Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor: CSRF protection #6320

Merged
merged 8 commits into from
Aug 1, 2022
Merged

refactor: CSRF protection #6320

Changes from 1 commit
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
898c756
test: add tests for Token Randomization in Cookie CSRF
kenjis Jul 31, 2022
4466c88
test: fix setUp()
kenjis Jul 31, 2022
333290d
refactor: remove $_COOKIE
kenjis Jul 31, 2022
06f4ceb
refactor: move `if`
kenjis Jul 31, 2022
e056312
refactor: extract restoreHash() method
kenjis Jul 31, 2022
0184261
refactor: generateHash() always generate new hash
kenjis Jul 31, 2022
f4c1fa4
refactor: extract removeTokenInRequest() method
kenjis Jul 31, 2022
2b890fe
docs: add doc comments
kenjis Jul 31, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
test: add tests for Token Randomization in Cookie CSRF
  • Loading branch information
@kenjis
kenjis committed Jul 31, 2022
commit 898c756f0754ba18b4113849277d0faa03a6cc11
88 changes: 88 additions & 0 deletions tests/system/Security/SecurityCSRFCookieRandomizeTokenTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
<?php

/**
* This file is part of CodeIgniter 4 framework.
*
* (c) CodeIgniter Foundation <admin@codeigniter.com>
*
* For the full copyright and license information, please view
* the LICENSE file that was distributed with this source code.
*/

namespace CodeIgniter\Security;

use CodeIgniter\Config\Factories;
use CodeIgniter\Cookie\Cookie;
use CodeIgniter\HTTP\IncomingRequest;
use CodeIgniter\HTTP\URI;
use CodeIgniter\HTTP\UserAgent;
use CodeIgniter\Test\CIUnitTestCase;
use CodeIgniter\Test\Mock\MockAppConfig;
use CodeIgniter\Test\Mock\MockSecurity;
use Config\Security as SecurityConfig;

/**
* @internal
*/
final class SecurityCSRFCookieRandomizeTokenTest extends CIUnitTestCase
{
/**
* @var string CSRF protection hash
*/
private string $hash = '8b9218a55906f9dcc1dc263dce7f005a';

/**
* @var string CSRF randomized token
*/
private string $randomizedToken = '8bc70b67c91494e815c7d2219c1ae0ab005513c290126d34d41bf41c5265e0f1';

protected function setUp(): void
{
parent::setUp();

$_COOKIE = [];

$config = new SecurityConfig();
$config->csrfProtection = Security::CSRF_PROTECTION_COOKIE;
$config->tokenRandomize = true;
Factories::injectMock('config', 'Security', $config);

// Set Cookie value
$security = new MockSecurity(new MockAppConfig());
$_COOKIE[$security->getCookieName()] = $this->hash;

$this->resetServices();
}

public function testTokenIsReadFromCookie()
{
$security = new MockSecurity(new MockAppConfig());

$this->assertSame(
$this->randomizedToken,
$security->getHash()
);
}

public function testCSRFVerifySetNewCookie()
{
$_SERVER['REQUEST_METHOD'] = 'POST';
$_POST['foo'] = 'bar';
$_POST['csrf_test_name'] = $this->randomizedToken;

$request = new IncomingRequest(new MockAppConfig(), new URI('http://badurl.com'), null, new UserAgent());

$security = new Security(new MockAppConfig());

$this->assertInstanceOf(Security::class, $security->verify($request));
$this->assertLogged('info', 'CSRF token verified.');
$this->assertCount(1, $_POST);

/** @var Cookie $cookie */
$cookie = $this->getPrivateProperty($security, 'cookie');
$newHash = $cookie->getValue();

$this->assertNotSame($this->hash, $newHash);
$this->assertSame(32, strlen($newHash));
}
}