Use StringUtils::equals on CSRF token and add unit tests
This commit is contained in:
parent
728780aee8
commit
4efa7c09b1
2 changed files with 99 additions and 5 deletions
|
@ -33,6 +33,7 @@ use OC\Security\TrustedDomainHelper;
|
|||
use OCP\IConfig;
|
||||
use OCP\IRequest;
|
||||
use OCP\Security\ISecureRandom;
|
||||
use OCP\Security\StringUtils;
|
||||
|
||||
/**
|
||||
* Class for accessing variables in the request.
|
||||
|
@ -416,12 +417,10 @@ class Request implements \ArrayAccess, \Countable, IRequest {
|
|||
}
|
||||
|
||||
// Check if the token is valid
|
||||
if($token !== $this->items['requesttoken']) {
|
||||
// Not valid
|
||||
return false;
|
||||
} else {
|
||||
// Valid token
|
||||
if(StringUtils::equals($token, $this->items['requesttoken'])) {
|
||||
return true;
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
|
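Review bot: The new branch at `if(StringUtils::equals($token, $this->items['requesttoken']))` only maps a boolean back onto itself, so the four-line if/else can collapse to `return StringUtils::equals($token, $this->items['requesttoken']);`. The surviving comment `// Check if the token is valid` no longer says why the comparison changed; I would extend it to `// Compare in constant time so the check does not leak how many leading characters of the token match`. passesCSRFCheck starts outside this hunk, so I cannot see here whether `$this->items['requesttoken']` is guaranteed to be set before this point; if it is not, the lookup may emit an undefined-index notice and `equals()` would receive null, which is worth confirming against the earlier part of the function.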
|
|
@ -1156,4 +1156,99 @@ class RequestTest extends \Test\TestCase {
|
|||
$this->assertSame($expectedUri, $request->getRequestUri());
|
||||
}
|
||||
|
||||
public function testPassesCSRFCheckWithGet() {
|
||||
/** @var Request $request */
|
||||
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
|
||||
->setMethods(['getScriptName'])
|
||||
->setConstructorArgs([
|
||||
[
|
||||
'get' => [
|
||||
'requesttoken' => 'MyStoredRequestToken',
|
||||
],
|
||||
'requesttoken' => 'MyStoredRequestToken',
|
||||
],
|
||||
$this->secureRandom,
|
||||
$this->config,
|
||||
$this->stream
|
||||
])
|
||||
->getMock();
|
||||
|
||||
$this->assertTrue($request->passesCSRFCheck());
|
||||
}
|
||||
|
||||
public function testPassesCSRFCheckWithPost() {
|
||||
/** @var Request $request */
|
||||
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
|
||||
->setMethods(['getScriptName'])
|
||||
->setConstructorArgs([
|
||||
[
|
||||
'post' => [
|
||||
'requesttoken' => 'MyStoredRequestToken',
|
||||
],
|
||||
'requesttoken' => 'MyStoredRequestToken',
|
||||
],
|
||||
$this->secureRandom,
|
||||
$this->config,
|
||||
$this->stream
|
||||
])
|
||||
->getMock();
|
||||
|
||||
$this->assertTrue($request->passesCSRFCheck());
|
||||
}
|
||||
|
||||
public function testPassesCSRFCheckWithHeader() {
|
||||
/** @var Request $request */
|
||||
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
|
||||
->setMethods(['getScriptName'])
|
||||
->setConstructorArgs([
|
||||
[
|
||||
'server' => [
|
||||
'HTTP_REQUESTTOKEN' => 'MyStoredRequestToken',
|
||||
],
|
||||
'requesttoken' => 'MyStoredRequestToken',
|
||||
],
|
||||
$this->secureRandom,
|
||||
$this->config,
|
||||
$this->stream
|
||||
])
|
||||
->getMock();
|
||||
|
||||
$this->assertTrue($request->passesCSRFCheck());
|
||||
}
|
||||
|
||||
public function testPassesCSRFCheckWithInvalidToken() {
|
||||
/** @var Request $request */
|
||||
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
|
||||
->setMethods(['getScriptName'])
|
||||
->setConstructorArgs([
|
||||
[
|
||||
'server' => [
|
||||
'HTTP_REQUESTTOKEN' => 'MyInvalidSentToken',
|
||||
],
|
||||
'requesttoken' => 'MyStoredRequestToken',
|
||||
],
|
||||
$this->secureRandom,
|
||||
$this->config,
|
||||
$this->stream
|
||||
])
|
||||
->getMock();
|
||||
|
||||
$this->assertFalse($request->passesCSRFCheck());
|
||||
}
|
||||
|
||||
public function testPassesCSRFCheckWithoutTokenFail() {
|
||||
/** @var Request $request */
|
||||
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
|
||||
->setMethods(['getScriptName'])
|
||||
->setConstructorArgs([
|
||||
[],
|
||||
$this->secureRandom,
|
||||
$this->config,
|
||||
$this->stream
|
||||
])
|
||||
->getMock();
|
||||
|
||||
$this->assertFalse($request->passesCSRFCheck());
|
||||
}
|
||||
|
||||
}
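Review bot: The new tests cover matching tokens and a mismatched token, but not the asymmetric cases: a request that sends a token while no `requesttoken` is stored, and a stored token with no token sent; the only other negative case, `testPassesCSRFCheckWithoutTokenFail`, omits both. Two more cases built the same way, e.g. `'server' => ['HTTP_REQUESTTOKEN' => 'MyStoredRequestToken']` with no top-level `'requesttoken'` entry and the reverse, would pin that both fail rather than leaving it to whatever the earlier part of passesCSRFCheck does. As a matter of style, the five methods repeat the same `getMockBuilder(...)->setConstructorArgs([...])->getMock()` block and differ only in the items array and the expected boolean, which is what a data provider is for. The hunk ends at the class closing brace, so nothing continues past it.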
|
||||
|
|