PHRAS-3857 : Check CSRF token on account (#4556)

* fix csrf account * fix * csrf new application * fix
alchemy-fr · Oct 23, 2024 · 59342a6 · 59342a6
1 parent 8f84487
commit 59342a6
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 3 deletions.
diff --git a/lib/Alchemy/Phrasea/Controller/Root/AccountController.php b/lib/Alchemy/Phrasea/Controller/Root/AccountController.php
@@ -318,6 +318,8 @@ public function displayAccount()
 
         $initiatedValidations = $this->getBasketRepository()->findby(['vote_initiator' => $user, ]);
 
+        $this->setSessionFormToken('userAccount');
+
         return $this->render('account/account.html.twig', [
             'user'                  => $user,
             'evt_mngr'              => $manager,
@@ -417,6 +419,10 @@ public function confirmDeleteAccount(Request $request)
      */
     public function updateAccount(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'userAccount')) {
+            return new Response('invalid crsf token form', 403);
+        }
+
         $registrations = $request->request->get('registrations', []);
 
         if (false === is_array($registrations)) {

diff --git a/lib/Alchemy/Phrasea/Controller/Root/DeveloperController.php b/lib/Alchemy/Phrasea/Controller/Root/DeveloperController.php
@@ -171,6 +171,10 @@ public function authorizeGrantPassword(Request $request, ApiApplication $applica
      */
     public function newApp(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'newApplication')) {
+            return new Response('invalid crsf token form', 403);
+        }
+
         if ($request->request->get('type') === ApiApplication::DESKTOP_TYPE) {
             $form = new \API_OAuth2_Form_DevAppDesktop($request);
         } else {
@@ -223,6 +227,8 @@ public function listApps()
      */
     public function displayFormApp(Request $request)
     {
+        $this->setSessionFormToken('newApplication');
+
         return $this->render('developers/application_form.html.twig', [
             "violations" => null,
             'form'       => null,

diff --git a/templates/web/account/account.html.twig b/templates/web/account/account.html.twig
@@ -293,6 +293,7 @@
 
                     </div>
                 </div>
+                <input type="hidden" name="userAccount_token" value="{{ app['session'].get('userAccount_token') }}">
             </form>
         </div>
     </div>

diff --git a/templates/web/developers/application_form.html.twig b/templates/web/developers/application_form.html.twig
@@ -123,5 +123,6 @@
         </div>
 
     </div>
+    <input type="hidden" name="newApplication_token" value="{{ app['session'].get('newApplication_token') }}">
   </form>
 {% endblock %}
diff --git a/tests/Alchemy/Tests/Phrasea/Controller/Root/AccountTest.php b/tests/Alchemy/Tests/Phrasea/Controller/Root/AccountTest.php
@@ -384,6 +384,7 @@ public function testUpdateAccount()
         $app = $this->getApplication();
         $client = $this->getClient();
         $bases = $notifs = [];
+        $randomValue = $this->setSessionFormToken('userAccount');
 
         foreach ($app->getDataboxes() as $databox) {
             foreach ($databox->get_collections() as $collection) {
@@ -424,7 +425,8 @@ public function testUpdateAccount()
             'form_retryFTP'        => '',
             'notifications'        => $notifs,
             'form_defaultdataFTP'  => ['document', 'preview', 'caption'],
-            'mail_notifications' => '1'
+            'mail_notifications' => '1',
+            'userAccount_token'    => $randomValue
         ]);
 
         $response = $client->getResponse();

diff --git a/tests/Alchemy/Tests/Phrasea/Controller/Root/DevelopersTest.php b/tests/Alchemy/Tests/Phrasea/Controller/Root/DevelopersTest.php
@@ -39,14 +39,17 @@ public function testDisplayformApp()
      */
     public function testPostNewAppInvalidArguments()
     {
+        $randomValue = $this->setSessionFormToken('newApplication');
+
         $crawler = self::$DI['client']->request('POST', '/developers/application/', [
             'type'            => ApiApplication::WEB_TYPE,
             'name'            => '',
             'description'     => 'okok',
             'website'         => 'my.website.com',
             'callback'        => 'my.callback.com',
             'scheme-website'  => 'http://',
-            'scheme-callback' => 'http://'
+            'scheme-callback' => 'http://',
+            'newApplication_token' => $randomValue
             ]);
 
         $this->assertTrue(self::$DI['client']->getResponse()->isOk());
@@ -63,6 +66,7 @@ public function testPostNewApp()
     {
         $apps = self::$DI['app']['repo.api-applications']->findByCreator(self::$DI['user']);
         $nbApp = count($apps);
+        $randomValue = $this->setSessionFormToken('newApplication');
 
         self::$DI['client']->request('POST', '/developers/application/', [
             'type'            => ApiApplication::WEB_TYPE,
@@ -71,7 +75,8 @@ public function testPostNewApp()
             'website'         => 'my.website.com',
             'callback'        => 'my.callback.com',
             'scheme-website'  => 'http://',
-            'scheme-callback' => 'http://'
+            'scheme-callback' => 'http://',
+            'newApplication_token' => $randomValue
         ]);
 
         $apps = self::$DI['app']['repo.api-applications']->findByCreator(self::$DI['user']);