From a94fe8208b835cae4c258ddae80a58372ee5946d Mon Sep 17 00:00:00 2001
From: eltharin
Date: Fri, 21 Jun 2024 18:44:40 +0200
Subject: [PATCH] [Security] check token in payload instead just request
---
 .../IsCsrfTokenValidAttributeListener.php | 2 +-
 .../IsCsrfTokenValidAttributeListenerTest.php | 22 +++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/src/Symfony/Component/Security/Http/EventListener/IsCsrfTokenValidAttributeListener.php b/src/Symfony/Component/Security/Http/EventListener/IsCsrfTokenValidAttributeListener.php
index 269c37709b547..3e05c71dbbcd5 100644
--- a/src/Symfony/Component/Security/Http/EventListener/IsCsrfTokenValidAttributeListener.php
+++ b/src/Symfony/Component/Security/Http/EventListener/IsCsrfTokenValidAttributeListener.php
@@ -46,7 +46,7 @@ public function onKernelControllerArguments(ControllerArgumentsEvent $event): vo
 foreach ($attributes as $attribute) {
 $id = $this->getTokenId($attribute->id, $request, $arguments);
- if (!$this->csrfTokenManager->isTokenValid(new CsrfToken($id, $request->request->getString($attribute->tokenKey)))) {
+ if (!$this->csrfTokenManager->isTokenValid(new CsrfToken($id, $request->getPayload()->getString($attribute->tokenKey)))) {
 throw new InvalidCsrfTokenException('Invalid CSRF token.');
 }
 }
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/IsCsrfTokenValidAttributeListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/IsCsrfTokenValidAttributeListenerTest.php
index cbbdc3b15fe62..00d464a6c69da 100644
--- a/src/Symfony/Component/Security/Http/Tests/EventListener/IsCsrfTokenValidAttributeListenerTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/EventListener/IsCsrfTokenValidAttributeListenerTest.php
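Review bot: `$request->getPayload()` is now evaluated inside the `foreach` on the changed line, so a controller carrying several `#[IsCsrfTokenValid]` attributes re-reads the body once per attribute; as far as I recall `getPayload()` only short-circuits to the `request` bag when that bag is non-empty and otherwise decodes the JSON content again on every call, so it is cheaper and clearer to hoist `$payload = $request->getPayload();` above the loop and build `new CsrfToken($id, $payload->getString($attribute->tokenKey))`. The new fallback semantics also deserve a line on the attribute's docblock and a CHANGELOG entry for the component, since behaviour now differs for JSON requests; something like `// Token is read from the form body, or from the JSON body when the form bag is empty; a missing or undecodable body resolves to '' and the check fails closed.` (confirm the undecodable-body case against `Request::getPayload()`). The enclosing `onKernelControllerArguments()` starts and ends outside this hunk.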
@@ -88,6 +88,28 @@ public function testIsCsrfTokenValidCalledCorrectly()
 $listener->onKernelControllerArguments($event);
 }
+ public function testIsCsrfTokenValidCalledCorrectlyInPayload()
+ {
+ $request = new Request(server: ['headers' => ['content-type' => 'application/json']], content: json_encode(['_token' => 'bar']));
+
+ $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
+ $csrfTokenManager->expects($this->once())
+ ->method('isTokenValid')
+ ->with(new CsrfToken('foo', 'bar'))
+ ->willReturn(true);
+
+ $event = new ControllerArgumentsEvent(
+ $this->createMock(HttpKernelInterface::class),
+ [new IsCsrfTokenValidAttributeMethodsController(), 'withDefaultTokenKey'],
+ [],
+ $request,
+ null
+ );
+
+ $listener = new IsCsrfTokenValidAttributeListener($csrfTokenManager);
+ $listener->onKernelControllerArguments($event);
+ }
+
 public function testIsCsrfTokenValidCalledCorrectlyWithCustomExpressionId()
 {
 $request = new Request(query: ['id' => '123'], request: ['_token' => 'bar']);
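Review bot: The `server:` array in the new `testIsCsrfTokenValidCalledCorrectlyInPayload` never sets a Content-Type header: `Request` derives headers from `$_SERVER`-style keys (see `ServerBag::getHeaders()`), so the form is `server: ['CONTENT_TYPE' => 'application/json']` and the `['headers' => [...]]` key is silently ignored. The test still passes only because `getPayload()` does not consult the content type when the `request` bag is empty, so the fixture documents an assumption the code does not enforce; fixing the key keeps the test meaningful if that ever changes. A negative case is also missing: a JSON body whose `_token` is absent or wrong should reach `InvalidCsrfTokenException` (`$this->expectException(InvalidCsrfTokenException::class);` before the call), and a case where both the form bag and the JSON body carry a token would pin which source wins.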