use StringUtils for csrf filter. add tests

anlutro · Nov 14, 2014 · b74d395 · b74d395
1 parent 822d505
commit b74d395
Show file tree

Hide file tree

Showing 2 changed files with 71 additions and 1 deletion.
diff --git a/src/Web/Filters/CsrfFilter.php b/src/Web/Filters/CsrfFilter.php
@@ -13,6 +13,7 @@
 use Illuminate\Routing\Route;
 use Illuminate\Session\Store;
 use Illuminate\Session\TokenMismatchException;
+use Symfony\Component\Security\Core\Util\StringUtils;
 
 class CsrfFilter
 {
@@ -27,7 +28,7 @@ public function __construct(Store $session, $regenerate = true)
 
 	public function filter(Route $route, Request $request)
 	{
-		if ($this->session->token() != $request->input('_token')) {
+		if (!StringUtils::equals($this->session->token(), $request->input('_token'))) {
 			throw new TokenMismatchException;
 		}
 

diff --git a/tests/Web/Filters/CsrfFilterTest.php b/tests/Web/Filters/CsrfFilterTest.php
@@ -0,0 +1,69 @@
+<?php
+
+use Mockery as m;
+use Illuminate\Http\Request;
+
+class CsrfFilterTest extends PHPUnit_Framework_TestCase
+{
+	public function tearDown()
+	{
+		m::close();
+	}
+
+	public function makeFilter($session, $regenerate)
+	{
+		return new \anlutro\Core\Web\Filters\CsrfFilter($session, $regenerate);
+	}
+
+	public function mockSession()
+	{
+		return m::mock('Illuminate\Session\Store');
+	}
+
+	public function mockRoute()
+	{
+		return m::mock('Illuminate\Routing\Route');
+	}
+
+	/**
+	 * @test
+	 * @dataProvider getTokenData
+	 */
+	public function throwsExceptionWhenTokensAreNotEqual($throws, $input, $sessionToken)
+	{
+		$route = $this->mockRoute();
+		$request = Request::create('/', 'POST', ['_token' => $input]);
+		$session = $this->mockSession();
+		$session->shouldReceive('token')->andReturn($sessionToken);
+		$filter = $this->makeFilter($session, false);
+		if ($throws) {
+			$this->setExpectedException('Illuminate\Session\TokenMismatchException');
+		}
+		$filter->filter($route, $request);
+	}
+
+	public function getTokenData()
+	{
+		return [
+			[true, 'foo', 'bar'],
+			[true, '', 'bar'],
+			[true, '', '0asdf'],
+			[true, 0, '0asdf'],
+			[true, 0, 'foo'],
+			[true, 1, '1asdf'],
+			[false, '0asdf', '0asdf'],
+		];
+	}
+
+	/** @test */
+	public function regeneratesTokenWhenConfigured()
+	{
+		$route = $this->mockRoute();
+		$request = Request::create('/', 'POST', ['_token' => 'asdf']);
+		$session = $this->mockSession();
+		$session->shouldReceive('token')->andReturn('asdf');
+		$session->shouldReceive('regenerateToken')->once();
+		$filter = $this->makeFilter($session, true);
+		$filter->filter($route, $request);
+	}
+}