Only allow requesting new CSRF tokens if it passes the SameSite Cookie test

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Roeland Jago Douma 2020-01-03 13:08:37 +01:00
parent 7976cb7e94
commit da81b71f93
GPG Key ID: F941078878347C0C
2 changed files with 17 additions and 1 deletions


@ -28,6 +28,7 @@ namespace OC\Core\Controller;
use OC\Security\CSRF\CsrfTokenManager; use OC\Security\CSRF\CsrfTokenManager;
use OCP\AppFramework\Controller; use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\JSONResponse; use OCP\AppFramework\Http\JSONResponse;
use OCP\IRequest; use OCP\IRequest;
@ -54,6 +55,10 @@ class CSRFTokenController extends Controller {
* @return JSONResponse * @return JSONResponse
*/ */
public function index(): JSONResponse { public function index(): JSONResponse {
if (!$this->request->passesStrictCookieCheck()) {
return new JSONResponse([], Http::STATUS_FORBIDDEN);
}
$requestToken = $this->tokenManager->getToken(); $requestToken = $this->tokenManager->getToken();
return new JSONResponse([ return new JSONResponse([
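Review bot: The new guard in index() rejects the request with a bare 403 but says nothing about why a token endpoint needs a SameSite cookie check, and the method's docblock still documents only the success response. A one-line why-comment above the check would spare the next maintainer from weakening it: `// Only mint a token for requests that arrived with the strict SameSite cookies; a request that fails this check may originate from another site and must not receive a token.` The docblock above should also record the new outcome, e.g. `@return JSONResponse the token on success, or an empty 403 response when the strict cookie check fails`. The body of index() continues beyond the end of this hunk.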


@ -54,7 +54,9 @@ class CSRFTokenControllerTest extends TestCase {
$this->tokenManager); $this->tokenManager);
} }
public function testGetToken() { public function testGetToken(): void {
$this->request->method('passesStrictCookieCheck')->willReturn(true);
$token = $this->createMock(CsrfToken::class); $token = $this->createMock(CsrfToken::class);
$this->tokenManager->method('getToken')->willReturn($token); $this->tokenManager->method('getToken')->willReturn($token);
$token->method('getEncryptedValue')->willReturn('toktok123'); $token->method('getEncryptedValue')->willReturn('toktok123');
@ -68,4 +70,13 @@ class CSRFTokenControllerTest extends TestCase {
], $response->getData()); ], $response->getData());
} }
public function testGetTokenNoStrictSameSiteCookie(): void {
$this->request->method('passesStrictCookieCheck')->willReturn(false);
$response = $this->controller->index();
$this->assertInstanceOf(JSONResponse::class, $response);
$this->assertSame(Http::STATUS_FORBIDDEN, $response->getStatus());
}
} }
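Review bot: testGetTokenNoStrictSameSiteCookie checks only the response type and status, so it would still pass if a future change minted a token before returning 403; the security property being tested is that no token is produced on the rejected path. Pin that by adding `$this->tokenManager->expects($this->never())->method('getToken');` before calling `$this->controller->index()`, and consider asserting `$this->assertSame([], $response->getData());` so the body stays empty. In the earlier hunk, testGetToken is changed to declare `: void` while the neighbouring setUp/test methods shown are not, so the typing is inconsistent within the class; testGetToken's body continues outside that hunk.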