87`		`- if (false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {`
	`87`	`+ if (!\is_string($csrfToken) \|\| false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {`
`88`	`88`	`throw new InvalidCsrfTokenException('Invalid CSRF token.');`
`89`	`89`	`}`
`90`	`90`	`}`
Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ protected function attemptAuthentication(Request $request)`
`72`	`72`	`if (null !== $this->csrfTokenManager) {`
`73`	`73`	`$csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);`
`74`	`74`
`75`		`- if (false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {`
	`75`	`+ if (!\is_string($csrfToken) \|\| false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {`
`76`	`76`	`throw new InvalidCsrfTokenException('Invalid CSRF token.');`
`77`	`77`	`}`
`78`	`78`	`}`